Mac Address Aging Configuration - Cisco ASR 920 Series Configuration Manual Ethernet Router

Configuring MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels

MAC Address Aging Configuration

Type 2 Violation--The address of the ingress frame cannot be dynamically learned because it is already
"present" on another secured service instance (see MAC Move and MAC Locking, on page 86).
There are three possible sets of actions that can be taken in response to a violation:
1 Shutdown
  - The ingress frame is dropped.
  - The service instance on which the offending frame arrived is shut down.
  - The violation count is incremented, and the violating address is recorded for later CLI display.
  - The event and the response are logged to SYSLOG.
2 Restrict
  - The ingress frame is dropped.
  - The violation count is incremented, and the violating address is recorded for display.
  - The event and the response are logged to SYSLOG.
3 Protect
  - The ingress frame is dropped.
If a violation response is not configured, the default response mode is shutdown. The violation response can
be configured to protect or restrict mode. The "no" form of a violation response sets the violation response
back to the default mode of shutdown.
You can configure the desired response for Type 1 and Type 2 violations on a service instance.
For a Type 1 violation on a bridge domain (that is, if the learn attempt conforms to the policy configured on
the service instance, but violates the policy configured on the bridge domain), the response is always "Protect."
This is not configurable.
In Restrict mode, the violation report is sent to SYSLOG at level LOG_WARNING.
Support for the different types of violation responses depends on the capabilities of the platform. The desired
violation response can be configured on the service instance. The configured violation response does not take
effect unless and until MAC security is enabled using the mac security command.
MAC Address Aging Configuration
A specific time scheduler can be set to age out secured MAC addresses that are dynamically learned or statically
configured on both service instances and bridge domains, thus freeing up unused addresses from the MAC
address table for other active subscribers.
The set of rules applied to age out secured MAC addresses is called secure aging. By default, the entries in
the MAC address table of a secured service instance are never aged out. This includes permitted addresses
and dynamically learned addresses.
The mac security aging time aging-time command sets the aging time of the addresses in the MAC address
table to <n> minutes. By default, this affects only dynamically learned (not including sticky)
addresses--permitted addresses and sticky addresses are not affected by the application of this command.
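The violation response and secure aging settings described above, shown together on one service instance. This is an added example, not taken from the Cisco guide: the interface, service instance ID, VLAN, bridge-domain ID and 10-minute aging value are constructed, and the "mac security violation restrict" syntax is assumed from the IOS MAC security command set, since the page names the mode but not the command.

```cisco
! Added example; all names and numeric values are constructed.
interface GigabitEthernet0/0/1
 service instance 100 ethernet
  encapsulation dot1q 100
  bridge-domain 200
  ! Without this line the response is the default, shutdown: a single
  ! offending frame shuts down the whole service instance.
  ! Restrict drops the frame, increments the violation count, records the
  ! violating address and logs to SYSLOG, leaving the service instance up.
  mac security violation restrict
  ! Age out dynamically learned (non-sticky) secure addresses after
  ! 10 minutes. Without it, entries on a secured service instance never
  ! age out. Permitted and sticky addresses are not affected by default.
  mac security aging time 10
  ! The configured violation response does not take effect until MAC
  ! security is enabled on the service instance.
  mac security
```

Restrict is the only mode of the three that keeps the service instance up while still producing a SYSLOG record (level LOG_WARNING) and a violation count to alert on; protect drops the frame silently.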
By default, the aging time <n> configured via the mac security aging time aging-time command is an absolute
time. That is, the age of the MAC address is measured from the instant that it was first encountered on the
service instance. This interpretation can be modified by using the mac security aging time aging-time
Carrier Ethernet Configuration Guide (Cisco ASR 920 Series)
