Carrier Ethernet Configuration Guide, Cisco IOS XE Release 3S
Configuring MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels

The MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels feature addresses port security with service instances by providing the capability to control and filter MAC address learning behavior at the granularity of a single service instance. When a violation requires a shutdown, only the customer assigned to that service instance is affected, not every customer using the port.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels

  • An understanding of service instances and bridge domains.

  • An understanding of how port channels and EtherChannels work in a network.

Restrictions for MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels

MAC address limiting for service instances and bridge domains is configured under a service instance and is permitted only after the service instance is configured under a bridge domain. If a service instance is removed from a bridge domain, all the MAC address limiting commands under it are also removed. If a bridge domain is removed from a service instance, all the MAC address limiting commands are also removed.

Information About MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels

Ethernet Virtual Circuits, Service Instances, and Bridge Domains

An Ethernet virtual circuit (EVC) as defined by the Metro Ethernet Forum is a port-level point-to-point or multipoint-to-multipoint Layer 2 circuit. It is an end-to-end representation of a single instance of a Layer 2 service being offered by a provider to a customer. An EVC embodies the different parameters on which the service is being offered. A service instance is the instantiation of an EVC on a given port.

Support for Ethernet bridging is an important Layer 2 service that is offered on a router as part of an EVC. Ethernet bridging enables the association of a bridge domain with a service instance.

Service instances can also be configured under a port channel. The traffic carried by service instances is load-balanced across member links: service instances under a port channel are grouped, and each group is associated with one member link. Ingress traffic for a single service instance can arrive on any member of the bundle, but all egress traffic for a service instance uses only one of the member links. Load balancing is achieved by grouping service instances and assigning each group to a member link.

For information about the Metro Ethernet Forum standards, see the “Standards” table in the “Additional References” section.

EVCs on Port Channels

An EtherChannel bundles individual Ethernet links into a single logical link that provides the aggregate bandwidth of up to eight physical links. The Ethernet Virtual Connection Services (EVCS) EtherChannel feature provides support for EtherChannels on service instances.


Note: The MAC Address Security on EVC Port Channel services is supported only on bridge domains over Ethernet and is not supported on xconnect services.


EVCS uses the concepts of EVCs and service instances.

Load balancing is done on an Ethernet flow point (EFP) basis where a number of EFPs exclusively pass traffic through member links.

MAC Address Permit List

A permit list is a set of MAC addresses that are permitted on a service instance. Permitted addresses are permanently configured into the MAC address table of the service instance.

On a service instance that is a member of a bridge domain, the operator is permitted to configure one or more permitted MAC addresses.

The eligibility tests performed when a user tries to add a MAC address to the permit list on a service instance are as follows:

  • If the address is already a denied address on the service instance, the configuration is rejected with an appropriate error message.

  • If accepting this address would raise the secure address count on the service instance above the configured maximum, an attempt is made to make room by removing an existing address from the MAC address table. The only candidate for removal is a dynamically learned address on the service instance. If sufficient room cannot be made, the configuration is rejected.

  • If accepting this address would raise the secure address count on the bridge domain above the configured maximum, the same attempt is made: a dynamically learned address on the service instance is removed. If room cannot be made, the configuration is rejected.

MAC Address Deny List

A deny list is a set of MAC addresses that are not permitted on a service instance. An attempt to learn a denied MAC address will fail. On a service instance that is a member of a bridge domain, the operator is permitted to configure one or more denied MAC addresses. The arrival of a frame with a source MAC address that is part of a deny list will trigger a violation response.

Before a denied address can be configured, the following test is performed:

  • If the address is already configured as a permitted address on the specific service instance or if the address has been learned and saved as a sticky address on the service instance, the configuration is rejected with an appropriate error message.

In all other cases, the configuration of the denied address is accepted. Typical cases include:

  • The address is configured as a permitted address on another service instance in the same bridge domain, or the address has been learned and saved as a sticky address on another service instance.

  • The address is present in the MAC table of the bridge domain as a dynamically learned address on the specific service instance and is deleted from the MAC table before the configuration is accepted.

MAC Address Limiting and Learning

An upper limit for the number of secured MAC addresses allowed on a bridge domain service instance can be configured. This limit includes addresses added as part of a permit list and dynamically learned MAC addresses.

Before an unknown MAC address is learned, a series of checks are run against a set of configured and operational constraints. If any of these checks fails, the address is not learned, and a configured violation response is triggered.

Static and Dynamic MAC Addresses

A static MAC address is specified as permitted on a service instance by a mac security permit command. A dynamic MAC address is a source MAC address encountered by the service instance that is not present in the MAC table but is allowed into, and learned by, the MAC address table.

Dynamic MAC Address Learning

Dynamic MAC address learning occurs when the bridging data path encounters an ingress frame whose source address is not present in the MAC address table for the ingress secured service instance.

MAC Address Limiting on Service Instances

The user can configure the maximum number of MAC addresses that can exist in the MAC table that is associated with a service instance. This number includes statically configured and dynamically learned (including sticky) addresses.

MAC Address Limiting for Bridge Domains

An upper limit for the number of MAC addresses that can reside in the MAC address table of a bridge domain can be set. This is set independently of the upper limit of secured MAC addresses on the service instance. An attempted violation of this bridge domain MAC address limit will cause the MAC address learn attempt to fail, and the frame to be dropped.

If the bridge domain MAC address limit is not configured, then by default, the maximum number of MAC addresses allowed on a bridge domain is the maximum number that can be supported by that platform.

Relationship Between the MAC Address Limit on a Bridge Domain and on a Service Instance

You can specify the maximum count of MAC table entries on a bridge domain and on a service instance simultaneously. However, the count configured on a service instance is not constrained by the count configured on the bridge domain.

The table below shows an example of an initial configuration where three service instances are configured on a bridge domain:

Table 1 Bridge-Domain and Service-Instance MAC Address Limit

Bridge-Domain / Service-Instance Number    MAC Address Limit
Bridge Domain 1000                         20
Service Instance 1001                      5
Service Instance 1002                      10
Service Instance 1003                      To be configured

If you wish to configure MAC security on service instance 1003, any value can be configured for the maximum count. For example:

service instance 1003 ethernet
 bridge-domain 1000
 mac limit maximum addresses 35

A MAC address limit of 35 is permitted, even though the total MAC address limit for the three service instances (5 + 10 + 35) would exceed the count (20) configured on the bridge domain. Note that during actual operation, the bridge domain limit of 20 is in effect. The dynamic secure address count cannot exceed the lowest count applicable, so it is not possible for service instance 1003 to learn 35 addresses.
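The admission rules described above (the permit-list and deny-list eligibility tests, the checks run before a dynamic address is learned, and the Table 1 scenario in which the bridge-domain limit of 20 overrides the 35 configured on service instance 1003) can be reproduced in a small model. The following is an added example written for this page; it is not Cisco code and does not reflect the platform implementation. The class and method names, and the MAC addresses it learns, are this example's own.

```python
"""Model of the MAC-security admission rules described in this chapter.

Added example, not Cisco code: it reproduces in plain Python the documented
eligibility tests for permit-list and deny-list entries and the checks run
before a dynamic address is learned, against both the service-instance limit
and the bridge-domain limit.  Class and method names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PERMIT, STICKY, DYNAMIC = "permit", "sticky", "dynamic"


class ConfigRejected(Exception):
    """One of the eligibility tests in the text failed."""


@dataclass
class ServiceInstance:
    si_id: int
    max_addresses: Optional[int] = None                  # mac limit maximum addresses
    denied: Set[str] = field(default_factory=set)        # deny list
    table: Dict[str, str] = field(default_factory=dict)  # mac -> PERMIT | STICKY | DYNAMIC
    violations: List[str] = field(default_factory=list)  # source MACs that tripped a check

    def secure_count(self) -> int:
        # permit-list entries and learned (dynamic or sticky) entries all count
        return len(self.table)


@dataclass
class BridgeDomain:
    bd_id: int
    max_addresses: Optional[int] = None                  # None = platform maximum
    instances: Dict[int, ServiceInstance] = field(default_factory=dict)

    def add_instance(self, si: ServiceInstance) -> None:
        self.instances[si.si_id] = si

    def total_entries(self) -> int:
        return sum(si.secure_count() for si in self.instances.values())

    def _si_full(self, si: ServiceInstance) -> bool:
        return si.max_addresses is not None and si.secure_count() >= si.max_addresses

    def _bd_full(self) -> bool:
        return self.max_addresses is not None and self.total_entries() >= self.max_addresses

    @staticmethod
    def _evict_dynamic(si: ServiceInstance) -> bool:
        """Make room: the only removal candidate is a dynamic address on this EFP."""
        for mac, kind in list(si.table.items()):
            if kind == DYNAMIC:
                del si.table[mac]
                return True
        return False

    def permit(self, si_id: int, mac: str) -> None:
        """Add mac to the permit list of service instance si_id."""
        si = self.instances[si_id]
        if mac in si.denied:
            raise ConfigRejected(f"{mac} is already denied on service instance {si_id}")
        if mac in si.table:                 # already present: upgrade in place, count unchanged
            si.table[mac] = PERMIT
            return
        if self._si_full(si) and not self._evict_dynamic(si):
            raise ConfigRejected(f"service instance {si_id} limit reached, no dynamic entry to evict")
        if self._bd_full() and not self._evict_dynamic(si):
            raise ConfigRejected(f"bridge domain {self.bd_id} limit reached, no dynamic entry to evict")
        si.table[mac] = PERMIT

    def deny(self, si_id: int, mac: str) -> None:
        """Add mac to the deny list of service instance si_id."""
        si = self.instances[si_id]
        if si.table.get(mac) in (PERMIT, STICKY):   # how an entry becomes sticky is not modelled
            raise ConfigRejected(f"{mac} is permitted or sticky on service instance {si_id}")
        si.table.pop(mac, None)             # a dynamically learned copy is deleted first
        si.denied.add(mac)

    def learn(self, si_id: int, mac: str) -> bool:
        """Ingress frame on si_id with source mac; True if the address is in the table afterwards."""
        si = self.instances[si_id]
        if mac in si.table:
            return True
        if mac in si.denied or self._si_full(si):
            si.violations.append(mac)       # the configured violation response fires
            return False
        if self._bd_full():
            return False                    # learn attempt fails and the frame is dropped
        si.table[mac] = DYNAMIC
        return True


def table_1_scenario() -> int:
    """Table 1: bridge domain 1000 capped at 20; EFPs 1001/1002/1003 capped at 5/10/35."""
    bd = BridgeDomain(1000, max_addresses=20)
    for si_id, limit in ((1001, 5), (1002, 10), (1003, 35)):
        bd.add_instance(ServiceInstance(si_id, limit))
    # constructed source addresses; only 20 of the 35 can be learned
    return sum(bd.learn(1003, f"00:11:22:33:44:{i:02x}") for i in range(35))
```

Calling table_1_scenario() returns 20, not 35: the bridge-domain limit is the lowest applicable count, so it is the one that takes effect during operation even though the larger per-service-instance value was accepted at configuration time.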

How to Configure MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels

Configuring MAC Address Limiting on a Bridge Domain

Perform this task to configure an upper limit for the number of secured MAC addresses that reside in a bridge domain.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    bridge-domain bridge-id

    4.    mac limit maximum addresses maximum-addresses

    5.    end


DETAILED STEPS

Step 1    enable
          Example: Device> enable
          Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2    configure terminal
          Example: Device# configure terminal
          Purpose: Enters global configuration mode.

Step 3    bridge-domain bridge-id
          Example: Device(config)# bridge-domain 100
          Purpose: Configures components on a bridge domain and enters bridge-domain configuration mode.

Step 4    mac limit maximum addresses maximum-addresses
          Example: Device(config-bdomain)# mac limit maximum addresses 200
          Purpose: Sets the maximum number of MAC addresses allowed in the MAC address table of the bridge domain.

Step 5    end
          Example: Device(config-bdomain)# end
          Purpose: Returns to privileged EXEC mode.

Configuring MAC Address Limiting on a Service Instance

Perform this task to configure an upper limit for the number of secured MAC addresses allowed on a service instance. This number includes addresses added as part of a permit list as well as dynamically learned MAC addresses. If the upper limit is decreased, all learned MAC entries are removed.

SUMMARY STEPS

    1.    enable
    2.    configure terminal
    3.    interface type number
    4.    service instance id ethernet
    5.    encapsulation dot1q vlan-id
    6.    bridge-domain bridge-id
    7.    mac limit maximum addresses maximum-addresses
    8.    end

DETAILED STEPS

Step 1    enable
          Example: Device> enable
          Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2    configure terminal
          Example: Device# configure terminal
          Purpose: Enters global configuration mode.

Step 3    interface type number
          Example: Device(config)# interface gigabitethernet2/0/1
          Purpose: Specifies the interface type and number, and enters interface configuration mode.

Step 4    service instance id ethernet
          Example: Device(config-if)# service instance 100 ethernet
          Purpose: Creates a service instance (an instance of an EVC) on an interface and enters service instance configuration mode.

Step 5    encapsulation dot1q vlan-id
          Example: Device(config-if-srv)# encapsulation dot1q 100
          Purpose: Defines the matching criteria used to map ingress dot1q frames on the interface to the appropriate service instance.

Step 6    bridge-domain bridge-id
          Example: Device(config-if-srv)# bridge-domain 200
          Purpose: Binds the service instance to a bridge-domain instance, where bridge-id is the identifier of the bridge-domain instance.

Step 7    mac limit maximum addresses maximum-addresses
          Example: Device(config-if-srv)# mac limit maximum addresses 10
          Purpose: Sets the maximum number of secure addresses permitted on the service instance.

Step 8    end
          Example: Device(config-if-srv)# end
          Purpose: Returns to privileged EXEC mode.

Clearing All Dynamically Learned MAC Addresses on a Service Instance

Perform this task to clear all dynamically learned MAC addresses on a service instance.

SUMMARY STEPS

    1.    enable
    2.    clear ethernet service instance id id interface type number mac table
    3.    end

DETAILED STEPS

Step 1    enable
          Example: Device> enable
          Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2    clear ethernet service instance id id interface type number mac table
          Example: Device# clear ethernet service instance id 100 interface gigabitethernet1/1 mac table
          Purpose: Clears all the dynamically learned MAC addresses on the specified service instance.

Step 3    end
          Example: Device# end
          Purpose: Returns to privileged EXEC mode.

Clearing All Dynamically Learned MAC Addresses on a Bridge Domain

Perform this task to clear all dynamically learned MAC addresses on a bridge domain.

SUMMARY STEPS

    1.    enable
    2.    clear bridge-domain bridge-id mac table
    3.    end

DETAILED STEPS

Step 1    enable
          Example: Device> enable
          Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2    clear bridge-domain bridge-id mac table
          Example: Device# clear bridge-domain 100 mac table
          Purpose: Clears all dynamically learned MAC addresses on the specified bridge domain.

Step 3    end
          Example: Device# end
          Purpose: Returns to privileged EXEC mode.

Configuration Examples for MAC Address Limiting on Service Instances and Bridge Domains and EVC Port Channels

Example Configuring MAC Address Limiting on a Bridge Domain

Device> enable
Device# configure terminal
Device(config)# bridge-domain 100
Device(config-bdomain)# mac limit maximum addresses 1000
Device(config-bdomain)# end

Example Configuring a MAC Address Limit on a Service Instance

Device> enable
Device# configure terminal
Device(config)# interface gigabitethernet 3/0/1
Device(config-if)# service instance 100 ethernet
Device(config-if-srv)# encapsulation dot1Q 100
Device(config-if-srv)# bridge-domain 100
Device(config-if-srv)# mac limit maximum addresses 10
Device(config-if-srv)# end
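Once such configuration is deployed, the practical check is whether every service instance in a bridge domain actually carries a per-customer limit, and what cap is in effect once the bridge-domain limit is taken into account. The following audit script is an added example for this page, not Cisco code or a Cisco tool: it parses a saved running-config in the form shown above and reports, for each EFP bound to a bridge domain, the service-instance limit, the bridge-domain limit, and the effective cap (the lower of the two, as the text describes). The configuration text embedded in it is constructed for the example; the xconnect service instance is included only to show that it is skipped, since this feature is not supported on xconnect services.

```python
"""Audit a saved IOS XE running-config for MAC address limiting on EFPs.

Added example, not Cisco code.  Parses global bridge-domain blocks and the
service instances under each interface, then reports for every EFP bound to
a bridge domain the effective MAC limit.  SAMPLE_CONFIG is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
bridge-domain 100
 mac limit maximum addresses 200
!
interface GigabitEthernet3/0/1
 service instance 100 ethernet
  encapsulation dot1q 100
  bridge-domain 100
  mac limit maximum addresses 10
 !
 service instance 101 ethernet
  encapsulation dot1q 101
  bridge-domain 100
 !
 service instance 102 ethernet
  encapsulation dot1q 102
  xconnect 10.0.0.2 102 encapsulation mpls
 !
!
interface Port-channel1
 service instance 200 ethernet
  encapsulation dot1q 200
  bridge-domain 300
  mac limit maximum addresses 500
 !
"""

MAC_LIMIT = re.compile(r"mac limit maximum addresses (\d+)$")


def parse_mac_limits(config: str) -> Tuple[Dict[int, Optional[int]], List[dict]]:
    """Return ({bridge-domain id: limit or None}, [one record per service instance])."""
    bd_limits: Dict[int, Optional[int]] = {}
    efps: List[dict] = []
    ctx: Optional[str] = None          # 'bd' (global bridge-domain), 'if', or 'si'
    cur_bd = cur_if = efp = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if line == "!":                # '!' closes the innermost block in IOS output
            ctx = "if" if indent > 0 else None
            continue
        if indent == 0:
            m_bd = re.match(r"bridge-domain (\d+)$", line)
            m_if = re.match(r"interface (\S+)$", line)
            if m_bd:
                cur_bd, ctx = int(m_bd.group(1)), "bd"
                bd_limits.setdefault(cur_bd, None)
            elif m_if:
                cur_if, ctx = m_if.group(1), "if"
            else:
                ctx = None
            continue
        m_si = re.match(r"service instance (\d+) ethernet$", line)
        if ctx == "if" and m_si:
            efp = {"interface": cur_if, "si": int(m_si.group(1)),
                   "bd": None, "si_limit": None, "xconnect": False}
            efps.append(efp)
            ctx = "si"
            continue
        m_lim = MAC_LIMIT.match(line)
        if ctx == "bd" and m_lim:
            bd_limits[cur_bd] = int(m_lim.group(1))
        elif ctx == "si" and efp is not None:
            m_sibd = re.match(r"bridge-domain (\d+)", line)
            if m_lim:
                efp["si_limit"] = int(m_lim.group(1))
            elif m_sibd:
                efp["bd"] = int(m_sibd.group(1))
            elif line.startswith("xconnect "):
                efp["xconnect"] = True
    return bd_limits, efps


def audit(config: str) -> List[dict]:
    """One finding per EFP in a bridge domain; 'effective' None means the platform maximum."""
    bd_limits, efps = parse_mac_limits(config)
    findings = []
    for efp in efps:
        if efp["xconnect"] or efp["bd"] is None:
            continue                   # limiting is configured only under a bridge domain
        bd_limit = bd_limits.get(efp["bd"])
        caps = [c for c in (efp["si_limit"], bd_limit) if c is not None]
        findings.append({
            **efp,
            "bd_limit": bd_limit,
            # the bridge-domain cap is shared by every EFP in it, so this is an upper bound
            "effective": min(caps) if caps else None,
            "uncapped": efp["si_limit"] is None,   # one customer can fill the shared BD table
        })
    return findings
```

Run audit(SAMPLE_CONFIG) against the constructed configuration and three findings come back: EFP 100 is capped at 10 by its own limit; EFP 101 has no per-service-instance limit, so the only thing bounding it is the shared bridge-domain cap of 200, which is the condition the script flags as uncapped; EFP 200 on the port channel is capped at 500 but its bridge domain 300 has no limit of its own, so the platform maximum applies to the bridge domain as a whole.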
          

Additional References

Related Documents

  • CFM commands (complete command syntax, command mode, command history, defaults, usage guidelines, and examples): Cisco IOS Carrier Ethernet Command Reference

  • Cisco IOS commands (master list of commands with complete command syntax, command mode, command history, defaults, usage guidelines, and examples): Cisco IOS Master Command List, All Releases

  • Configuring Ethernet connectivity fault management in a service provider network (Cisco pre-Standard CFM Draft 1): "Configuring Ethernet Connectivity Fault Management in a Service Provider Network" module in the Cisco IOS Carrier Ethernet Configuration Guide

  • Ethernet Local Management Interface on a provider edge device: "Configuring Ethernet Local Management Interface on a Provider Edge Device" module in the Cisco IOS Carrier Ethernet Configuration Guide

  • IP SLAs for Metro Ethernet: "IP SLAs for Metro Ethernet"

  • NSF/SSO and MPLS: "NSF/SSO - MPLS LDP and LDP Graceful Restart"

  • ISSU feature and functions: "Cisco IOS Broadband High Availability In Service Software Upgrade"

  • Performing an ISSU: "Cisco IOS In Service Software Upgrade Process and Enhanced Fast Software Upgrade Process"

  • SSO: "Stateful Switchover" chapter of the Cisco IOS High Availability Configuration Guide

Standards

  • IEEE 802.1ag: 802.1ag - Connectivity Fault Management

  • IEEE 802.3ah: IEEE 802.3ah Ethernet in the First Mile

  • IETF VPLS OAM: L2VPN OAM Requirements and Framework

  • ITU-T: ITU-T Y.1731 OAM Mechanisms for Ethernet-Based Networks

MIBs

  • CISCO-ETHER-CFM-MIB: To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator at http://www.cisco.com/go/mibs

RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified.

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 2 Feature Information for MAC Address Limiting on Service Instances, Bridge Domains, and EVC Port Channels

Feature Name: MAC Address Limiting on Service Instances and Bridge Domains

Releases: Cisco IOS XE 3.7S

Feature Information: The MAC Address Limiting on Service Instances and Bridge Domains feature addresses port security with service instances by providing the capability to control and filter MAC address learning behavior at the granularity of a single service instance. When a violation requires a shutdown, only the customer assigned to that service instance is affected. MAC address limiting is a type of MAC security and is also referred to as a MAC security component or element.

The following commands were introduced or modified: bridge-domain (global), bridge-domain (service instance), clear bridge-domain mac-table, clear ethernet service instance, interface, mac limit maximum addresses, show bridge-domain, show ethernet service instance.