Cisco NCS 4200 Series - MAC Address Aging Configuration; Sticky MAC Address Configurations

the service instance, but violates the policy configured on the bridge domain), the response is always Protect.
This is not configurable.
In Restrict mode, the violation report is sent to SYSLOG at level LOG_WARNING.
Support for the different types of violation responses depends on the capabilities of the platform. The desired
violation response can be configured on the service instance. The configured violation response does not take
effect unless and until MAC security is enabled using the mac security command.
MAC Address Aging Configuration
A specific time scheduler can be set to age out secured MAC addresses that are dynamically learned or statically
configured on both service instances and bridge domains, thus freeing up unused addresses from the MAC
address table for other active subscribers.
The set of rules applied to age out secured MAC addresses is called secure aging. By default, the entries in
the MAC address table of a secured service instance are never aged out. This includes permitted addresses
and dynamically learned addresses.
The mac security aging time aging-time command sets the aging time of the addresses in the MAC address
table to <n> minutes. By default, this affects only dynamically learned (not including sticky)
addresses; permitted addresses and sticky addresses are not affected by the application of this command.
By default, the aging time <n> configured via the mac security aging time aging-time command is an absolute
time. That is, the age of the MAC address is measured from the instant that it was first encountered on the
service instance. This interpretation can be modified by using the mac security aging time aging-time
inactivity command, which specifies that the age <n> be measured from the instant that the MAC address
was last encountered on the service instance.
The mac security aging static and mac security aging sticky commands specify that the mac security aging
time aging-time command must be applicable to permitted and sticky MAC addresses, respectively. In the
case of permitted MAC addresses, the absolute aging time is measured from the time the address is entered
into the MAC address table (for example, when it is configured or whenever the mac security command is
entered, whichever is later).
If the mac security aging time command is not configured, the mac security aging static command has no
effect.
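An added example, not taken from the Cisco guide: a small Python audit that reads a running-config excerpt and reports, for each service instance, which classes of secured address the rules above would age out and in which mode. The sample config is constructed, and the `interface` / `service instance <id> ethernet` layout it parses is assumed from standard IOS XE syntax rather than shown on this page.

```python
import re

# Constructed sample, trimmed to the relevant lines; names, IDs and timers are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 service instance 10 ethernet
  mac security aging time 120 inactivity
  mac security aging sticky
  mac security sticky
  mac security
 service instance 20 ethernet
  mac security aging static
  mac security
 service instance 30 ethernet
  mac security aging time 60
"""
AGING_RE = re.compile(r"mac security aging time (\d+)( inactivity)?$")

def summarise(cmds):
    """Apply the secure-aging rules from the text to one service instance."""
    timer = next(filter(None, map(AGING_RE.match, cmds)), None)
    out = {"secured": "mac security" in cmds, "minutes": None, "mode": None,
           "aged": [], "notes": []}  # default: secured entries never age out
    if timer:  # by default the timer covers dynamically learned addresses only
        out["minutes"] = int(timer.group(1))
        out["mode"] = "inactivity" if timer.group(2) else "absolute"
        out["aged"].append("dynamic")
    for keyword, kind in (("static", "permitted"), ("sticky", "sticky")):
        if f"mac security aging {keyword}" in cmds and timer:
            out["aged"].append(kind)
    if "mac security aging static" in cmds and not timer:
        out["notes"].append("aging static has no effect without aging time")
    if not out["secured"]:  # secure aging is described for secured instances
        out["notes"].append("mac security not enabled")
    return out

def audit_secure_aging(config):
    """Return {(interface, instance_id): summary} for every service instance."""
    found, iface, cmds = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        inst = re.match(r"service instance (\d+) ethernet$", line)
        if raw.startswith("interface "):
            iface, cmds = line.split()[1], None
        elif inst:
            cmds = found.setdefault((iface, int(inst.group(1))), [])
        elif cmds is not None and line.startswith("mac security"):
            cmds.append(line)
    return {key: summarise(c) for key, c in found.items()}
```

Calling `audit_secure_aging(SAMPLE_CONFIG)` flags instance 20 (an `aging static` line with no aging time) and instance 30 (an aging timer on an instance where `mac security` was never entered).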
Sticky MAC Address Configurations
The ability to make dynamically learned MAC addresses on secured service instances permanent even after
interface transitions or device reloads can be set up and configured. A dynamically learned MAC address that
is made permanent on a secured service instance is called a sticky MAC address. The mac security sticky
command is used to enable the sticky MAC addressing feature on a service instance.
With the sticky feature enabled on a secured service instance, MAC addresses learned dynamically on the
service instance are kept persistent across service instance line transitions and device reloads.
The sticky feature has no effect on statically configured MAC addresses. The sticky addresses are saved in
the running configuration. Before the device is reloaded, it is the responsibility of the user to save the running
configuration to the startup configuration. Doing this will ensure that when the device comes on, all the MAC
addresses learned dynamically previously are immediately populated into the MAC address table.
The mac security sticky address mac-address command can configure a specific MAC address as a sticky
MAC address. The use of this command is not recommended for the user because configuring a MAC address
Layer 2 Configuration Guide for Cisco NCS 4200 Series
Configuring MAC Address Security on Service Instances and EVC Port Channels