Port Security using MC-LAG
Figure 11-20: Port security with MC-LAG
TOR1
#configgure termonal | Enter configure mode |
(config)#bridge 1 protocol provider-rstp edge | Create provider RSTP bridge |
(config)#vlan 2-10 type customer bridge 1 state enable | Enabling customer vlan for bridge |
(config)#vlan 2-10 type service point-point bridge 1 state enable | Enabling service vlan for bridge |
(config)#cvlan registration table map1 bridge 1 | Creating registration table |
(config-cvlan-registation)#cvlan 2 svlan 2 | Mapping CVLAN to SVLAN |
(config-cvlan-registation)#cvlan 10 svlan 2 | Mapping CVLAN to SVLAN |
(config-cvlan-registation)#exit | Exit registration table mode |
(config)#interface mlag3 | Entering MLAG interface |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#exit | Exit interface mode |
(config)#interface po1 | Entering dynamic lag interface |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2 |
(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#mlag 3 | Enabling mlag group number |
(config-if)#exit | Exit interface mode |
(config)#interface xe49/1 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 | Associate the interface with bridge group 1. |
(config-if)#switchport mode provider-network | Set the switching characteristics of this interface to provider network |
(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface to provider network and allow all VLAN |
(config-if)#exit | Enter interface mode |
(config)#interface xe3 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 | Associate the interface with bridge group 1. |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow vlan 2 |
(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system |
(config-if)#exit | Exit interface mode |
(config)#interface mlag3 | Entering MLAG interface |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2 |
(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#switchport customer-edge vlan registration map1 | Configuring the registration table mapping on MLAG interface |
(config-if)#switchport port-security | Enabling port security |
(config-if)#switchport port-security maximum 10 | Limiting the maximum mac to 10 |
(config-if)#exit | Exit interface mode |
(config)#mcec domain configuration | Entering MCEC mode |
(config-mcec-domain)#domain-address 2222.2222.2222 | Domain address for the MLAG domain |
(config-mcec-domain)#domain-system-number 1 | Number to identify the node in a domain |
(config-mcec-domain)#exit | Exit MCEC mode |
(config)#intra-domain-link xe49/1 | Intra domain line between MLAG domain |
(config-if)#domain-priority 333 | Domain priority for MCEC |
TOR2
(config-if)#
#configure terminal | Enter configure mode |
(config)#bridge 1 protocol provider-rstp edge | Create provider RSTP bridge |
(config)#vlan 2-10 type customer bridge 1 state enable | Enabling customer VLAN for bridge |
(config)#vlan 2-10 type service point-point bridge 1 state enable | Enabling service VLAN for bridge |
(config)#cvlan registration table map1 bridge 1 | Creating registration table |
(config-cvlan-registation)#cvlan 2 svlan 2 | Mapping CVLAN to SVLAN |
(config-cvlan-registation)#cvlan 10 svlan 2 | Mapping CVLAN to SVLAN |
(config-cvlan-registation)#exit | Exit registration table mode |
(config)#interface mlag3 | Entering MLAG interface |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#exit | Exit interface mode |
(config)#interface po1 | Entering dynamic lag interface |
(config-if)#Switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2 |
(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#mlag 3 | Enabling MLAG group number |
(config-if)#exit | Exit interface mode |
(config)#interface xe49/1 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 | Associate the interface with bridge group 1. |
(config-if)#switchport mode provider-network | Set the switching characteristics of this interface to provider network |
(config-if)#switchport provider-network allowed vlan all | Set the switching characteristics of this interface to provider network and allow all VLAN |
(config-if)#exit | Exit interface mode |
(config)#interface xe3 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
bridge-group 1 | Associate the interface with bridge group 1 |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2 |
(config-if)#switchport customer-edge hybrid allowed vlan all | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system |
(config-if)#exit | Exit interface mode |
(config)#interface mlag3 | Entering MLAG interface |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode customer-edge hybrid | Set the switching characteristics of this interface to customer edge hybrid |
(config-if)#switchport customer-edge hybrid vlan 2 | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN 2 |
(config-if)#switchport customer-edge hybrid allowed vlanall | Set the switching characteristics of this interface to customer edge hybrid and allow VLAN all |
(config-if)#switchport customer-edge vlan registration map1 | Configuring the registration table mapping on MLAG interface |
(config-if)#exit | Exit interface mode |
mcec domain configuration | Entering MCEC mode |
(config-mcec-domain)#domain-address 2222.2222.2222 | Domain address for the MLAG domain |
(config-mcec-domain)#domain-system-number 2 | Number to identify the node in a domain |
(config-mcec-domain)#intra-domain-link xe49/1 | Intra domain line between MLAG domain |
(config-mcec-domain)#domain-priority 333 | Domain priority for MCEC |
SW1
configure terminal | Enter configuration mode |
(config)#bridge 1 protocol rstp vlan-bridge | Configuring the RSTP vlan bridge |
(config)#interface po1 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all vlan |
(config-if)#exit | Exit interface mode |
(config)#interface xe1/3 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all vlan |
(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system. |
(config-if)#exit | Exit interface mode |
(config)#interface xe1/1 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 spanning-tree disable | Associate the interface with bridge group 1 and disabling spanning-tree |
(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all vlan |
(config-if)#channel-group 1 mode active | Add this interface to channel group 1 and enable link aggregation so that it can be selected for aggregation by the local system. |
(config-if)#exit | Exit interface mode |
(config)#interface xe3/3 | Entering interface mode |
(config-if)#switchport | Configuring interface as switchport |
(config-if)#bridge-group 1 | Associate the interface with bridge group 1and disabling spanning-tree |
(config-if)#switchport mode hybrid | Set the switching characteristics of this interface hybrid |
(config-if)#switchport hybrid allowed vlan all | Set the switching characteristics of this interface hybrid and allowing all VLAN |
Validation
TOR1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1 2 mlag3 0000.0500.0200 1 54
1 2 mlag3 0000.0500.0201 1 60
1 2 mlag3 0000.0500.0202 1 54
1 2 mlag3 0000.0500.0203 1 60
1 2 mlag3 0000.0500.0204 1 54
1 2 mlag3 0000.0500.0205 1 60
1 2 mlag3 0000.0500.0207 1 60
1 2 mlag3 0000.0500.0208 1 54
1 2 mlag3 0000.0500.0209 1 60
1 2 mlag3 0000.0500.020a 1 54
1 2 mlag3 0000.0500.020b 1 60
1 2 mlag3 0000.0500.020c 1 54
1 2 mlag3 0000.0500.020d 1 60
1 2 mlag3 0000.0500.020e 1 54
1 2 mlag3 0000.0500.020f 1 60
1 2 mlag3 0000.0500.0210 1 54
1 2 mlag3 0000.0500.0211 1 60
1 2 mlag3 0000.0500.0212 1 54
1 2 mlag3 cc37.abbb.ed9b 1 40
TOR1#sh port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
-------+-------------------+---------+------+------+-----------------
Mlag3 dynamic 10
TOR1#
TOR1#show mac address-table count bridge 1 interface mlag3
MAC Entries for all vlans:
Dynamic Address Count: 20
Static (User-defined) Unicast MAC Address Count: 0
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 20
TOR1#
Last modified date: 07-13-2023