Secured MACs Learned Dynamically
Figure 16-35: Secured MACs learned dynamically
Send Layer 2 traffic with incremental source MAC of 100 and with VLAN 100 from IXIA1. Because the maximum limit is configured to 3, only 3 secure MAC addresses will be learned by SW1.
SW1
#configure terminal | Enter configure mode. |
(config)#hostname SW1 | Set the host name |
(config)#bridge 1 protocol rstp vlan-bridge | Create a RSTP VLAN bridge on customer side |
(config)#vlan database | Enter vlan database mode. |
(config)#vlan 2-200 bridge 1 state enable | Configure VLAN for the bridge |
(config-vlan)#eixt | Exit from vlan database mode. |
(config)#interface ge1 | Enter interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode hybrid | Configure the mode as trunk |
(config-if)#switchport hybrid allowed vlan all | Configure allowed VLAN all on the interface |
(config-if)#switchport port-security | Enable port security mode dynamic |
(config-if)#switchport port-security maximum 3 | Limit secure MAC to 3 mac addresses. |
(config-if)#commit | Commit the candidate configuration to the running configuration. |
(config-if)#exit | Exit interface mode |
(config)#interface ge2 | Enter interface mode |
(config-if)#switchport | Make the interface Layer 2 |
(config-if)#bridge-group 1 | Associate the interface to bridge |
(config-if)#switchport mode hybrid | Configure the mode as trunk |
(config-if)#switchport hybrid allowed vlan all | Configure allowed VLAN all on the interface |
(config-if)#commit | Commit the candidate configuration to the running configuration. |
(config-if)#exit | Exit interface mode |
(config)#logging monitor 7 | Enable logging level as 7 for debugging |
(config-if)#commit | Commit the candidate configuration to the running configuration. |
(config-if)#exit | Exit interface mode |
Validation
Validation commands are show port-security, show port-security interface <ifname>, show mac address-table count bridge 1, show bridge, and show mac address-table bridge 1.
SW1#show port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
-------+-------------------+---------+------+------+-----------------
ge1 dynamic 3
SW1#show port-security interface ge1
Port Security Mode : Dynamic
Secure MAC limit : 3
Static Secure MAC list :
CVLAN SVLAN MAC Address
------+------+----------------
SW1#show mac address-table count bridge 1
MAC Entries for all vlans:
Dynamic Address Count: 3
Static (User-defined) Unicast MAC Address Count: 0
Static (User-defined) Multicast MAC Address Count: 0
Total MAC Addresses in Use: 3
SW1#show bridge
Ageout time is global and if something is configured for vxlan then it will be affected here also
Bridge CVLAN SVLAN BVLAN Port MAC Address FWD Time-out
---------+------+------+------+-----------+-----------------+-----+---------+
1 100 ge1 0000.0300.0500 1 100
1 100 ge1 0000.0300.055b 1 100
1 100 ge1 0000.0300.055c 1 100
SW1#show mac address-table bridge 1
CVLAN SVLAN MAC Address Type Ports Port-security
------+------+---------------+---------+---------+--------------
100 0000.0300.0500 dynamic ge1 Enable
100 0000.0300.055b dynamic ge1 Enable
100 0000.0300.055c dynamic ge1 Enable
Last modified date: 10/12/2023