Use this procedure to create, delete, or lock a MAC address on a port. This procedure does not apply to circuit packs provisioned for NOTAG mode. See MAC Addressing/Learning and MAC Address Locking at the end of this procedure for additional information.
The Configuration → Data → Create (or Delete) MAC Address command (ent-mac/dlt-mac TL1 command) from the System View menu allows you to create, delete, or modify a MAC address + VLAN ID (VID) on a port. Use the command to provision persistent and filtered MAC addresses. A persistent MAC bypasses the normal aging process. Filtering on a MAC source address allows an operator to drop frames from a disruptive user based on the MAC address. Ethernet frames with a MAC provisioned as filtered are dropped when received by any port in that VLAN on the pack (Virtual Switch on the LNW70/LNW170/LNW78).
When provisioning a MAC address, the MAC address must be valid, a VLAN/Port Tag must be specified, and the type must be specified. The VLAN or Port Tag must already exist in the Virtual Switch (VS) and be assigned to the selected LAN/WAN port. Only unicast MAC addresses are supported.
MAC Address Locking restricts access to an Ethernet bridged network. The MAC source address (SA) of traffic entering a locked port must match a persistent MAC address provisioned for that port. Any LAN, VCG, or Link Aggregation Group (LAG) may be put in the MAC address locking mode using the ed-eport/ed-vcg TL1 commands or the WaveStar® CIT Configuration → Equipment command. MAC address locking applies to LNW70/LNW170 circuit packs only.
Prior to performing this procedure, refer to Before you begin and Required equipment in this chapter and you must have complete work instructions for this procedure that detail:
Use the following procedure to provision MAC Addresses/MAC Address Locking:
1. Use the WaveStar® CIT to log in to the Alcatel-Lucent 1665 DMX shelf.
   Reference: Procedure 14-2: Connect Personal Computer (PC) and establish WaveStar® CIT session
2.
3. Select Configuration → Data → Create (or Delete) MAC Address from the System View menu.
   Result: The Create MAC Address or Delete MAC Address window opens.
4. Select the circuit pack being provisioned, then click Select.
   Result: The Create MAC Address or Delete MAC Address for "circuit pack AID" window opens.
5. Click on an entry in the table presented to Create/Modify an entry (if Create was chosen), or to Delete an entry (if Delete was chosen).
   Result: A window opens displaying the parameters you have chosen and the options you may perform.
6. Select the required options (parameters) in the display window to add/modify/delete the necessary parameters.
7. Click on one of the buttons at the bottom of the window to Create/Modify or Delete the selections, as required.
   End of MAC Address provisioning. If required, continue with the next step to Enable/Disable MAC Address Locking.
8. Select Configuration → Equipment from the System View menu. Expand the details for the circuit pack being provisioned, select the port, then click Select at the bottom of the window.
9. Click on the Traffic Provisioning tab at the top of the window.
10. For Locked Source Address, select ENABLE or DISABLE, as required. Click Apply, read the warning message, then click Yes to execute the command. Click Close to exit.
End of steps
When an Ethernet frame is received on a port, the source MAC address + VLAN ID (MAC + VID) can be learned by the port if the port is a member of that VLAN, and the MAC + VID has not been provisioned as persistent on another port in the VS. If a frame is subsequently received with the same MAC + VID by a different port in the same VLAN and VS, the MAC+VID is forgotten on the old port and learned on the new. Source addresses are learned so that when a frame is received on a port in the VS with that MAC+VID as its destination address, it will be forwarded only to the port which has learned that address. In this regard, provisioned persistent addresses behave as permanently learned addresses.
When changing VLAN tagging mode, the MAC+VLAN addresses are cleared by the deletion of the virtual switch. When the VLAN tagging mode is set to private line (NO TAG), this feature is disabled and all TL1 MAC address commands are denied.
The Configuration → Data → Create (or Delete) MAC Address command (ent-mac/dlt-mac TL1 command) from the System View menu allows you to create/delete or modify a MAC address on a port. Use the command to provision persistent and filtered MAC addresses. See Table 11-4, ENT-MAC command provisionable parameters for a list of provisionable parameters.
Table 11-4, ENT-MAC command provisionable parameters lists the provisionable parameters for the ent-mac command.
MAC Address Locking applies only to LNW70/LNW170 circuit pack ports.
Any LNW70/LNW170 Ethernet LAN or VCG port may be put in the MAC address locking mode using the “locked_sa” parameter in the ed-eport/ed-vcg commands or the WaveStar® CIT Configuration → Equipment command, selecting the port, clicking on the Traffic Provisioning tab, then selecting ENABLE for the Locked Source Address.
Only MAC addresses of type “persistent” are allowed for a locked port. Before entering locked mode, all static MAC entries of type "filtered" must have been removed.
Other features are as follows:
Frames received with a source address plus VLAN ID (SA + VID) matching a static entry of type persistent for that port are admitted. All other frames ingressing the port are discarded.
Multiple locked persistent entries can be applied to the port. Multiple ports may be locked. Frames received on one locked port having the locked SA+VID for another are dropped.
No other port in the virtual switch can have the same persistent entry. A persistent address cannot be learned in its VLAN on any port in the virtual switch. If frames having a destination address plus VLAN ID (DA + VID) of a locked address are received on another port in the virtual switch, they are sent only to the locked_sa port.
When entering locked mode, all dynamic entries for the port are flushed. A port in locked mode does not learn addresses.
Unlocked ports can still have persistent entries (including for a locked address, but only in a different VLAN or VS). So a client of a locked port can send traffic to a DA which may be routed by learning or by another port’s persistent entry, the same as for an unlocked port.
A LAG may be locked. The persistent address belongs to the LAG, not the member ports. The locked source address parameter is set to its initial value if a port is removed from a virtual switch.
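The learning and locking rules above, worked through as a small Python model. This is an added example, not Alcatel-Lucent code: the class, method and port names and the MAC values are hypothetical, every port is assumed to be a member of the VLAN used, and admitting (without learning) a persistent source address on an unlocked port that does not own it is an assumption the text does not settle.

```python
class VirtualSwitch:
    """Toy model of one Virtual Switch (hypothetical names; all ports share the VLAN)."""
    def __init__(self):
        self.persistent = {}   # (mac, vid) -> owning port
        self.filtered = {}     # (mac, vid) -> port it was provisioned on
        self.learned = {}      # (mac, vid) -> port (dynamic, aged entries)
        self.locked = set()    # ports with Locked Source Address enabled

    def add_persistent(self, port, mac, vid):
        if self.persistent.get((mac, vid), port) != port:
            raise ValueError("persistent entry exists on another port in the VS")
        self.persistent[(mac, vid)] = port
        self.learned.pop((mac, vid), None)      # no longer a learned address

    def add_filtered(self, port, mac, vid):
        if port in self.locked:
            raise ValueError("locked ports accept only persistent entries")
        self.filtered[(mac, vid)] = port

    def lock(self, port):
        if port in self.filtered.values():
            raise ValueError("remove filtered entries before locking")
        self.learned = {k: p for k, p in self.learned.items() if p != port}  # flush
        self.locked.add(port)

    def ingress(self, port, src, vid):
        key = (src, vid)
        if key in self.filtered:                # filtered SA: dropped on any port
            return "drop"
        owner = self.persistent.get(key)
        if port in self.locked:                 # locked ports never learn
            return "admit" if owner == port else "drop"
        if owner is None:
            self.learned[key] = port            # learn, or move from the old port
        return "admit"  # persistent SA seen elsewhere is not learned (admit assumed)

    def egress(self, dst, vid):
        return self.persistent.get((dst, vid), self.learned.get((dst, vid)))

def demo():
    # Constructed MACs and port names, for illustration only.
    vs = VirtualSwitch()
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    vs.ingress("lan1", b, 100)                  # b learned dynamically on lan1
    vs.add_persistent("lan1", a, 100)
    vs.lock("lan1")                             # flushes b from lan1
    return [vs.ingress("lan1", a, 100), vs.ingress("lan1", b, 100),
            vs.ingress("lan2", b, 100), vs.egress(a, 100), vs.egress(b, 100)]
```

In demo(), egress returns None for a destination no port has learned; what the switch does with such frames is not described on this page.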
November 2011 | Copyright © 2011 Alcatel-Lucent. All rights reserved. |