Mac Security Disabled On A Service Instance - Cisco ASR 920 Series Configuration Manual Ethernet Router

Configuring MAC Address Limiting on Service Instances Bridge Domains and EVC Port Channels
If MAC address limits are exceeded, any MAC address that fails to get added is reported via an error message
to the console, the attempt to enable MAC security on the service instance fails, and the already added permitted
entries are backed out or removed.
The aging timer for all entries is updated according to the secure aging rules.

MAC Security Disabled on a Service Instance

The existing MAC address table entries for this service instance are purged.
Service Instance Moved to a New Bridge Domain
This transition sequence applies to all service instances, whether or not they have MAC security configured.
All the MAC addresses on this service instance in the MAC address table of the old bridge domain are removed.
The count of dynamically learned addresses in the old bridge domain is decremented. Then, all the MAC
security commands are permanently erased from the service instance.
Service Instance Removed from a Bridge Domain
All the MAC addresses in the MAC address table that attributable to this service instance are removed, and
the count of dynamically learned addresses in the bridge domain is decremented. Since MAC security is
applicable only on service instances that are members of a bridge domain, removing a service instance from
a bridge domain causes all the MAC security commands to be erased permanently.
Service Instance Shut Down Due to Violation
All dynamically learned MAC addresses in the MAC address table are removed, and all the other MAC
security state values are left unchanged. The only change is that no traffic is forwarded, and therefore no
learning can take place.
Interface Service Instance Down Linecard OIR Removed
The MAC tables of all the affected bridge domains are cleared of all the entries attributable to the service
instances that are down.
Interface Service Instance Re-activated Linecard OIR Inserted
The static and sticky address entries in the MAC tables of the affected bridge domains are re-created to the
service instances that are activated.
MAC Address Limit Decreased
When the value of the MAC address limit on the service instance is changed initially, a sanity check is
performed to ensure that the new value of <n> is greater than or equal to the number of permitted entries. If
not, the command is rejected. The MAC table is scanned for addresses that are attributable to this service
instance, and dynamically learned MAC addresses are removed when the new MAC address limit is less than
the old MAC address limit.
Carrier Ethernet Configuration Guide (Cisco ASR 920 Series)
Transitions
89