The first step is to create a list of MAC addresses to be protected. The second step is to restrict access to these addresses only from an SHG or a SAP (if the MAC address of an upstream server is not known, it can be discovered using, for example, the CPE ping OAM tool).
The following example displays a partial BSA configuration with restricted access to some MAC addresses from a specified SAP (an unrestricted access from any other SAP within the VPLS).
A:ALA-48>config>service# info
----------------------------------------------
vpls 800 customer 6001 create
no shutdown
description "VPLS with restricted access on a SAP"
mac-protect
mac 00:00:17:FE:82:D8
mac 93:33:00:00:BF:92
exit
sap 1/1/4:30 create
restrict-unprotected-dst
exit
----------------------------------------------
A:ALA-48>config>service#