MAC Addresses
Introduction to the Media Access Control (MAC) Layer 2 Sublayer
This topic provides an introduction to the MAC sublayer of the data link layer (Layer 2).
In Layer 2 of a network, the Media Access Control (MAC) sublayer provides addressing and channel access control mechanisms that enable several terminals or network nodes to communicate in a network.
The MAC sublayer acts as an interface between the logical link control (LLC) Ethernet sublayer and Layer 1 (the physical layer). The MAC sublayer emulates a full-duplex logical communication channel in a multipoint network. This channel may provide unicast, multicast, or broadcast communication service. The MAC sublayer uses MAC protocols to prevent collisions.
In Layer 2, multiple devices on the same physical link can uniquely identify one another at the data link layer, by using the MAC addresses that are assigned to all ports on a switch. A MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC address.
A MAC address is a 12-digit hexadecimal number (48 bits long). MAC addresses are usually written in one of these formats:
MM:MM:MM:SS:SS:SS
MM-MM-MM-SS-SS-SS
The first half of a MAC address contains the ID number of the adapter manufacturer. These IDs are regulated by an Internet standards body. The second half of a MAC address represents the serial number assigned to the adapter by the manufacturer.
Contrast MAC addressing, which works at Layer 2, with IP addressing, which runs at Layer 3 (networking and routing). One way to remember the difference is that the MAC addresses apply to a physical or virtual node, whereas IP addresses apply to the software implementation of that node. MAC addresses are typically fixed on a per-node basis, whereas IP addresses change when the node moves from one part of the network to another.
IP networks maintain a mapping between the IP and MAC addresses of a node using the Address Resolution Protocol (ARP) table. DHCP also typically uses MAC addresses when assigning IP addresses to nodes.
Understanding MAC Address Assignment on an EX Series Switch
This topic describes MAC address assignment for interfaces on standalone Juniper Networks EX Series Ethernet Switches. For information regarding MAC address assignments in a Virtual Chassis, see Understanding MAC Address Assignment on a Virtual Chassis.
MAC addresses are used to identify network devices at Layer 2. Because all Layer 2 traffic decisions are based on an interface’s MAC address, understanding MAC address assignment is important to understanding how network traffic is forwarded and received by the switch. For additional information on how a network uses MAC addresses to forward and receive traffic, see Understanding Bridging and VLANs on Switches.
A MAC address comprises six groups of two hexadecimal digits, with each group separated from the next group by a colon—for instance, aa:bb:cc:dd:ee:00. The first five groups of hexadecimal digits are derived from the switch and are the same for all interfaces on the switch.
The assignment of a unique MAC address to each network interface helps ensure that functions that require MAC address differentiation—such as redundant trunk groups (RTGs), Link Aggregation Control Protocol (LACP), and general monitoring functions—can properly function.
On switches that use line cards, this MAC addressing scheme differentiates the Layer 2 interfaces on different line cards in the switch.
For EX Series switches, the first five groups of hexadecimal digits are determined when the switch is manufactured. The switch then assigns a unique MAC address to each interface by assigning a unique identifier as the last group of hexadecimal digits. The assignment depends on how the interface is configured. The switch uses one pattern for an interface that is configured as a routed VLAN interface (RVI), a virtual management Ethernet (VME) interface, or an aggregated Ethernet interface, and a different pattern for an interface that is not configured as any of these.
For aggregated Ethernet interfaces, the MAC address assignment remains constant regardless of whether the configuration of the interface is Layer 2 or Layer 3.
In Junos OS Release 11.3 and later releases through Release 12.1, the MAC address assignment for aggregated Ethernet interfaces changes if the interface is changed from Layer 2 to Layer 3 or the reverse. Starting with Junos Release 12.2, the MAC address assignment for aggregated Ethernet interfaces remains constant regardless of whether the interface is Layer 2 or Layer 3.
Prior to Junos OS Release 11.3, MAC addresses for Layer 2 interfaces could be shared between interfaces and RVIs on different line cards in the same switch. However, if you upgrade from Junos OS Release 11.2 or earlier to Junos OS Release 11.3 or later on a switch that supports line cards, the MAC addresses of these interfaces will change.
MAC addresses are assigned to interfaces automatically; no user configuration is possible or required. You can view MAC addresses assigned to interfaces using the show interfaces command.
Configuring MAC Move Parameters
When a MAC address appears on a different physical interface or within a different unit of the same physical interface and this behavior occurs frequently, it is considered a MAC move. You can configure the router to report a MAC address move based on the following parameters: the number of times a MAC address move occurs, a specified period of time over which the MAC address move occurs, and a specified number of times a MAC address move occurs in one second. You can only configure the global-mac-move statement at the global hierarchy level.
To globally disable the MAC move action feature, include the disable-action statement at the [edit protocols l2-learning global-mac-move] hierarchy level. This disables the MAC move action feature, while MAC move detection continues.
To configure the time duration after which the port will be unblocked, include the reopen-time statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default reopen timer is 180 seconds.
To configure MAC address move reporting if the MAC address moves at least a specified number of times in one second, include the threshold-time statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default threshold time is 1 second.
To configure reporting of a MAC address move if the MAC address moves for a specified period of time, include the notification-time statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default notification timer is 1 second.
To configure reporting of a MAC address move if the MAC address moves a specified number of times, include the threshold-count statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default threshold count is 50 moves.
Use the show l2-learning mac-move-buffer command to view the actions taken as a result of the MAC address move feature.
Use the show l2-learning mac-move-buffer active command to view the set of logical interfaces (IFLs) blocked as a result of the MAC move action.
Use the exclusive-mac command to exclude a MAC address from the MAC move limit algorithm, preventing the MAC address from being tracked.
Use the clear l2-learning mac-move-buffer active command to unblock the IFBDs that were blocked by the MAC move action feature. This allows you to keep reopen-time configured to a large value and, once the looping error is fixed, release the blocking manually.
The following example sets the notification time for MAC moves to 1 second, the threshold time to 1 second, reopen-time to 180 seconds and the threshold count to 50 moves.
[edit protocols l2-learning]
global-mac-move {
    notification-time 1;
    reopen-time 180;
    threshold-count 50;
    threshold-time 1;
}
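The move accounting described in this section, as a simplified model that is an added example and not Junos code or part of the original page: it counts how often each MAC address changes logical interface inside a sliding window and reports when the count reaches the threshold. The event tuples, the function names, and the reading of threshold-count as "moves within threshold-time" are assumptions for illustration; the defaults reuse the values shown above.

```python
import re
from collections import defaultdict, deque

def normalize(mac):
    """Accept MM:MM:MM:SS:SS:SS or MM-MM-MM-SS-SS-SS; return lowercase colon form."""
    digits = re.sub(r"[:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def detect_mac_moves(events, threshold_count=50, threshold_time=1.0,
                     exclusive_macs=()):
    """Report MACs that move between interfaces too often (assumed model).

    events: time-ordered (timestamp_seconds, mac, logical_interface) learn events.
    Returns (timestamp, mac, from_if, to_if, moves_in_window) tuples.
    """
    excluded = {normalize(m) for m in exclusive_macs}
    last_seen = {}                      # mac -> interface it was last learned on
    recent = defaultdict(deque)         # mac -> timestamps of recent moves
    reports = []
    for ts, mac, ifl in events:
        mac = normalize(mac)
        if mac in excluded:             # modelled on exclusive-mac: never tracked
            continue
        prev = last_seen.get(mac)
        last_seen[mac] = ifl
        if prev is None or prev == ifl:
            continue                    # first sighting or refresh, not a move
        window = recent[mac]
        window.append(ts)
        while ts - window[0] > threshold_time:
            window.popleft()            # forget moves older than the window
        if len(window) >= threshold_count:
            reports.append((ts, mac, prev, ifl, len(window)))
            window.clear()              # start counting again after reporting
    return reports

def sample_events():
    """Constructed learn events: a looping MAC, a roaming host, an excluded MAC."""
    events = []
    for i in range(60):                 # flaps every 10 ms, as in a bridging loop
        ifl = "ge-0/0/1.0" if i % 2 == 0 else "ge-0/0/2.0"
        events.append((i / 100, "02:00:00:00:00:01", ifl))
        events.append((i / 100, "02-00-00-00-00-EE", ifl))    # hyphen format
    events.append((0.20, "02:00:00:00:00:02", "ge-0/0/3.0"))
    events.append((5.00, "02:00:00:00:00:02", "ge-0/0/4.0"))  # one legitimate move
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for r in detect_mac_moves(sample_events(), exclusive_macs=["02:00:00:00:00:ee"]):
        print(r)
```

A single move by a roaming host stays far below the threshold, while a MAC that alternates between two interfaces every few milliseconds crosses it within the window; that sustained alternation is what a bridging loop looks like.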
Configuring MAC Limiting (ELS)
This topic describes the different ways of configuring a limitation on MAC addresses in packets that are received and forwarded by the device.
The tasks presented in this section use Junos OS for EX Series switches, QFX3500 and QFX3600 switches, and PTX Series routers that support the Enhanced Layer 2 Software (ELS) configuration style. See Using the Enhanced Layer 2 Software CLI for more information about ELS configurations.
For information on configuring an interface to automatically recover from a shutdown caused by MAC limiting, see Configuring Autorecovery for Port Security Events. If you do not configure the device for autorecovery from the disabled condition, you can bring up the disabled interfaces by running the clear ethernet-switching recovery-timeout command.
The different ways of setting a MAC limit are described in the following sections:
- Limiting the Number of MAC Addresses Learned by an Interface
- Limiting the Number of MAC Addresses Learned by a VLAN
- Limiting the Number of MAC Addresses Learned by an Interface in a VLAN
Limiting the Number of MAC Addresses Learned by an Interface
On PTX Series routers, you can limit the number of MAC addresses learned by an interface only.
To secure a port, you can set the maximum number of MAC addresses that can be learned by an interface.
[edit switch-options]
user@switch# set interface interface-name interface-mac-limit limit packet-action action
[edit routing-instances]
user@switch# set routing-instance-name switch-options interface interface-name interface-mac-limit limit
[edit switch-options]
user@switch# set interface-mac-limit limit
[edit routing-instances]
user@switch# set routing-instance-name switch-options interface-mac-limit limit
After you set a new MAC limit for the interface, the system clears existing entries in the MAC address forwarding table associated with the interface.
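How an interface MAC limit behaves when many new source addresses arrive, as an added example that is not Junos code or part of the original page. The class and function names are hypothetical, only the drop and shutdown packet actions are modelled, and recover() stands in for autorecovery or the clear ethernet-switching recovery-timeout command.

```python
class PortMacLimit:
    """Toy model of one interface with an interface-mac-limit and a packet-action."""

    def __init__(self, limit, action="drop"):
        if action not in ("drop", "shutdown"):
            raise ValueError("this model covers only drop and shutdown")
        self.action = action
        self.up = True
        self.dropped = 0
        self.set_limit(limit)

    def set_limit(self, limit):
        # Setting a new limit clears the entries already learned on the interface.
        self.limit = limit
        self.learned = set()

    def receive(self, src_mac):
        """Process one frame; return True if it is forwarded."""
        if not self.up:                       # disabled interface passes nothing
            self.dropped += 1
            return False
        if src_mac in self.learned:           # known source: always forwarded
            return True
        if len(self.learned) < self.limit:    # room left: learn and forward
            self.learned.add(src_mac)
            return True
        self.dropped += 1                     # limit reached: apply the action
        if self.action == "shutdown":
            self.up = False                   # stays down until recovery
        return False

    def recover(self):
        self.up = True

def replay(port, frames):
    """Feed a list of source MACs to the port; return per-frame forward results."""
    return [port.receive(mac) for mac in frames]

def sample_frames():
    """Constructed traffic: two hosts, 100 never-seen sources, then host 1 again."""
    hosts = ["02:00:00:00:00:01", "02:00:00:00:00:02"]
    burst = ["02:00:00:00:10:%02x" % i for i in range(100)]
    return hosts + burst + hosts[:1]

if __name__ == "__main__":
    for action in ("drop", "shutdown"):
        port = PortMacLimit(3, action)
        forwarded = replay(port, sample_frames()).count(True)
        print(action, forwarded, port.dropped, port.up, len(port.learned))
```

With drop, the table stays at the limit and known hosts keep working; with shutdown, the first address over the limit takes the interface down, so known hosts are cut off too until it is recovered.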
Limiting the Number of MAC Addresses Learned by a VLAN
To limit the number of MAC addresses learned by a VLAN, perform the following steps:
[edit vlans]
user@switch# set vlan-name switch-options mac-table-size limit packet-action action
Limiting the Number of MAC Addresses Learned by an Interface in a VLAN
To limit the number of MAC addresses learned by an interface in a VLAN, perform the following steps:
Adding a Static MAC Address Entry to the Ethernet Switching Table on a Switch with ELS Support
This task uses Junos OS for EX Series switches and Junos OS for QFX3500 and QFX3600 switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Adding a Static MAC Address Entry to the Ethernet Switching Table. For ELS details, see Using the Enhanced Layer 2 Software CLI.
The Ethernet switching table, also known as the forwarding table, specifies the known locations of VLAN nodes and the addresses of devices within those nodes. There are two ways to populate the Ethernet switching table on a switch. The easiest method is to let the switch update the table with MAC addresses.
The second way to populate the Ethernet switching table is to manually insert addresses into the table. You can do this to reduce flooding and speed up the switch’s automatic learning process.
Before configuring a static MAC address, be sure that you have:
Set up the VLAN. See Configuring VLANs for EX Series Switches with ELS Support (CLI Procedure).
To configure an interface to have a static MAC address:
[edit vlans vlan-name switch-options interface interface-name]
user@switch# set static-mac mac-address
Adding a Static MAC Address Entry to the Ethernet Switching Table
This task uses Junos OS for EX Series switches and Junos OS for QFX3500 and QFX3600 switches that do not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Adding a Static MAC Address Entry to the Ethernet Switching Table on a Switch with ELS Support. For ELS details, see Using the Enhanced Layer 2 Software CLI.
The Ethernet switching table, also known as the forwarding table, specifies the known locations of VLAN nodes. There are two ways to populate the Ethernet switching table on a switch. The easiest method is to let the switch update the table with MAC addresses.
The second way to populate the Ethernet switching table is to manually insert a VLAN node location into the table. You can do this to reduce flooding and speed up the switch’s automatic learning process. To further optimize the switching process, indicate the next hop (next interface) packets will use after leaving the node.
Before configuring a static MAC address, be sure that you have:
Set up the VLAN. See Configuring VLANs for EX Series Switches or Configuring VLANs on Switches.
To add a MAC address to the Ethernet switching table:
Specify the MAC address to add to the table:
[edit ethernet-switching-options]
set static vlan vlan-name mac mac-address
Indicate the next hop MAC address for packets sent to the indicated MAC address:
[edit ethernet-switching-options]
set static vlan vlan-name mac mac-address next-hop interface
Example: Configuring the Default Learning for Unknown MAC Addresses
This example shows how to configure the device to use only ARP requests to learn the outgoing interfaces for unknown destination MAC addresses.
Requirements
Before you begin, determine the MAC addresses and associated interfaces of the forwarding table. See Layer 2 Learning and Forwarding for VLANs Overview.
Overview
In this example, you configure the device to use only ARP queries without traceroute requests.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security flow ethernet-switching no-packet-flooding no-trace-route
Step-by-Step Procedure
To configure the device to use only ARP requests to learn unknown destination MAC addresses:
Enable the device.
[edit]
user@host# set security flow ethernet-switching no-packet-flooding no-trace-route
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show security flow command.