Supported Platforms
Related Documentation
- EX, QFX Series
- Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
- EX Series
- Verifying That MAC Limiting Is Working Correctly
- Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure)
- Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)
- Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches
- Understanding Bridging and VLANs on EX Series Switches
- no-allowed-mac-log
- show vlans
Configuring MAC Limiting (CLI Procedure)
This topic describes the ways you can limit the number of MAC addresses that the switch learns from the packets it receives and forwards: on a single interface, on an interface within a particular VLAN, on all access interfaces, on a VLAN, and by listing the MAC addresses that are allowed on an interface.
Before you can change a MAC limit that was previously set on an interface or a VLAN, you must first clear the entries in the MAC address forwarding table that the change affects. To change the limit on one interface, clear the entries learned on that interface; to change the limit on a VLAN, clear the entries for that VLAN; to change the limit on all interfaces and VLANs, clear the whole table.
To clear MAC addresses from the forwarding table:
- Clear the MAC address entries learned on a specific interface (here, the interface is ge-0/0/1):
user@switch> clear ethernet-switching-table interface ge-0/0/1
- Clear all MAC address entries in the forwarding table:
user@switch> clear ethernet-switching-table
- Clear the MAC address entries for a specific VLAN (here, the VLAN is vlan-abc):
user@switch> clear ethernet-switching-table vlan vlan-abc
The different ways of setting a MAC limit are described in the following sections:
Configuring MAC Limiting for Port Security by Limiting the Number of MAC Addresses That Can Be Learned on Interfaces
To configure MAC limiting for port security by setting the maximum number of MAC addresses that can be learned on interfaces:
- Apply the MAC limit on a single interface (here, the interface is ge-0/0/1):
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 mac-limit 10
When no action is specified for the MAC limit on an interface, the switch performs the default action, drop, if the limit is exceeded: packets from source addresses beyond the limit are not learned and are dropped.
- Apply the MAC limit on a single access interface on the basis of its membership in a specific VLAN (here, the interface is ge-0/0/1 and the VLAN is v1):
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 vlan v1 mac-limit 5
With this type of configuration, the switch drops any additional packets if the limit is exceeded and also logs a message.
- Apply the limit to all access interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface all mac-limit 10
When no action is specified for the MAC limit on all interfaces, the switch performs the default action, drop, on any interface where the limit is exceeded.
Configuring MAC Limiting for Port Security by Specifying MAC Addresses That Are Allowed
You must clear the existing entries in the MAC address forwarding table before changing the MAC address limit (see the clear commands above).
To configure MAC limiting for port security by specifying allowed MAC addresses:
- On a single interface (here, the interface is ge-0/0/2):
[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83
- On all interfaces:
[edit ethernet-switching-options secure-access-port]
user@switch# set interface all allowed-mac 00:05:85:3A:82:80
user@switch# set interface all allowed-mac 00:05:85:3A:82:81
user@switch# set interface all allowed-mac 00:05:85:3A:82:83
Configuring MAC Limiting for VLANs
You must clear the existing entries in the MAC address forwarding table before you can change the MAC address limit (see the clear commands above).
MAC limiting on a VLAN restricts the number of MAC addresses that can be learned for that VLAN, but packets from addresses beyond the limit are not dropped; they are only logged. Setting a MAC limit on a VLAN therefore protects the forwarding table from overflow but is not considered a port-security feature.
Note: The configuration of specific allowed MAC addresses does not apply to VLANs.
To configure MAC limiting for a VLAN using the CLI:
- Limit the number of dynamic MAC addresses on a VLAN (here, the VLAN is vlan-abc):
[edit vlans]
user@switch# set vlan-abc mac-limit 20
If the MAC limit on a VLAN is exceeded, the switch logs the MAC addresses of the packets that cause the limit to be exceeded. No other action is possible.
Note: When you apply a MAC limit on a VLAN, do not set mac-limit to 1 for a VLAN that contains a routed VLAN interface (RVI) or an aggregated Ethernet bundle using LACP. In these cases, a mac-limit of 1 prevents the switch from learning any MAC address other than the one that is inserted automatically:
- For RVIs, the first MAC address inserted into the forwarding table is the MAC address of the RVI.
- For aggregated Ethernet bundles using LACP, the first MAC address inserted into the forwarding table is the source address of the LACP protocol packet.
If the VLAN contains only regular access or trunk interfaces, you can set mac-limit to 1 if you choose to do so.
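The following is an added example that ties the individual steps above into one configuration session; it is not part of the original topic. It assumes a hypothetical EX Series switch with access ports ge-0/0/1 (a single printer), ge-0/0/2 (two known workstations), and ge-0/0/23 (a virtualization host that legitimately presents many MAC addresses), plus a user VLAN named vlan-abc. All interface names, VLAN names, MAC addresses, and limit values are assumptions chosen for illustration; the secure-access-port action keywords (none, drop, log, shutdown) are the standard ones for this hierarchy.

```junos
## Added example, not from the original topic. Interface names, VLAN
## names, MAC addresses and limit values are hypothetical.

## 1. Flush learned entries first: a limit cannot be changed while
##    entries that it governs are still in the forwarding table.
user@switch> clear ethernet-switching-table

## 2. Baseline for every access port. Omitting `action` also yields drop;
##    stating it makes the intent visible in `show configuration`.
user@switch> configure
[edit]
user@switch# set ethernet-switching-options secure-access-port interface all mac-limit 10 action drop

## 3. A port that should only ever carry one host gets a limit of 1 and is
##    disabled on violation, so a flooding tool takes the port offline
##    rather than being quietly rate-limited. This is a per-interface
##    limit, so the RVI/LACP caveat for VLAN limits of 1 does not apply.
user@switch# set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 1 action shutdown

## 4. Pin a port to known hardware addresses; these appear as static
##    entries in the forwarding table rather than learned ones.
user@switch# set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3a:82:80
user@switch# set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3a:82:81

## 5. Override the interface-all limit on the hypervisor-facing port with
##    the none action, so its many VM addresses are not dropped.
user@switch# set ethernet-switching-options secure-access-port interface ge-0/0/23 mac-limit 10 action none

## 6. VLAN-wide cap: exceeding it only logs, so size it for the table as a
##    whole, not for the hosts behind any single port.
user@switch# set vlans vlan-abc mac-limit 100
user@switch# commit and-quit

## 7. Verify: ge-0/0/1 shows at most one learned entry, ge-0/0/2 shows the
##    two allowed addresses as static entries, ge-0/0/23 learns freely.
user@switch> show ethernet-switching table
user@switch> show ethernet-switching table interface ge-0/0/2
user@switch> show vlans vlan-abc
```

If you later tighten or loosen any of these limits, repeat step 1 for the affected interface or VLAN before committing the change. A port disabled by the shutdown action stays down until it is recovered; the autorecovery topic listed under Related Documentation describes how to have the switch re-enable it automatically after a timeout.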
Published: 2012-12-10