Verifying That MAC Limiting Is Working Correctly

MAC limiting protects against flooding of the Ethernet switching table by setting a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port).

Junos OS provides two MAC limiting methods:

  • Maximum number of MAC addresses—You configure the maximum number of dynamic MAC addresses allowed per interface. When the limit is exceeded, incoming packets with new MAC addresses can be ignored, dropped, or logged. You can also specify that the interface be shut down or temporarily disabled.
  • Allowed MAC addresses—You configure specific “allowed” MAC addresses for the access interface. Any MAC address that is not in the list of configured addresses is not learned, and the switch logs an appropriate message. The allowed MAC method binds MAC addresses to a VLAN so that the address is not registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.

This topic includes the following tasks:

  1. Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly
  2. Verifying That Allowed MAC Addresses Are Working Correctly
  3. Verifying That Interfaces Are Shut Down
  4. Customizing the Ethernet Switching Table Display to View Information for a Specific Interface

Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly

Purpose

Verify that MAC limiting for dynamic MAC addresses is working.

Action

Display the MAC addresses that have been learned. The following sample output shows the results of sending two packets from hosts connected to xe-1:0/0/1 and five packets from hosts connected to xe-1:0/0/2, with both interfaces configured with a MAC limit of 4 and the action drop:

Ethernet-switching table: 7 entries, 6 learned

  VLAN              MAC address       Type         Age Interfaces
  employee-vlan     *                 Flood          - xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:77 Learn          0 xe-1:0/0/1.0
  employee-vlan     00:05:85:3A:82:79 Learn          0 xe-1:0/0/1.0
  employee-vlan     00:05:85:3A:82:80 Learn          0 xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:81 Learn          0 xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:83 Learn          0 xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:85 Learn          0 xe-1:0/0/2.0

Meaning

The output shows that the fifth packet received on the xe-1:0/0/2 interface was dropped because it exceeded the MAC limit for that interface. The address was not learned, and thus an asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.

Verifying That Allowed MAC Addresses Are Working Correctly

Purpose

Verify that allowed MAC addresses are working.

Action

Display the MAC cache information after allowed MAC addresses have been configured on an interface. The following sample shows the MAC cache after four allowed MAC addresses had been configured on interface xe-1:0/0/2 and a fifth MAC address appeared on the interface.

Ethernet-switching table: 5 entries, 4 learned

  VLAN              MAC address       Type         Age Interfaces
  employee-vlan     00:05:85:3A:82:80 Learn          0 xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:81 Learn          0 xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:83 Learn          0 xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:85 Learn          0 xe-1:0/0/2.0
  employee-vlan     *                 Flood          - xe-1:0/0/2.0

Meaning

Because the fifth address was not allowed, it was not learned, and an asterisk (*) rather than an address appears in the MAC address column in the last line of the sample output.

Verifying That Interfaces Are Shut Down

Purpose

Verify that an interface is shut down when the MAC limit is exceeded.

Action

For more information about interfaces that have been shut down because the MAC limit was exceeded, use the show ethernet-switching interfaces command.

user@switch> show ethernet-switching interfaces
Interface    State  VLAN members  Tag  Tagging   Blocking
bme0.32770   down   mgmt               untagged  unblocked
xe-0/0/0.0   down   v1                 untagged  MAC limit exceeded
xe-0/0/1.0   up     v1                 untagged  unblocked
xe-0/0/2.0   up     v1                 untagged  unblocked
me0.0        up     mgmt               untagged  unblocked

Note: You can configure interfaces to recover automatically when the MAC limit has been exceeded by specifying the port-error-disable statement with a disable timeout value. The switch automatically restores the disabled interface to service when the disable timeout expires. The port-error-disable configuration does not apply to preexisting error conditions—it affects only error conditions that are detected after the port-error-disable statement has been enabled and the configuration has been committed. To clear a preexisting error condition and restore the interface to service, use the clear ethernet-switching port-error command.

Customizing the Ethernet Switching Table Display to View Information for a Specific Interface

Purpose

You can use the show ethernet-switching table command to view information for a specific interface.

Action

For example, to display the MAC addresses that have been learned on the xe-0/0/2 interface, enter:

user@switch> show ethernet-switching table interface xe-0/0/2.0
Ethernet-switching table: 1 unicast entries

  VLAN              MAC address       Type         Age Interfaces
  v1                *                 Flood          - All-members
  v1                00:00:06:00:00:00 Learn          0 xe-0/0/2.0

Meaning

The MAC limit value for the xe-0/0/2 interface had been set to 1, and the output shows that only one MAC address was learned and added to the MAC cache.
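The checks described in the tasks above can be automated over captured command output. The following Python script is an added example, not part of the original Juniper documentation: it counts learned MAC addresses per interface from show ethernet-switching table output, compares them with the limits you expect, and lists interfaces blocked with "MAC limit exceeded". The function names and the limits dictionary are assumptions for illustration; the sample input is constructed from the sample output on this page.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the sample output shown on this page.
TABLE_OUTPUT = """\
Ethernet-switching table: 7 entries, 6 learned
  VLAN              MAC address       Type         Age Interfaces
  employee-vlan     *                 Flood          - xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:77 Learn          0 xe-1:0/0/1.0
  employee-vlan     00:05:85:3A:82:79 Learn          0 xe-1:0/0/1.0
  employee-vlan     00:05:85:3A:82:80 Learn          0 xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:81 Learn          0 xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:83 Learn          0 xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:85 Learn          0 xe-1:0/0/2.0
"""
INTERFACES_OUTPUT = """\
Interface    State  VLAN members  Tag  Tagging   Blocking
bme0.32770   down   mgmt               untagged  unblocked
xe-0/0/0.0   down   v1                 untagged  MAC limit exceeded
xe-0/0/1.0   up     v1                 untagged  unblocked
"""
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def learned_per_interface(table_text):
    """Count dynamically learned MAC addresses per logical interface."""
    counts = Counter()
    for line in table_text.splitlines():
        fields = line.split()
        # Data rows have five fields: VLAN, MAC, Type, Age, Interface.
        if len(fields) == 5 and fields[2] == "Learn" and MAC_RE.match(fields[1]):
            counts[fields[4]] += 1
    return counts

def over_limit(table_text, limits):
    """Return {interface: (learned, limit)} for interfaces above their limit."""
    counts = learned_per_interface(table_text)
    return {i: (counts[i], lim) for i, lim in limits.items() if counts[i] > lim}

def mac_limit_blocked(interfaces_text):
    """Return interfaces whose Blocking column reads 'MAC limit exceeded'."""
    return [line.split()[0] for line in interfaces_text.splitlines()
            if line.rstrip().endswith("MAC limit exceeded")]

if __name__ == "__main__":
    print(dict(learned_per_interface(TABLE_OUTPUT)))
    print(over_limit(TABLE_OUTPUT, {"xe-1:0/0/1.0": 4, "xe-1:0/0/2.0": 4}))
    print(mac_limit_blocked(INTERFACES_OUTPUT))
```

An empty result from over_limit means no interface has learned more addresses than its configured limit, which is the outcome the first task verifies by inspection.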

Published: 2014-07-23