
Configure MAC Address for Layer 2 Learning and Forwarding

24-Nov-23

Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain

You can manually add static MAC entries for the logical interfaces in a bridge domain. You can specify one or more static MAC addresses for each logical interface.

To add a static MAC address for a logical interface in a bridge domain, include the static-mac mac-address statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name] hierarchy level.

[edit]
bridge-domains {
    bridge-domain-name {
        domain-type bridge;
        bridge-options {
            interface interface-name {
                static-mac mac-address {
                    <vlan-id number>;
                }
            }
        }
    }
}

You can optionally specify a VLAN identifier for the static MAC address by using the vlan-id statement. To specify a VLAN identifier for a static MAC address, you must use the all option when configuring a VLAN identifier for the bridge domain.

Note:

If a static MAC address you configure for a logical interface appears on a different logical interface, packets sent to that interface are dropped.

Configuring the Size of the MAC Address Table for a Bridge Domain

You can modify the size of the MAC address table for each bridge domain. The default table size is 5120 addresses. The minimum you can configure is 16 addresses, and the maximum is 1,048,575 addresses.

If the MAC table limit is reached, new addresses can no longer be added to the table. Unused MAC addresses are removed from the MAC address table automatically. This frees space in the table, allowing new entries to be added.

To modify the size of the MAC table, include the mac-table-size limit statement at the [edit bridge-domains bridge-domain-name bridge-options] hierarchy level:

[edit]
bridge-domains {
    bridge-domain-name {
        domain-type bridge;
        bridge-options {
            mac-table-size limit {
                packet-action drop;
            }
        }
    }
}

Limiting MAC Addresses Learned from an Interface in a Bridge Domain

You can configure a limit on the number of MAC addresses learned from a specific bridge domain or from a specific logical interface that belongs to a bridge domain.

To configure a limit for the number of MAC addresses learned from each logical interface in a bridge domain, include the interface-mac-limit limit statement at the [edit bridge-domains bridge-domain-name bridge-options] hierarchy level:

[edit]
bridge-domains {
    bridge-domain-name {
        domain-type bridge;
        interface interface-name;
        bridge-options {
            interface-mac-limit limit;
        }
    }
}

To limit the number of MAC addresses learned from a specific logical interface in a bridge domain or an entire bridge domain, include the interface-mac-limit limit statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name] or [edit bridge-domains bridge-domain-name bridge-options] hierarchy level:

[edit]
bridge-domains {
    bridge-domain-name {
        domain-type bridge;
        interface interface-name;
        bridge-options {
            interface-mac-limit limit {
                packet-action drop;
            }
            interface interface-name {
                interface-mac-limit limit {
                    packet-action drop;
                }
            }
        }
    }
}

For an access port, the default limit on the number of MAC addresses that can be learned is 1024. Because an access port can be configured in only one bridge domain in a network topology, this default is the same as the limit for MAC addresses learned on a logical interface in a bridge domain (configured by including the interface-mac-limit limit statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name] or [edit bridge-domains bridge-domain-name bridge-options] hierarchy level).

For a trunk port, the default limit on the number of MAC addresses that can be learned is 8192. Because a trunk port can be associated with multiple bridge domains, this default is the same as the limit for MAC addresses learned on a logical interface in a virtual switch instance (configured by including the interface-mac-limit limit statement at the [edit routing-instances routing-instance-name switch-options interface interface-name] hierarchy level for a virtual switch instance).

The value you configure for a specific logical interface overrides any value you specify for the entire bridge domain at the [edit bridge-domains bridge-domain-name bridge-options] hierarchy level.

The default limit to the number of MAC addresses that can be learned on a logical interface is 1024. The range that you can configure for a specific logical interface is 1 through 131,071.

After the MAC address limit is reached, the default is for any incoming packets with a new source MAC address to be forwarded. You can specify that the packets be dropped by including the packet-action drop statement. To specify that packets be dropped for the entire bridge domain, include the packet-action drop statement at the [edit bridge-domains bridge-domain-name bridge-options interface-mac-limit limit] hierarchy level:

[edit bridge-domains bridge-domain-name bridge-options interface-mac-limit limit]
packet-action drop;

To specify that the packets be dropped for a specific logical interface in a bridge domain, include the packet-action drop statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name interface-mac-limit limit] hierarchy level:

[edit bridge-domains bridge-domain-name bridge-options interface interface-name interface-mac-limit limit]
packet-action drop;

Note:

The behavior is different for some configurations. For aggregated Ethernet interfaces and label-switched interfaces, the behavior is to learn all the new MAC addresses even when the limit has been reached. The excess addresses are later deleted. The learning limit does not apply to bridge domain trunk ports, because they have no counters for the individual domains, and those domains might have different MAC learning limits.

Note:

When static MAC addresses are configured, the learning limit is the configured limit minus the number of static addresses.

Note:

On MX Series routers running Junos OS Release 8.4 and later, statistics for an aged destination MAC entry are not retained. In addition, source and destination statistics are reset during a MAC move. In previous releases, only source statistics were reset during a MAC move.

You can also configure a limit to the number of MAC addresses learned for an MX Series router.
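The sections above describe several rules that interact: a bridge-domain-wide interface-mac-limit, a per-interface limit that overrides it, the default packet-action of forwarding new source MACs once the limit is hit versus packet-action drop, static addresses reducing the learning budget (configured limit minus the number of static addresses), a static MAC appearing on a different interface causing drops, and mac-table-size capping the table as a whole. The following Python model, added here as an illustration and not Juniper code, applies those rules to a constructed sequence of source MACs so the precedence can be checked; the class and method names, the interface names, and the sample MAC addresses are assumptions of the model.

```python
"""Toy model of Junos-style MAC learning limits in one bridge domain.
Added example, not Juniper code. Models: a domain-wide interface-mac-limit,
a per-interface override, packet-action forward (default) or drop, static
MACs counted against the learning budget, and mac-table-size for the table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LimitPolicy:
    limit: int
    packet_action: str = "forward"  # Junos default once the limit is reached


class BridgeDomainMacTable:
    def __init__(self, table_size=5120, domain_limit=LimitPolicy(1024)):
        self.table_size = table_size          # mac-table-size
        self.domain_limit = domain_limit      # bridge-options interface-mac-limit
        self.interface_limits = {}            # ifl -> LimitPolicy (per-interface override)
        self.static = {}                      # mac -> ifl, from static-mac
        self.dynamic = {}                     # mac -> ifl, learned

    def set_interface_limit(self, ifl, limit, packet_action="forward"):
        self.interface_limits[ifl] = LimitPolicy(limit, packet_action)

    def add_static(self, mac, ifl):
        self.static[mac] = ifl
        self.dynamic.pop(mac, None)

    def policy_for(self, ifl):
        """The per-interface value overrides the bridge-domain value."""
        return self.interface_limits.get(ifl, self.domain_limit)

    def learning_budget(self, ifl):
        """Configured limit minus the static addresses on that interface."""
        statics = sum(1 for i in self.static.values() if i == ifl)
        return max(self.policy_for(ifl).limit - statics, 0)

    def learned_on(self, ifl):
        return sum(1 for i in self.dynamic.values() if i == ifl)

    def learn(self, src_mac, ifl):
        """Process one frame's source MAC; returns what happened to it."""
        if src_mac in self.static:
            # A static MAC arriving on a different interface: packets are dropped.
            return "known" if self.static[src_mac] == ifl else "dropped-static-conflict"
        prev = self.dynamic.get(src_mac)
        if prev == ifl:
            return "known"
        if prev is None and len(self.static) + len(self.dynamic) >= self.table_size:
            return "table-full"  # nothing is added until aging frees space
        policy = self.policy_for(ifl)
        if self.learned_on(ifl) >= self.learning_budget(ifl):
            return "dropped" if policy.packet_action == "drop" else "forwarded-unlearned"
        self.dynamic[src_mac] = ifl
        return "moved" if prev else "learned"


def demo():
    """Constructed scenario: domain limit 2 (forward), ge-0/0/3.5 limit 3 (drop)
    with one static MAC, table size 6."""
    bd = BridgeDomainMacTable(table_size=6, domain_limit=LimitPolicy(2))
    bd.set_interface_limit("ge-0/0/3.5", 3, packet_action="drop")
    bd.add_static("00:00:5e:00:53:01", "ge-0/0/3.5")
    steps = [
        ("a", "00:00:5e:00:53:10", "ge-0/0/1.5"),  # learned
        ("b", "00:00:5e:00:53:11", "ge-0/0/1.5"),  # learned (domain limit reached)
        ("c", "00:00:5e:00:53:12", "ge-0/0/1.5"),  # forwarded-unlearned (default action)
        ("d", "00:00:5e:00:53:20", "ge-0/0/3.5"),  # learned (budget 3 - 1 static = 2)
        ("e", "00:00:5e:00:53:21", "ge-0/0/3.5"),  # learned
        ("f", "00:00:5e:00:53:22", "ge-0/0/3.5"),  # dropped (packet-action drop)
        ("g", "00:00:5e:00:53:01", "ge-0/0/1.5"),  # dropped-static-conflict
        ("h", "00:00:5e:00:53:30", "ge-0/0/2.0"),  # learned (table now holds 6)
        ("i", "00:00:5e:00:53:31", "ge-0/0/2.0"),  # table-full
        ("j", "00:00:5e:00:53:10", "ge-0/0/2.0"),  # moved from ge-0/0/1.5
    ]
    return {name: bd.learn(mac, ifl) for name, mac, ifl in steps}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The ordering of the checks (static conflict, then table size, then the per-interface budget) is a modelling choice; the page does not state which check a platform evaluates first when several apply at once.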

Configuring MAC Address Limits on a Logical Interface

You can configure a limit on the number of MAC addresses learned from a specific logical interface. This feature allows the MAC address table space to be distributed among different logical interfaces, thereby avoiding congestion. The MAC address limit can be applied for both VLAN and VPLS routing instances and by default the MAC limit depends on the profile configured. You can limit the number of MAC addresses learned for a bridge domain and a logical interface at the same time.

Configuring MAC Address Limit

You can configure the MAC Address limit by using the set protocols l2-learning global-no-hw-mac-learning CLI command.

Note:

On ACX Series routers, MAC address limiting is supported only on ACX5000 line of routers.

The following configuration example enables limiting MAC address learning on logical interfaces:

[edit protocols]
l2-learning {
    global-no-hw-mac-learning;
}

You can configure a limit to the number of MAC addresses learned from the logical interfaces on an MX Series router.

To configure a limit to the total number of MAC addresses that can be learned from the logical interfaces, include the global-mac-limit limit statement at the [edit protocols l2-learning] hierarchy level.

The default limit to the number of MAC addresses that can be learned by the router as a whole is 393,215. The range that you can configure for the router as a whole is 20 through 1,048,575.

After the configured MAC address limit is reached, the default is for packets to be forwarded. You can specify that the packets be dropped by including the packet-action drop statement at the [edit protocols l2-learning global-mac-limit] hierarchy level:

[edit]
protocols {
    l2-learning {
        global-mac-limit limit {
            packet-action drop;
        }
    }
}

Configuring MAC Address Limit for VLANs

To configure a limit for the number of MAC addresses learned on each logical interface in a VLAN, include the interface-mac-limit limit statement at the [edit vlans vlan-name] hierarchy level. To limit the MAC addresses learned on a specific logical interface of the VLAN, include the interface-mac-limit limit statement at the [edit vlans vlan-name interface interface-name] hierarchy level. To limit the MAC addresses learned on each of the logical interfaces of the VLAN, include the interface-mac-limit limit statement at the [edit vlans vlan-name switch-options] hierarchy level.

The following example configures a limit for the number of MAC addresses learned on a logical interface in a VLAN:

[edit vlans]
vlan10 {
    interface ge-0/0/3.1;
    interface ge-0/0/1.5;
    switch-options {
        interface-mac-limit {
            10;
        }
    }
    interface ge-0/0/1.5 {
        interface-mac-limit {
            20;
        }
    }
}

Configuring MAC Address Limit for VPLS

To configure a limit for the number of MAC addresses learned on each logical interface in a VPLS routing instance, include the interface-mac-limit limit statement at the [edit routing-instances routing-instance-name protocols vpls] hierarchy level. To limit the MAC addresses learned on a specific logical interface of the VPLS instance, include the interface-mac-limit limit statement at the [edit routing-instances routing-instance-name protocols vpls interface interface-name] hierarchy level.

The following example configures a limit for the number of MAC addresses learned on a logical interface in a VPLS routing instance:

[edit routing-instances]
v1 {
    protocols {
        vpls {
            interface-mac-limit {
                10;
            }
            interface ge-0/0/1.3 {
                interface-mac-limit {
                    20;
                }
            }
        }
    }
}

If you have configured an interface MAC address limit for the logical interface in a bridge domain and a global MAC address limit for a bridge domain, then the interface MAC address limit is considered. The following example shows two MAC address limits configured on the interface ge-0/0/3.5 with the global value as 50 and local value as 30. In this case, the MAC address limit of 30 is considered for the interface ge-0/0/3.5 in the bridge domain.

vlan20 {
    interface ge-0/0/1.5;
    interface ge-0/0/3.5;
    switch-options {
        interface-mac-limit {
            50;
        }
        interface ge-0/0/1.5;
        interface ge-0/0/3.5 {
            interface-mac-limit {
                30;
            }
        }
    }
}

CLI Commands to Configure MAC Address Limiting

The following CLI commands are used for configuring MAC address limiting:

  • set protocols l2-learning global-no-hw-mac-learning—Command to change the hardware-based MAC learning to software-based MAC learning mode.

  • set vlans vlan-name switch-options interface-mac-limit limit—Command to configure the MAC address limit for each logical interface in a VLAN. The limit is applied to all logical interfaces belonging to the VLAN for which a separate interface MAC address limit is not configured.

  • set vlans vlan-name switch-options interface interface-name interface-mac-limit limit—Command to configure the interface MAC address limit for a logical interface in a VLAN. The limit is applied to a specific logical interface in the VLAN for which it is configured.

  • set routing-instances routing-instance-name protocols vpls interface-mac-limit limit—Command to configure the MAC address limit for each logical interface in the VPLS routing instance. This limit is applied to all logical interfaces belonging to the VPLS for which a separate interface MAC address limit is not configured.

  • set routing-instances routing-instance-name protocols vpls interface interface-name interface-mac-limit limit—Command to configure the interface MAC address limit for a logical interface in the VPLS. This limit is applied to a specific logical interface in the VPLS for which it is configured.

Enabling MAC Accounting for a Router or a Bridge Domain

By default, MAC accounting is disabled. On MX Series routers, you can enable packet accounting either for the router as a whole or for a specific bridge domain. After you enable packet accounting, the Junos OS maintains packet counters for each MAC address learned.

To enable MAC accounting for an MX Series router, include the global-mac-statistics statement at the [edit protocols l2-learning] hierarchy level:


To enable MAC accounting for a bridge domain, include the mac-statistics statement at the [edit bridge-domains bridge-domain-name bridge-options] hierarchy level:

content_copy zoom_out_map
[edit bridge-domains bridge-domain-name bridge-options]
mac-statistics;

Disabling MAC Learning for a Bridge Domain or Logical Interface

You can disable MAC learning for all logical interfaces in a specified bridge domain, or for a specific logical interface in a bridge domain. Disabling dynamic MAC learning prevents the specified interfaces from learning source MAC addresses.

To disable MAC learning for all logical interfaces in a bridge domain in a virtual switch, include the no-mac-learning statement at the [edit bridge-domains bridge-domain-name bridge-options] hierarchy level:

[edit]
bridge-domains {
    bridge-domain-name {
        domain-type bridge;
        interface interface-name;
        bridge-options {
            no-mac-learning;
        }
    }
}

To disable MAC learning for a specific logical interface in a bridge domain, include the no-mac-learning statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name] hierarchy level.

[edit]
bridge-domains {
    bridge-domain-name {
        domain-type bridge;
        interface interface-name;
        bridge-options {
            interface interface-name {
                no-mac-learning;
            }
        }
    }
}

Note:

When you disable MAC learning, source MAC addresses are not dynamically learned, and any packets sent to these source addresses are flooded into the bridge domain.

Note:

When you gather interfaces into a bridge domain, the no-mac-learn-enable statement at the [edit interfaces interface-name gigether-options ethernet-switch-profile] hierarchy level is not supported. You must use the no-mac-learning statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name] hierarchy level to disable MAC learning on an interface in a bridge domain.

Note:

When MAC learning is disabled for a VPLS routing instance, traffic is not load balanced and only one of the equal-cost next hops is used.

Configuring the MAC Table Timeout Interval

The MAC table aging process ensures that a router tracks only active MAC addresses on the network and is able to flush out addresses that are no longer used.

You can configure the MAC table aging time, the maximum time that an entry can remain in the MAC table before it “ages out,” on all bridge domains, on one or all VPLS instances, or on one or all Ethernet virtual private network (EVPN) instances on the router. This setting influences how efficiently network resources are used: when traffic arrives for a MAC address that is no longer in the table, the router floods that traffic to all interfaces, so the aging time affects how much traffic is flooded.

Depending on how long you want to keep a MAC address in a MAC table before it expires, you can either increase or decrease the aging timer. By default, the timeout interval for all entries in the MAC table is 300 seconds. You can modify the timeout interval for MAC table entries on an MX Series router. You cannot modify the timeout interval for a virtual switch.

Note:

The timeout interval applies only to dynamically learned MAC addresses. This value does not apply to configured static MAC addresses, which never time out.

The range for seconds is from 10 through 1,000,000.

You can modify the timeout interval for a router (at the global level) or on a per-domain basis (bridge domain).

  • To modify the timeout interval for the MAC table for a router:
    [edit protocols l2-learning]
    user@host# set global-mac-table-aging-time time

  • To modify the timeout interval for a bridge domain:
    [edit bridge-domains bridge-domain-name bridge-options]
    user@host# set mac-table-aging-time time

  • To modify the timeout for a VPLS or an Ethernet virtual private network (EVPN) instance within a bridge domain:
    [edit routing-instances routing-instance-name protocols vpls]
    [edit routing-instances routing-instance-name protocols evpn]
    user@host# set mac-table-aging-time time


Example: Loop Detection Using the MAC Move Approach

This example shows how to detect loops using the MAC move approach.

Requirements

This example requires the following hardware and software components:

  • MX Series 3D Universal Edge Routers

  • Junos OS Release 13.2 running on all the devices

Overview

When a MAC address appears on a different physical interface or within a different unit of the same physical interface and if this behavior occurs frequently, it is considered a MAC move.

Configuration errors in the network can force traffic into never-ending circular paths. Once there are loops in the Layer 2 network, one of the symptoms is frequent MAC moves, which can be used to locate and rectify the problem. When a source MAC address is observed moving among the ports, an interface is blocked based on the action-priority configured for the interface. If the action-priority value configured for the interfaces is the same, the last interface in the bridge domain on which the MAC address move occurred is blocked.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set interfaces ge-1/0/4 vlan-tagging 
set interfaces ge-1/0/4 encapsulation flexible-ethernet-services
set interfaces ge-1/0/4 unit 10 encapsulation vlan-bridge
set interfaces ge-1/0/4 unit 10 vlan-id 10
set interfaces ge-1/0/4 unit 11 encapsulation vlan-bridge
set interfaces ge-1/0/4 unit 11 vlan-id 11
set interfaces ge-1/0/5 unit 0 family bridge interface-mode trunk 
set interfaces ge-1/0/5 unit 0 family bridge vlan-id-list 10-12
set interfaces ge-1/0/6 unit 0 family bridge interface-mode trunk
set interfaces ge-1/0/6 unit 0 family bridge vlan-id-list 10-12
set bridge-domains bd10 vlan-id 10
set bridge-domains bd10 enable-mac-move-action
set bridge-domains bd10 bridge-options interface ge-1/0/5.0 action-priority 1
set bridge-domains bd10 bridge-options interface ge-1/0/6.0 action-priority 5
set bridge-domains bd11 vlan-id 11
set bridge-domains bd11 enable-mac-move-action
set bridge-domains bd12 vlan-id 12

In the previous example, all the interfaces in bd10 and bd11, including the trunk interfaces, are monitored. If frequent MAC moves are detected between interfaces ge-1/0/5 and ge-1/0/6, interface ge-1/0/5 is blocked. Blocking on a trunk interface applies only to data traffic for the VLAN on which the MAC move was detected, not to all the VLANs on the trunk. No action is taken if a frequent MAC move is observed in bd12.

Configuring Loop Detection Using the MAC Move Approach

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure loop detection using the MAC address move approach:

  1. Configure the interfaces.

    [edit interfaces]
    user@host# set ge-1/0/4 vlan-tagging
    user@host# set ge-1/0/4 encapsulation flexible-ethernet-services
    user@host# set ge-1/0/4 unit 10 encapsulation vlan-bridge
    user@host# set ge-1/0/4 unit 10 vlan-id 10
    user@host# set ge-1/0/4 unit 11 encapsulation vlan-bridge
    user@host# set ge-1/0/4 unit 11 vlan-id 11
    user@host# set ge-1/0/5 unit 0 family bridge interface-mode trunk
    user@host# set ge-1/0/5 unit 0 family bridge vlan-id-list 10-12
    user@host# set ge-1/0/6 unit 0 family bridge interface-mode trunk
    user@host# set ge-1/0/6 unit 0 family bridge vlan-id-list 10-12
    
  2. Configure the bridge domain parameters.

    [edit bridge-domains]
    user@host# set bd10 vlan-id 10
    user@host# set bd10 enable-mac-move-action
    user@host# set bd10 bridge-options interface ge-1/0/5.0 action-priority 1
    user@host# set bd10 bridge-options interface ge-1/0/6.0 action-priority 5
    user@host# set bd11 vlan-id 11
    user@host# set bd11 enable-mac-move-action
    user@host# set bd12 vlan-id 12
    

Results

From configuration mode, confirm your configuration by entering show interfaces and show bridge-domains commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

user@host# show interfaces
ge-1/0/4 {
    vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 10 {
        encapsulation vlan-bridge;
        vlan-id 10;
    }
    unit 11 {
        encapsulation vlan-bridge;
        vlan-id 11;
    }
}
ge-1/0/5 {
    unit 0 {
        family bridge {
            interface-mode trunk;
            vlan-id-list 10-12;
        }
    }
}
ge-1/0/6 {
    unit 0 {
        family bridge {
            interface-mode trunk;
            vlan-id-list 10-12;
        }
    }
}

user@host# show bridge-domains
bridge-domains {
    bd10 {
        vlan-id 10;
        bridge-options {
            interface ge-1/0/5.0 {
                action-priority 1;
            }
            interface ge-1/0/6.0 {
                action-priority 5;
            }
        }
        enable-mac-move-action;
    }
    bd11 {
        vlan-id 11;
        enable-mac-move-action;
    }
    bd12 {
        vlan-id 12;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying That the Logical Interfaces Blocked Due to MAC Move Are Displayed

Purpose

Ensure that the current set of logical interfaces blocked due to a MAC move, if any, are displayed.

Action

From operational mode, enter the show l2-learning mac-move-buffer active command.

user@host> show l2-learning mac-move-buffer active
MAC Address: 00:00:00:00:01:01, VLAN Id: 0
    Time Rec : 2012-06-25 06:23:41   Bridge Domain: bd10
    Prev IFL : ge-1/0/5.0            New IFL: ge-1/0/6.0
    IFBD     : ge-1/0/6.0:10         Blocked  : YES

Meaning

As a result of MAC move detection, one of the involved interface bridge domains (IFBDs) is blocked. The output shows that the ge-1/0/6.0 logical interface is blocked in bridge domain bd10.
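The Overview above states the blocking rule (the interface chosen by action-priority, or on a tie the last interface on which the move occurred, blocked only for the bridge domain concerned), and the Verification step shows the mac-move-buffer output an operator reads afterwards. The following Python model, added here as an illustration and not Junos code, applies that rule to a constructed stream of frames and parses the output format shown above so that blocked IFBDs can be pulled into monitoring. The move threshold, the time window, the default priority for interfaces without action-priority, and the reading that the lower action-priority value is blocked first (taken from the example in which ge-1/0/5.0 with priority 1 is blocked rather than ge-1/0/6.0 with priority 5) are assumptions of the model.

```python
"""Loop detection by MAC move, modelled after the rule described above, plus a
parser for 'show l2-learning mac-move-buffer active' output.
Added example, not Junos code; threshold, window and default priority are assumptions."""
import re
from collections import deque


class MacMoveDetector:
    """Tracks the interface each MAC was last seen on, per bridge domain.
    `monitored` stands for the bridge domains configured with
    enable-mac-move-action. When a MAC moves `threshold` times within `window`
    seconds, one of the two interfaces involved is blocked for that bridge
    domain only (an IFBD), so other VLANs on a trunk keep flowing."""

    DEFAULT_PRIORITY = 4  # assumption for interfaces with no action-priority set

    def __init__(self, monitored, action_priority=None, threshold=3, window=5.0):
        self.monitored = set(monitored)
        self.action_priority = dict(action_priority or {})  # (bd, ifl) -> value
        self.threshold = threshold
        self.window = window
        self.location = {}    # (bd, mac) -> ifl last seen
        self.moves = {}       # (bd, mac) -> timestamps of recent moves
        self.blocked = set()  # (bd, ifl) pairs currently blocked

    def choose_victim(self, bd, prev_ifl, new_ifl):
        # Lower action-priority value is blocked (assumption from the page's example);
        # on a tie, the last interface on which the move occurred is blocked.
        p_prev = self.action_priority.get((bd, prev_ifl), self.DEFAULT_PRIORITY)
        p_new = self.action_priority.get((bd, new_ifl), self.DEFAULT_PRIORITY)
        return prev_ifl if p_prev < p_new else new_ifl

    def observe(self, bd, mac, ifl, ts):
        """Process one frame; returns 'dropped', 'ok', 'moved' or 'blocked:<ifl>'."""
        if (bd, ifl) in self.blocked:
            return "dropped"
        prev = self.location.get((bd, mac))
        self.location[(bd, mac)] = ifl
        if prev is None or prev == ifl or bd not in self.monitored:
            return "ok"
        recent = self.moves.setdefault((bd, mac), deque())
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # forget moves that fell out of the window
        if len(recent) < self.threshold:
            return "moved"
        victim = self.choose_victim(bd, prev, ifl)
        self.blocked.add((bd, victim))
        recent.clear()
        return "blocked:" + victim


# One record of the mac-move-buffer output, in the layout shown on this page.
RECORD_RE = re.compile(
    r"MAC Address: (?P<mac>[0-9a-fA-F:]{17}), VLAN Id: (?P<vlan>\d+)\s*\n"
    r"\s*Time Rec\s*:\s*(?P<time>\S+ \S+)\s+Bridge Domain:\s*(?P<bd>\S+)\s*\n"
    r"\s*Prev IFL\s*:\s*(?P<prev>\S+)\s+New IFL:\s*(?P<new>\S+)\s*\n"
    r"\s*IFBD\s*:\s*(?P<ifbd>\S+)\s+Blocked\s*:\s*(?P<blocked>\S+)")


def parse_mac_move_buffer(text):
    """Return one dict per record; 'blocked' is converted to a bool."""
    return [dict(m.groupdict(), blocked=m.group("blocked").upper() == "YES")
            for m in RECORD_RE.finditer(text)]


def blocked_ifbds(text):
    """IFBDs (interface:vlan) the router reports as blocked, for alerting."""
    return [r["ifbd"] for r in parse_mac_move_buffer(text) if r["blocked"]]


# Sample output, copied from the Verification section above.
SAMPLE_OUTPUT = """\
MAC Address: 00:00:00:00:01:01, VLAN Id: 0
    Time Rec : 2012-06-25 06:23:41   Bridge Domain: bd10
    Prev IFL : ge-1/0/5.0            New IFL: ge-1/0/6.0
    IFBD     : ge-1/0/6.0:10         Blocked  : YES
"""


def simulate():
    """Constructed frame stream mirroring the example configuration:
    bd10 and bd11 monitored, priorities 1 and 5 in bd10 only, bd12 unmonitored."""
    det = MacMoveDetector(monitored={"bd10", "bd11"},
                          action_priority={("bd10", "ge-1/0/5.0"): 1,
                                           ("bd10", "ge-1/0/6.0"): 5})
    frames = [
        ("bd10", "00:00:00:00:01:01", "ge-1/0/5.0", 0.0),
        ("bd10", "00:00:00:00:01:01", "ge-1/0/6.0", 0.5),
        ("bd10", "00:00:00:00:01:01", "ge-1/0/5.0", 1.0),
        ("bd10", "00:00:00:00:01:01", "ge-1/0/6.0", 1.5),  # third move: block priority 1
        ("bd10", "00:00:00:00:02:02", "ge-1/0/5.0", 2.0),  # bd10 on ge-1/0/5.0 is blocked
        ("bd12", "00:00:00:00:03:03", "ge-1/0/5.0", 2.0),  # same trunk, other VLAN: fine
        ("bd12", "00:00:00:00:03:03", "ge-1/0/6.0", 2.5),  # bd12 is not monitored
        ("bd11", "00:00:00:00:04:04", "ge-1/0/5.0", 3.0),
        ("bd11", "00:00:00:00:04:04", "ge-1/0/6.0", 3.2),
        ("bd11", "00:00:00:00:04:04", "ge-1/0/5.0", 3.4),
        ("bd11", "00:00:00:00:04:04", "ge-1/0/6.0", 3.6),  # tie: last interface blocked
    ]
    return [det.observe(*f) for f in frames]
```

The simulation returns one outcome per frame; the parser is what a collector would run over the real command output to raise an alert when any IFBD reports Blocked: YES.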

Preventing Communication Among Customer Edge Devices on ACX Routers

In a bridge domain, when a frame is received from a CE interface, it is flooded to the other CE interfaces and all of the provider edge (PE) interfaces if the destination MAC address is not learned or if the frame is either broadcast or multicast. If the destination MAC address is learned on another CE device, such a frame is unicasted to the CE interface on which the MAC address is learned. This might not be desirable if the service provider does not want CE devices to communicate with each other directly.

To prevent CE devices from communicating directly, include the no-local-switching statement at the [edit bridge-domains bridge-domain-name] hierarchy level. Configure the core-facing logical interfaces in the bridge domain (the PE interfaces) by including the core-facing statement at the [edit interfaces interface-name unit logical-unit-number family family] hierarchy level; this specifies that the VLAN is physically connected to a core-facing ISP router and ensures that the network does not improperly treat the interface as a client interface. With no-local-switching configured, traffic from one CE interface is not forwarded to another CE interface.

With the no-local-switching option, an integrated routing and bridging (IRB) interface configured on the bridge domain is not treated as a designated CE or PE interface: traffic arriving from a CE or PE interface can be forwarded to the IRB, and traffic entering from the IRB can be forwarded out of a CE or PE interface. Disabling local switching provides split-horizon behavior within the bridge domain. If no-local-switching is configured in a bridge domain, traffic cannot flow between CE interfaces. This includes known unicast and multicast, unknown unicast and multicast, and broadcast traffic. Traffic continues to be forwarded between CE and PE interfaces and between PE interfaces.
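The forwarding rule just described can be checked against a small model. The following Python bridge, added here as an illustration and not Junos code, learns source MACs, floods unknown unicast, multicast and broadcast, unicasts known destinations, and applies the no-local-switching split-horizon rule between CE interfaces while leaving CE-to-PE, PE-to-PE and IRB paths open. The interface roles ("ce" for customer-facing, "pe" for interfaces configured core-facing, "irb" for the IRB), the interface names and the sample MAC addresses are assumptions of the model.

```python
"""Toy bridge domain that models the no-local-switching (split-horizon) rule.
Added example, not Junos code. Interface roles are an assumption of the model:
'ce' for customer-facing, 'pe' for interfaces configured core-facing, and
'irb' for the IRB, which is treated as neither CE nor PE."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """True for broadcast and multicast MACs (I/G bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


class SplitHorizonBridge:
    def __init__(self, roles, no_local_switching=True):
        self.roles = dict(roles)                  # ifl -> "ce" | "pe" | "irb"
        self.no_local_switching = no_local_switching
        self.mac_table = {}                       # mac -> ifl it was learned on

    def _allowed(self, ingress, egress):
        """May a frame received on `ingress` leave on `egress`?"""
        if egress == ingress:
            return False
        if (self.no_local_switching
                and self.roles[ingress] == "ce" and self.roles[egress] == "ce"):
            return False  # CE-to-CE is the only path split-horizon removes
        return True

    def forward(self, ingress, src_mac, dst_mac):
        """Learn src_mac on ingress, then return the set of egress interfaces."""
        self.mac_table[src_mac] = ingress
        if not is_group_address(dst_mac) and dst_mac in self.mac_table:
            out = self.mac_table[dst_mac]
            # Known unicast: deliver to the learned interface, or drop if CE-to-CE.
            return {out} if self._allowed(ingress, out) else set()
        # Unknown unicast, multicast or broadcast: flood to every allowed interface.
        return {ifl for ifl in self.roles if self._allowed(ingress, ifl)}


def demo():
    """Constructed topology: two CE interfaces, two core-facing (PE) interfaces, one IRB."""
    roles = {"ge-0/0/1.0": "ce", "ge-0/0/2.0": "ce",
             "ge-0/1/0.0": "pe", "ge-0/1/1.0": "pe", "irb.0": "irb"}
    host_a, host_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    bd = SplitHorizonBridge(roles)
    plain = SplitHorizonBridge(roles, no_local_switching=False)
    return {
        "ce_broadcast": bd.forward("ge-0/0/1.0", host_a, BROADCAST),
        "ce_broadcast_local_switching": plain.forward("ge-0/0/1.0", host_a, BROADCAST),
        "ce_learn_b": bd.forward("ge-0/0/2.0", host_b, BROADCAST),
        "ce_to_ce_known": bd.forward("ge-0/0/1.0", host_a, host_b),
        "pe_to_ce_known": bd.forward("ge-0/1/0.0", "00:00:5e:00:53:99", host_b),
        "irb_to_ce_known": bd.forward("irb.0", "00:00:5e:00:53:fe", host_b),
        "pe_unknown": bd.forward("ge-0/1/1.0", "00:00:5e:00:53:98", "00:00:5e:00:53:77"),
    }


if __name__ == "__main__":
    for case, egress in demo().items():
        print(case, sorted(egress))
```

The "ce_to_ce_known" case is the one the text singles out: host_b is already learned on the other CE interface, yet the frame from ge-0/0/1.0 gets an empty egress set instead of being unicast to it, while the same destination is reachable from a PE interface and from the IRB.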
