Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configure MAC Address for Layer 2 Learning and Forwarding

Configuring Static MAC Addresses for Logical Interfaces in a Bridge Domain

You can manually add static MAC entries for the logical interfaces in a bridge domain. You can specify one or more static MAC addresses for each logical interface.

To add a static MAC address for a logical interface in a bridge domain, include the static-mac mac-address statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name] hierarchy level.

You can optionally specify a VLAN identifier for the static MAC address by using the vlan-id statement. To specify a VLAN identifier for a static MAC address, you must use the all option when configuring a VLAN identifier for the bridge domain.

Note:

If a static MAC address you configure for a logical interface appears on a different logical interface, packets sent to that interface are dropped.

Configuring the Size of the MAC Address Table for a Bridge Domain

You can modify the size of the MAC address table for each bridge domain. The default table size is 5120 addresses. The minimum you can configure is 16 addresses, and the maximum is 1,048,575 addresses.

If the MAC table limit is reached, new addresses can no longer be added to the table. Unused MAC addresses are removed from the MAC address table automatically. This frees space in the table, allowing new entries to be added.

To modify the size of the MAC table, include the mac-table-size limit statement at the [edit bridge-domains bridge-domain-name bridge-options] hierarchy level:

Limiting MAC Addresses Learned from an Interface in a Bridge Domain

You can configure a limit on the number of MAC addresses learned from a specific bridge domain or from a specific logical interface that belongs to a bridge domain.

To configure a limit for the number of MAC addresses learned from each logical interface in a bridge domain, include the interface-mac-limit limit statement at the [edit bridge-domains bridge-domain-name bridge-options] hierarchy level:

To limit the number of MAC addresses learned from a specific logical interface in a bridge domain or an entire bridge domain, include the interface-mac-limit limit statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name] or [edit bridge-domains bridge-domain-name bridge-options] hierarchy level:

For an access port, the default limit on the maximum number of MAC addresses that can be learned on an access port is 1024. Because an access port can be configured in only one bridge domain in a network topology, the default limit is 1024 addresses, which is same as the limit for MAC addresses learned on a logical interface in a bridge domain (configured by including the interface-mac-limit limit statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name] or [edit bridge-domains bridge-domain-name bridge-options] hierarchy level.

For a trunk port, the default limit on the maximum number of MAC addresses that can be learned on a trunk port is 8192. Because a trunk port can be associated with multiple bride domains, the default limit is the same as the limit for MAC addresses learned on a logical interface in a virtual switch instance (configured by including the interface-mac-limit limit statement at the [edit routing-instances routing-instance-name switch- options interface interface-name] for a virtual switch instance).

The value you configure for a specific logical interface overrides any value you specify for the entire bridge domain at the [edit bridge-domains bridge-domain-name bridge-options] hierarchy level.

The default limit to the number of MAC addresses that can be learned on a logical interface is 1024. The range that you can configure for a specific logical interface is 1 through 131,071.

After the MAC address limit is reached, the default is for any incoming packets with a new source MAC address to be forwarded. You can specify that the packets be dropped by including the packet-action drop statement. To specify that packets be dropped for the entire bridge domain, include the packet-action drop statement at the [edit bridge-domains bridge-domain-name bridge-options interface-mac-limit limit] hierarchy level:

To specify that the packets be dropped for a specific logical interface in a bridge domain, include the packet-action drop statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name interface-mac-limit limit] hierarchy level:

Note:

The behavior is different for some configurations. For aggregated Ethernet interfaces and label-switched interfaces, the behavior is to learn all the new MAC addresses even when the limit has been reached. The excess addresses are later deleted. The learning limit does not apply to bridge domain trunk ports, because they have no counters for the individual domains, and those domains might have different MAC learning limits.

Note:

When static MAC addresses are configured, the learning limit is the configured limit minus the number of static addresses.
Note:

On MX Series routers running Junos OS Release 8.4 and later, statistics for an aged destination MAC entry are not retained. In addition, source and destination statistics are reset during a MAC move. In previous releases, only source statistics were reset during a MAC move.

You can also configure a limit to the number of MAC addresses learned for an MX Series router.

Configuring MAC Address Limits on a Logical Interface

You can configure a limit on the number of MAC addresses learned from a specific logical interface. This feature allows the MAC address table space to be distributed among different logical interfaces, thereby avoiding congestion. The MAC address limit can be applied for both VLAN and VPLS routing instances and by default the MAC limit depends on the profile configured. You can limit the number of MAC addresses learned for a bridge domain and a logical interface at the same time.

Configuring MAC Address Limit

You can configure the MAC Address limit by using the set protocols l2-learning global-no-hw-mac-learning CLI command.

Note:

On ACX Series routers, MAC address limiting is supported only on ACX5000 line of routers.

The following configuration example enables limiting MAC address learning on logical interfaces:

You can configure a limit to the number of MAC addresses learned from the logical interfaces on an MX Series router.

To configure a limit to the total number of MAC addresses that can be learned from the logical interfaces, include the global-mac-limit limit statement at the [edit protocols l2-learning] hierarchy level:

The default limit to the number of MAC addresses that can be learned the router as a whole is 393,215. The range that you can configure for the router as a whole is 20 through 1,048,575.

After the configured MAC address limit is reached, the default is for packets to be forwarded. You can specify that the packets be dropped by including the packet-action drop statement at the [edit protocols l2-learning global-mac-limit] hierarchy level:

Configuring MAC Address Limit for VLANs

To configure a limit for the number of MAC addresses learned on each logical interface in a VLAN, include the interface-mac-limit limit statement at the [edit vlans vlan-name] hierarchy level. To limit the MAC addresses learned on a specific logical interface of the VLAN, include the interface-mac-limit limit statement at the [edit vlans vlan-name interface interface-name] hierarchy level. To limit the MAC addresses learned on each of the logical interfaces of the VLAN, include the interface-mac-limit limit statement at the [edit vlans vlan-name switch-options] hierarchy level.

The following example configures a limit for the number of MAC addresses learned on a logical interface in a VLAN:

Configuring MAC Address Limit for VPLS

To configure a limit for the number of MAC addresses learned on each logical interface in a VPLS routing instance, include the interface-mac-limit limit statement at the [edit routing-instances routing-instance-name protocols vpls] hierarchy level. To limit the MAC addresses learned on a specific logical interface of the VPLS instance, include the interface-mac-limit limit statement at the [edit routing-instances routing-instance-name protocols vpls interface interface-name] hierarchy level.

The following is an example to configure a limit for the number of MAC addresses learned on a logical interface in VPLS routing instance:

If you have configured an interface MAC address limit for the logical interface in a bridge domain and a global MAC address limit for a bridge domain, then the interface MAC address limit is considered. The following example shows two MAC address limits configured on the interface ge-0/0/3.5 with the global value as 50 and local value as 30. In this case, the MAC address limit of 30 is considered for the interface ge-0/0/3.5 in the bridge domain.

CLI Commands to Configure MAC Address Limiting

The following CLI commands are used for configuring MAC address limiting:

  • set protocols l2-learning global-no-hw-mac-learning—Command to change the hardware-based MAC learning to software-based MAC learning mode.

  • set vlans vlan-name switch-options interface-mac-limit limit—Command to configure the MAC address limit for each logical interface in a VLAN. The limit is applied to all logical interfaces belonging to the VLAN for which a separate interface MAC address limit is not configured.

  • set vlans vlan-name switch-options interface interface-name interface-mac-limit limit—Command to configure the interface MAC address limit for a logical interface in a VLAN. The limit is applied to a specific logical interface in the VLAN for which it is configured.

  • set routing-instances routing-instance-name protocols vpls interface-mac-limit limit—Command to configure the MAC address limit for each logical interface in the VPLS routing instance. This limit is applied to all logical interfaces belonging to the VPLS for which a separate interface MAC address limit is not configured.

  • set routing-instances routing-instance-name protocols vpls interface interface-name interface-mac-limit limit—Command to configure the interface MAC address limit for a logical interface in the VPLS. This limit is applied to a specific logical interface in the VPLS for which it is configured.

Enabling MAC Accounting for a Router or a Bridge Domain

By default, MAC accounting is disabled. On MX Series routers, you can enable packet accounting either for the router as a whole or for a specific bridge domain. After you enable packet accounting, the Junos OS maintains packet counters for each MAC address learned.

To enable MAC accounting for an MX Series router, include the global-mac-statistics statement at the [edit protocols l2-learning] hierarchy level:

To enable MAC accounting for a bridge domain, include the mac-statistics statement at the [edit bridge-domains bridge-domain-name bridge-options] hierarchy level:

Disabling MAC Learning for a Bridge Domain or Logical Interface

You can disable MAC learning for all logical interfaces in a specified bridge domain, or for a specific logical interface in a bridge domain. Disabling dynamic MAC learning prevents the specified interfaces from learning source MAC addresses.

To disable MAC learning for all logical interfaces in a bridge domain in a virtual switch, include the no-mac-learning statement at the [edit bridge-domains bridge-domain-name bridge-options] hierarchy level:

To disable MAC learning for a specific logical interface in a bridge domain, include the no-mac-learning statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name] hierarchy level.

Note:

When you disable MAC learning, source MAC addresses are not dynamically learned, and any packets sent to these source addresses are flooded into the bridge domain.

Note:

When you gather interfaces into a bridge domain, the no-mac-learn-enable statement at the [edit interfaces interface-name gigether-options ethernet-switch-profile] hierarchy level is not supported. You must use the no-mac-learning statement at the [edit bridge-domains bridge-domain-name bridge-options interface interface-name] hierarchy level to disable MAC learning on an interface in a bridge domain.

Note:

When MAC learning is disabled for a VPLS routing instance, traffic is not load balanced and only one of the equal-cost next hops is used.

Configuring the MAC Table Timeout Interval

The MAC table aging process ensures that a router tracks only active MAC addresses on the network and is able to flush out address that are no longer used.

You can configure the MAC table aging time, the maximum time that an entry can remain in the MAC table before it “ages out,” on all bridge domains, one or all VPLS instances, or one or all Ethernet virtual private network (EVPNs) instances on the router. This configuration can influence efficiency of network resource use by affecting the amount of traffic that is flooded to all interfaces because when traffic is received for MAC addresses no longer in the Ethernet routing table, the router floods the traffic to all interfaces.

Depending on how long you want to keep a MAC address in a MAC table before it expires, you can either increase or decrease the aging timer. By default, the timeout interval for all entries in the MAC table is 300 seconds. You can modify the timeout interval for MAC table entries on an MX Series router. You cannot modify the timeout interval for a virtual switch.

Note:

The timeout interval applies only to dynamically learned MAC addresses. This value does not apply to configured static MAC addresses, which never time out.

The range for seconds is from 10 through 1,000,000.

You can modify the timeout interval for a router(at the global level) or on a per-domain basis (bridge domain).

  • To modify the timeout interval for the MAC table for a router:
  • To modify the timeout interval for a bridge domain:
  • To modify the timeout for a VPLS or an Ethernet virtual private network (EVPN) instance within a bridge domain:

Example: Loop Detection Using the MAC Move Approach

This example shows how to detect loops using the MAC move approach.

Requirements

This example requires the following hardware and software components:

  • MX Series 3D Universal Edge Routers

  • Junos OS Release 13.2 running on all the devices

Overview

When a MAC address appears on a different physical interface or within a different unit of the same physical interface and if this behavior occurs frequently, it is considered a MAC move.

Configuration errors at the network can force traffic into never ending circular paths. Once there are loops in the Layer 2 network, one of the symptoms is frequent MAC moves, which can be used for rectification of the problem. When it is observed that a source MAC address is moving among the ports, interface is blocked based on the configured action-priority for the interface. If the action-priority value configured for interfaces is the same, the last interface for the bridge domain on which the MAC address move occurred is blocked.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

In the previous example, all the interfaces, including the trunk interfaces in bd10 and bd11 will be monitored. If there are frequent MAC moves detected within interfaces ge-1/0/5 and ge-1/0/6, interface ge-1/0/5 is blocked. The blocking for trunk interfaces is such that data traffic only for a VLAN (on which the MAC move is detected) will be blocked and not for all the VLANs in the trunk. No action will be taken if a frequent MAC move is observed in bd12.

Configuring Loop Detection Using the MAC Move Approach

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure loop detection using the MAC address move approach:

  1. Configure the interfaces.

  2. Configure the bridge domain parameters.

Results

From configuration mode, confirm your configuration by entering show interfaces and show bridge-domains commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying That the Logical Interfaces Blocked Due to MAC Move Are Displayed

Purpose

Ensure that the current set of logical interfaces blocked due to a MAC move, if any, are displayed.

Action

From operational mode, enter the show l2-learning mac-move-buffer active command.

Meaning

As a result of MAC move detection, one of the involved interface bridge domains will be blocked. The output shows that the ge-1/0/6 logical interface is blocked.

See Also

Preventing Communication Among Customer Edge Devices as ACX Routers

In a bridge domain, when a frame is received from a CE interface, it is flooded to the other CE interfaces and all of the provider edge (PE) interfaces if the destination MAC address is not learned or if the frame is either broadcast or multicast. If the destination MAC address is learned on another CE device, such a frame is unicasted to the CE interface on which the MAC address is learned. This might not be desirable if the service provider does not want CE devices to communicate with each other directly.

To prevent CE devices from communicating directly, include the no-local-switching statement at the [edit bridge-domains bridge-domain-name] hierarchy level. Configure the logical interfaces in the bridge domain as core-facing (PE interfaces) by including the core-facing statement at the [edit interfaces interface-nameunit logical-unit-number family family] hierarchy level to specify that the VLAN is physically connected to a core-facing ISP router and ensures that the network does not improperly treat the interface as a client interface. When specified, traffic from one CE interface is not forwarded to another CE interface.

For the no-local-switching option , integrated routing and bridging (IRB) configured on a bridge domain with this option enabled is not treated as a designated CE or PE interface. Traffic arriving from a CE or PE interface can navigate towards IRB and traffic that reaches in the input direction to the IRB can pass out of a CE or PE interface. The disabling of local switching achieves the functionality of split-horizon in a bridge domain. If no-local-switching is configured in a bridge domain, , then traffic cannot flow between CE and CE interfaces. This stoppage of trafic flow includes known unicast and multicast, unknown unicast and multicast, and broadcast traffic. However, traffic continues to be transmitted between CE and PE interfaces, and PE and PE interfaces..