MAC Addresses
Introduction to the Media Access Control (MAC) Layer 2 Sublayer
This topic provides an introduction to the MAC sublayer of the data link layer (Layer 2).
In Layer 2 of a network, the Media Access Control (MAC) sublayer provides addressing and channel access control mechanisms that enable several terminals or network nodes to communicate in a network.
The MAC sublayer acts as an interface between the logical link control (LLC) Ethernet sublayer and Layer 1 (the physical layer). The MAC sublayer emulates a full-duplex logical communication channel in a multipoint network. This channel may provide unicast, multicast, or broadcast communication service. The MAC sublayer uses MAC protocols to prevent collisions.
In Layer 2, multiple devices on the same physical link can uniquely identify one another at the data link layer, by using the MAC addresses that are assigned to all ports on a switch. A MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC address.
A MAC address is a 12-digit hexadecimal number (48 bits long). MAC addresses are usually written in one of these formats:
MM:MM:MM:SS:SS:SS
MM-MM-MM-SS-SS-SS
The first half of a MAC address contains the ID number of the adapter manufacturer. These IDs are regulated by an Internet standards body. The second half of a MAC address represents the serial number assigned to the adapter by the manufacturer.
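The two written formats and the manufacturer/serial split described above can be checked mechanically. The following parser is an added example, not Juniper code. It goes one step beyond the page by also reporting the group and locally administered bits of the first octet (IEEE 802 convention), and the function names and sample addresses are constructed for illustration.

```python
import re

# Both written forms from this page: MM:MM:MM:SS:SS:SS and MM-MM-MM-SS-SS-SS.
# The back-reference \1 rejects addresses that mix the two separators.
_MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")

def parse_mac(text):
    """Return the parts of a MAC address, or raise ValueError if malformed."""
    text = text.strip()
    if not _MAC_RE.fullmatch(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = [int(group, 16) for group in re.split("[:-]", text)]
    return {
        "canonical": ":".join(f"{o:02x}" for o in octets),
        "manufacturer_id": "".join(f"{o:02x}" for o in octets[:3]),
        "serial": "".join(f"{o:02x}" for o in octets[3:]),
        # Bits of the first octet (IEEE 802 convention, not stated on the page).
        "group": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
    }

def audit(entries):
    """Split entries into (needs_review, rejected).

    needs_review: valid addresses that are group or locally administered,
    which should not appear as a burned-in source address.
    """
    needs_review, rejected = [], []
    for entry in entries:
        try:
            mac = parse_mac(entry)
        except ValueError:
            rejected.append(entry)
            continue
        if mac["group"] or mac["locally_administered"]:
            needs_review.append(mac["canonical"])
    return needs_review, rejected

# Constructed sample input (not taken from any real device).
SAMPLE = ["00-00-5E-00-53-01", "aa:bb:cc:dd:ee:00", "01:00:5e:00:53:02",
          "00:00:5e:00:53", "00:00-5e:00:53:01"]

if __name__ == "__main__":
    print(audit(SAMPLE))
```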
Contrast MAC addressing, which works at Layer 2, with IP addressing, which runs at Layer 3 (networking and routing). One way to remember the difference is that the MAC addresses apply to a physical or virtual node, whereas IP addresses apply to the software implementation of that node. MAC addresses are typically fixed on a per-node basis, whereas IP addresses change when the node moves from one part of the network to another.
IP networks maintain a mapping between the IP and MAC addresses of a node using the Address Resolution Protocol (ARP) table. DHCP also typically uses MAC addresses when assigning IP addresses to nodes.
Understanding MAC Address Assignment on an EX Series Switch
This topic describes MAC address assignment for interfaces on standalone Juniper Networks EX Series Ethernet Switches. For information regarding MAC address assignments in a Virtual Chassis, see Understanding MAC Address Assignment on a Virtual Chassis.
MAC addresses are used to identify network devices at Layer 2. Because all Layer 2 traffic decisions are based on an interface’s MAC address, understanding MAC address assignment is important to understanding how network traffic is forwarded and received by the switch. For additional information on how a network uses MAC addresses to forward and receive traffic, see Understanding Bridging and VLANs on Switches.
A MAC address comprises six groups of two hexadecimal digits, with each group separated from the next group by a colon—for instance, aa:bb:cc:dd:ee:00. The first five groups of hexadecimal digits are derived from the switch and are the same for all interfaces on the switch.
The assignment of a unique MAC address to each network interface helps ensure that functions that require MAC address differentiation—such as redundant trunk groups (RTGs), Link Aggregation Control Protocol (LACP), and general monitoring functions—can properly function.
On switches that use line cards, this MAC addressing scheme differentiates the Layer 2 interfaces on different line cards in the switch.
For EX Series switches, the first five groups of hexadecimal digits are determined when the switch is manufactured. The switch then assigns a unique MAC address to each interface by assigning a unique identifier as the last group of hexadecimal digits. The assignment depends on how the interface is configured. The switch uses one pattern for an interface that is configured as a routed VLAN interface (RVI), a virtual management Ethernet (VME) interface, or an aggregated Ethernet interface, and a different pattern for an interface that is not configured as any of these.
For aggregated Ethernet interfaces, the MAC address assignment remains constant regardless of whether the configuration of the interface is Layer 2 or Layer 3.
In Junos OS Release 11.3 and later releases through Release 12.1, the MAC address assignment for aggregated Ethernet interfaces changes if the interface is changed from Layer 2 to Layer 3 or the reverse. Starting with Junos Release 12.2, the MAC address assignment for aggregated Ethernet interfaces remains constant regardless of whether the interface is Layer 2 or Layer 3.
Prior to Junos OS Release 11.3, MAC addresses for Layer 2 interfaces could be shared between interfaces and RVIs on different line cards in the same switch. However, if you upgrade from Junos OS Release 11.2 or earlier to Junos OS Release 11.3 or later on a switch that supports line cards, the MAC addresses of these interfaces will change.
MAC addresses are assigned to interfaces automatically—no user configuration is possible or required. You can view MAC addresses assigned to interfaces using the show interfaces command.
Configuring MAC Move Parameters
When a MAC address appears on a different physical interface or within a different unit of the same physical interface and this behavior occurs frequently, it is considered a MAC move. You can configure the router to report a MAC address move based on the following parameters: the number of times a MAC address move occurs, a specified period of time over which the MAC address move occurs, and a specified number of times a MAC address move occurs in one second. You can only configure the global-mac-move statement at the global hierarchy level.
To globally disable the MAC move action feature, include the disable-action statement at the [edit protocols l2-learning global-mac-move] hierarchy level. This disables the MAC move action feature, while MAC move detection remains in effect.
To configure the time duration after which the port will be unblocked, include the reopen-time statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default reopen timer is 180 seconds.
To configure MAC address move reporting if the MAC address moves at least a specified number of times in one second, include the threshold-time statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default threshold time is 1 second.
To configure reporting of a MAC address move if the MAC address moves for a specified period of time, include the notification-time statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default notification timer is 1 second.
To configure reporting of a MAC address move if the MAC address moves a specified number of times, include the threshold-count statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default threshold count is 50 moves.
Use the show l2-learning mac-move-buffer command to view the actions taken as a result of the MAC address move feature.
Use the show l2-learning mac-move-buffer active command to view the set of IFLs blocked as a result of the MAC move action.
Use the exclusive-mac command to exclude a MAC address from the MAC move limit algorithm, preventing the MAC address from being tracked.
Use the clear l2-learning mac-move-buffer active command to unblock the IFBDs that were blocked by the MAC move action feature. This allows the user to keep the reopen-time configured to a large value and, once the looping error is fixed, manually release the blocking.
The following example sets the notification time for MAC moves to 1 second, the threshold time to 1 second, reopen-time to 180 seconds and the threshold count to 50 moves.
[edit protocols l2-learning]
global-mac-move {
    notification-time 1;
    reopen-time 180;
    threshold-count 50;
    threshold-time 1;
}
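To see how threshold-count, threshold-time, and reopen-time interact, the following added example (not Juniper code) replays constructed MAC learn events through a simplified sliding-window model that uses the defaults quoted above. It assumes the interface on which the threshold-crossing move is seen is the one that gets blocked, and it does not model notification-time; all names and events are hypothetical.

```python
from collections import defaultdict, deque

# Defaults quoted on this page for global-mac-move.
THRESHOLD_COUNT = 50     # moves
THRESHOLD_TIME = 1.0     # seconds
REOPEN_TIME = 180.0      # seconds

def detect_mac_moves(events, count=THRESHOLD_COUNT, window=THRESHOLD_TIME,
                     reopen=REOPEN_TIME):
    """Simplified model (an assumption, not the Junos algorithm).

    events: time-ordered (timestamp_s, mac, interface) learn events.
    Returns (timestamp_s, mac, blocked_interface, reopen_at_s) tuples.
    """
    last_port = {}                 # mac -> interface it was last learned on
    moves = defaultdict(deque)     # mac -> timestamps of recent moves
    blocked_until = {}             # interface -> time the block is lifted
    actions = []
    for ts, mac, port in events:
        if blocked_until.get(port, 0.0) > ts:
            continue               # blocked interface: nothing is learned
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue               # first sighting or same interface
        recent = moves[mac]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()       # keep only moves inside the window
        if len(recent) >= count:
            blocked_until[port] = ts + reopen
            actions.append((ts, mac, port, ts + reopen))
            recent.clear()
    return actions

def constructed_events():
    """Constructed sample: one looping MAC and one host that roams once."""
    loop = [(i / 100, "aa:bb:cc:dd:ee:01", f"ge-0/0/{1 + i % 2}")
            for i in range(60)]
    roam = [(0.2, "aa:bb:cc:dd:ee:02", "ge-0/0/3"),
            (0.4, "aa:bb:cc:dd:ee:02", "ge-0/0/4")]
    return sorted(loop + roam)

if __name__ == "__main__":
    for action in detect_mac_moves(constructed_events()):
        print("block", action)
```

In the sample, only the address that flaps between two interfaces every 10 ms crosses the threshold. The host that moves once is left alone, and once the interface is blocked the flapping stops being learned.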
Configuring MAC Limiting (ELS)
This topic describes the different ways of configuring a limitation on MAC addresses in packets that are received and forwarded by the device.
The tasks presented in this section use Junos OS for EX Series switches, QFX3500 and QFX3600 switches, and PTX Series routers that support the Enhanced Layer 2 Software (ELS) configuration style. See Using the Enhanced Layer 2 Software CLI for more information about ELS configurations.
For information on configuring an interface to automatically recover from a shutdown caused by MAC limiting, see Configuring Autorecovery for Port Security Events. If you do not configure the device for autorecovery from the disabled condition, you can bring up the disabled interfaces by running the clear ethernet-switching recovery-timeout command.
The different ways of setting a MAC limit are described in the following sections:
- Limiting the Number of MAC Addresses Learned by an Interface
- Limiting the Number of MAC Addresses Learned by a VLAN
- Limiting the Number of MAC Addresses Learned by an Interface in a VLAN
Limiting the Number of MAC Addresses Learned by an Interface
On PTX Series routers, you can limit the number of MAC addresses learned by an interface only.
To secure a port, you can set the maximum number of MAC addresses that can be learned by an interface.
[edit switch-options]
user@switch# set interface interface-name interface-mac-limit limit packet-action action
[edit routing-instances]
user@switch# set routing-instance-name switch-options interface interface-name interface-mac-limit limit
[edit switch-options]
user@switch# set interface-mac-limit limit
[edit routing-instances]
user@switch# set routing-instance-name switch-options interface-mac-limit limit
After you set a new MAC limit for the interface, the system clears existing entries in the MAC address forwarding table associated with the interface.
Limiting the Number of MAC Addresses Learned by a VLAN
To limit the number of MAC addresses learned by a VLAN, perform the following steps:
[edit vlans]
user@switch# set vlan-name switch-options mac-table-size limit packet-action action
Limiting the Number of MAC Addresses Learned by an Interface in a VLAN
To limit the number of MAC addresses learned by an interface in a VLAN, perform the following steps:
Adding a Static MAC Address Entry to the Ethernet Switching Table on a Switch with ELS Support
This task uses Junos OS for EX Series switches and Junos OS for QFX3500 and QFX3600 switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Adding a Static MAC Address Entry to the Ethernet Switching Table. For ELS details, see Using the Enhanced Layer 2 Software CLI.
The Ethernet switching table, also known as the forwarding table, specifies the known locations of VLAN nodes and the addresses of devices within those nodes. There are two ways to populate the Ethernet switching table on a switch. The easiest method is to let the switch update the table with MAC addresses.
The second way to populate the Ethernet switching table is to manually insert addresses into the table. You can do this to reduce flooding and speed up the switch’s automatic learning process.
Before configuring a static MAC address, be sure that you have:
Set up the VLAN. See Configuring VLANs for EX Series Switches with ELS Support (CLI Procedure).
To configure an interface to have a static MAC address:
[edit vlans vlan-name switch-options interface interface-name]
user@switch# set static-mac mac-address
Adding a Static MAC Address Entry to the Ethernet Switching Table
This task uses Junos OS for EX Series switches and Junos OS for QFX3500 and QFX3600 switches that do not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Adding a Static MAC Address Entry to the Ethernet Switching Table on a Switch with ELS Support. For ELS details, see Using the Enhanced Layer 2 Software CLI.
The Ethernet switching table, also known as the forwarding table, specifies the known locations of VLAN nodes. There are two ways to populate the Ethernet switching table on a switch. The easiest method is to let the switch update the table with MAC addresses.
The second way to populate the Ethernet switching table is to manually insert a VLAN node location into the table. You can do this to reduce flooding and speed up the switch’s automatic learning process. To further optimize the switching process, indicate the next hop (next interface) packets will use after leaving the node.
Before configuring a static MAC address, be sure that you have:
Set up the VLAN. See Configuring VLANs for EX Series Switches or Configuring VLANs on Switches.
To add a MAC address to the Ethernet switching table:
Specify the MAC address to add to the table:
[edit ethernet-switching-options]
set static vlan vlan-name mac mac-address
Indicate the next hop MAC address for packets sent to the indicated MAC address:
[edit ethernet-switching-options]
set static vlan vlan-name mac mac-address next-hop interface
Example: Configuring the Default Learning for Unknown MAC Addresses
This example shows how to configure the device to use only ARP requests to learn the outgoing interfaces for unknown destination MAC addresses.
Requirements
Before you begin, determine the MAC addresses and associated interfaces of the forwarding table. See Layer 2 Learning and Forwarding for VLANs Overview.
Overview
In this example, you configure the device to use only ARP queries without traceroute requests.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security flow ethernet-switching no-packet-flooding no-trace-route
Step-by-Step Procedure
To configure the device to use only ARP requests to learn unknown destination MAC addresses:
Enable the device.
[edit]
user@host# set security flow ethernet-switching no-packet-flooding no-trace-route
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Verification
To verify the configuration is working properly, enter the show security flow command.