Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Understanding MAC Limiting and MAC Move Limiting

MAC limiting protects against flooding of the Ethernet switching table, and is enabled on Layer 2 interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing on access interfaces. It is enabled on VLANs.

  • MAC limiting enhances port security by limiting the number of MAC addresses that can be learned within a VLAN. Limiting the number of MAC addresses protects the switch from flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). Flooding occurs when the number of new MAC addresses that are learned causes the Ethernet switching table to overflow, and previously learned MAC addresses are flushed from the table. The switch then reverts to flooding the previously-learned MAC addresses, which can impact performance and introduce security vulnerabilities.

  • MAC move limiting provides additional security by controlling the number of MAC address moves that are allowed in a VLAN within one second. A MAC address move occurs when the switch receives a packet with a source MAC address that has already been learned by the switch, but on a different interface. The Ethernet switching table is then updated to reflect the association of the MAC address with the new interface. Because the Ethernet switching table must be updated for each MAC address move, frequent move events can lead to exhaustion of the switch’s processing resources. This might occur as the result of a MAC spoofing attack or a loop in the network.

MAC Limiting

With MAC limiting, you limit the MAC addresses that can be learned on Layer 2 access interfaces by either limiting the number of MAC addresses or by specifying allowed MAC addresses:

  • Limiting the number of MAC addresses—You configure the maximum number of MAC addresses that can be dynamically learned (added to the Ethernet switching table) per interface. You can specify that incoming packets with new MAC addresses be ignored, dropped, or logged when the limit is exceeded. You can also specify that the interface be shut down or temporarily disabled.

    Note:

    Static MAC addresses do not count toward the limit you specify for dynamic MAC addresses.

  • Specifying allowed MAC addresses—You configure the allowed MAC addresses for an interface. Any MAC address that is not in the list of configured addresses is not learned, and the switch logs an appropriate message. An allowed MAC address is bound to a VLAN so that the address is not registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.

MAC limiting is configured on Layer 2 interfaces. You can specify the maximum number of dynamic MAC addresses that can be learned on a single interface, all interfaces, or a specific interface on the basis of its membership within a VLAN (VLAN membership MAC limit).

When you are configuring the maximum MAC limit for an interface, you can choose the action that occurs on incoming packets when the MAC limit is exceeded. You can specify that incoming packets be ignored, dropped, or logged when the limit is exceeded. You can also specify that the interface be shut down or temporarily disabled.

MAC limiting is not enabled by default. For additional information about configuring MAC limit for an interface on a device that supports ELS, see Configuring MAC Limiting (ELS). For additional information about configuring MAC limit for an interface on a device that does not support Enhanced Layer 2 Software (ELS), see Configuring MAC Limiting (non-ELS).

See Using the Enhanced Layer 2 Software CLI for additional information on ELS.

MAC Move Limiting

With MAC move limiting, you limit the number of times a MAC address can move to a new interface within one second. When MAC move limiting is configured, MAC address movements are tracked by the switch. The first time a MAC address moves is always considered a good move and will not count toward the configured MAC move limit. Monitoring of MAC address moves comes into effect after the first move, even if the MAC move limit is configured as 1.

You configure MAC move limiting on a per-VLAN basis. Although you enable this feature on VLANs, the MAC move limit applies to the number of movements for each individual MAC address rather than the total number of MAC address moves in the VLAN. For example, if the MAC move limit is set to 1, the switch allows an unlimited number of MAC address movements within the VLAN as long as the same MAC address does not move more than once within a second.

You can configure an action to be taken if the MAC address move limit is exceeded. You can specify that incoming packets be ignored, dropped, or logged when the limit is exceeded. You can also specify that the interface be shut down or temporarily disabled.

MAC move limiting is not enabled by default. For additional information about configuring MAC move limiting on a device that does not support ELS, see Configuring MAC Move Limiting (non-ELS). For additional information about configuring MAC move limiting on a device that supports ELS, see Configuring MAC Move Limiting (ELS).

Actions for MAC Limiting and MAC Move Limiting

You can choose to have one of the following actions performed when the MAC limit or the MAC move limit is exceeded:

  • drop—Drop the packet, but do not generate an alarm.

  • drop-and-log—Drop the packet and generate an alarm, an SNMP trap, or system log entry.

  • log—Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.

  • none—Forward packets with new source MAC addresses, and learn the new source MAC address.

  • shutdown—Disable the interface in the VLAN and generate an alarm, an SNMP trap, or a system log entry.

  • vlan-member-shutdown—(EX9200 only) Starting in Junos OS Release 15.1 for MAC Limiting and MAC Move Limiting on EX9200 Switches, the vlan-member-shutdown statement is supported to block an interface on the basis of its membership in a specific VLAN and generate an alarm, an SNMP trap, or a system log entry.

In the event of shutdown, you can configure the switch to automatically restore the disabled interfaces to service after a specified period of time. To configure autorecovery on a device that supports ELS, see Configuring Autorecovery for Port Security Events. To configure autorecovery on a device that does not support ELS, see Configuring Autorecovery for Port Security Events.

Note:

To view system log entries for mac limit features, you will need to configure system logging with severity as log notice. See Overview of System Logging.

Note:

If you do not configure the switch for autorecovery from the disabled condition, you can bring up the disabled interfaces by running one of the following commands:

Note:

With existing dot1x sessions:

  • When we set the MAC limit for the first time, existing dot1x sessions are cleared and port moves to Connecting state.

  • When we increase the MAC limit, sessions are not cleared and port remains in Authenticated state.

  • When we decrease the MAC limit or delete the switch-options configs, existing dot1x sessions are cleared and port moves to Connecting state.

In summary, when interface MAC limit configured is lower than the number of MACs learnt, MAC flush happens. When interface MAC limit configured is greater than the number of MACs learnt, there is no impact

Note:

Commit checks have been introduced to prevent misconfiguration. Only interfaces configured for L2 will be allowed to be configured under any of these hierarchies.

  • set routing-instances <routing-instance-name> vlans <vlans-name> switch-options interface <interface-name>

  • set routing-instances <routing-instance-name> bridge-domains <bridge-domain-name> bridge-options interface <interface-name>

  • set vlans <vlans-name> switch-options interface <interface-name>

  • set bridge-domains <bridge-domain-name> bridge-options interface <interface-name>

  • set vlans <vlans-name> switch-options mac-move-limit interface <interface-name>

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
15.1
Starting in Junos OS Release 15.1 for MAC Limiting and MAC Move Limiting on EX9200 Switches, the vlan-member-shutdown statement is supported to block an interface on the basis of its membership in a specific VLAN and generate an alarm, an SNMP trap, or a system log entry.