ON THIS PAGE
Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly
Verifying That MAC Limiting for a Specific Interface Within a Specific VLAN Is Working Correctly
Verifying Results of Various Action Settings When the MAC Limit Is Exceeded
Customizing the Ethernet Switching Table Display to View Information for a Specific Interface
Verifying That MAC Limiting Is Working Correctly
MAC limiting protects against flooding of the Ethernet switching table by setting a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port)..
Junos OS provides two methods for MAC limiting for port security:
-
Maximum number of MAC addresses—You configure the maximum number of dynamic MAC addresses allowed per interface. When the limit is exceeded, incoming packets with new MAC addresses can be ignored, dropped, or logged. You can also specify that the interface be shut down or temporarily disabled.
-
Allowed MAC addresses—You configure specific “allowed” MAC addresses for the access interface. Any MAC address that is not in the list of configured addresses is not learned, and the switch logs an appropriate message. The allowed MAC method binds MAC addresses to a VLAN so that the address is not registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.
Junos OS also allows you to set a MAC limit on VLANs. However, setting a MAC limit on VLANs is not considered a port security feature, because the switch does not prevent incoming packets that cause the MAC limit to be exceeded from being forwarded; it only logs the MAC addresses of these packets.
The information in this topic is for non-ELS platforms. For ELS platforms, refer Configuring MAC Limiting (ELS) to read on MAC limiting.
Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly
Purpose
Verify that MAC limiting for dynamic MAC addresses is working on the switch.
Action
Display the MAC addresses that have been learned. The following sample output shows the results when two packets were sent from hosts on ge-0/0/1 and five packets requests were sent from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 with the default action drop:
user@switch> show ethernet-switching table Ethernet-switching table: 7 entries, 6 learned VLAN MAC address Type Age Interfaces employee-vlan * Flood - ge-0/0/2.0 employee-vlan 00:05:85:3A:82:77 Learn 0 ge-0/0/1.0 employee-vlan 00:05:85:3A:82:79 Learn 0 ge-0/0/1.0 employee-vlan 00:05:85:3A:82:80 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:81 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:83 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:85 Learn 0 ge-0/0/2.0
Meaning
The sample output shows that with a MAC limit of 4 for each interface, the packet for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. The address was not learned, and thus an asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.
Verifying That MAC Limiting for a Specific Interface Within a Specific VLAN Is Working Correctly
Purpose
Verify that MAC limiting for a specific interface based on its membership within a specific VLAN is working on the switch.
Action
Display the detailed statistics for MAC addresses that have been learned:
user@switch> show ethernet-switching statistics mac-learning interface ge-0/0/28 detail
Interface: ge-0/0/28.0
Learning message from local packets: 0
Learning message from transit packets: 5
Learning message with error: 0
Invalid VLAN: 0 Invalid MAC: 0
Security violation: 0 Interface down: 0
Incorrect membership: 0 Interface limit: 0
MAC move limit: 0 VLAN limit: 0
VLAN membership limit: 20
Invalid VLAN index: 0 Interface not learning: 0
No nexthop: 0 MAC learning disabled: 0
Others: 0
Meaning
The VLAN membership limit shows the number of packets that were dropped
because of the VLAN membership MAC limit for interface ge-0/0/28.0 was exceeded. In this
case, 20 packets were dropped.
Verifying That Allowed MAC Addresses Are Working Correctly
Purpose
Verify that allowed MAC addresses are working on the switch.
Action
Display the MAC address cache information after allowed MAC addresses have been configured on an interface. The following sample shows the MAC address cache after 5 allowed MAC addresses were on interface ge-0/0/2. In this instance, the interface was also set to a dynamic MAC limit of 4 with the default action drop.
user@switch> show ethernet-switching table Ethernet-switching table: 5 entries, 4 learned VLAN MAC address Type Age Interfaces employee-vlan 00:05:85:3A:82:80 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:81 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:83 Learn 0 ge-0/0/2.0 employee-vlan 00:05:85:3A:82:85 Learn 0 ge-0/0/2.0 employee-vlan * Flood - ge-0/0/2.0
Meaning
Because the MAC limit value for this interface was set to 4, only four of the five configured allowed addresses were learned and thus added to the MAC address cache. Because the fifth address was not learned, an asterisk (*) rather than an address appears in the MAC address column in the last line of the sample output.
Verifying Results of Various Action Settings When the MAC Limit Is Exceeded
Purpose
Verify the results provided by the various action settings for MAC limits—drop, log, shutdown and none—when the limits are exceeded.
Action
Display the results of the various action settings.
You can view log messages by using the show log messages command. You
can also have the log messages displayed by configuring the monitor start messages with
the monitor start messages command.
-
drop action—For MAC limiting configured with a drop action and with the MAC limit set to 5:
user@switch> show ethernet-switching table Ethernet-switching table: 6 entries, 5 learned VLAN MAC address Type Age Interfaces employee—vlan * Flood - ge-0/0/2.0 employee—vlan 00:05:85:3A:82:80 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:81 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:83 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:85 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:88 Learn 0 ge-0/0/2.0
-
log action—For MAC limiting configured with a log action and with MAC limit set to 5:
user@switch> show ethernet-switching table Ethernet-switching table: 74 entries, 73 learned VLAN MAC address Type Age Interfaces employee—vlan * Flood - ge-0/0/2.0 employee—vlan 00:05:85:3A:82:80 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:81 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:82 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:83 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:84 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:85 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:87 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:88 Learn 0 ge-0/0/2.0 . . .
-
shutdown action—For MAC limiting configured with a shutdown action and with MAC limit set to 3:
user@switch> show ethernet-switching table Ethernet-switching table: 4 entries, 3 learned VLAN MAC address Type Age Interfaces employee—vlan * Flood - ge-0/0/2.0 employee—vlan 00:05:85:3A:82:82 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:84 Learn 0 ge-0/0/2.0 employee—vlan 00:05:85:3A:82:87 Learn 0 ge-0/0/2.0
-
none action—If you set a MAC limit to apply to all interfaces on the switch, you can override that setting for a particular interface by specifying this action for that interface. See Override a MAC Limit Applied to All Interfaces.
Meaning
For the drop action results—The sixth MAC address exceeded the MAC limit. The request packet for that address was dropped. Only five MAC addresses have been learned on ge-0/0/2.
For the log action results—The sixth MAC address exceeded the MAC limit. No MAC addresses were blocked.
For the shutdown action results—The fourth MAC address exceeded the MAC limit. Only three MAC addresses have been learned on ge-0/0/2. The interface ge-0/0/1 is shut down.
For more information about interfaces that have been shut down, use the show
ethernet-switching interfaces command.
user@switch> show ethernet-switching interfaces Interface State VLAN members Tag Tagging Blocking bme0.32770 down mgmt untagged unblocked ge-1/0/0.0 down v1 untagged MAC limit exceeded ge-1/0/1.0 up v1 untagged unblocked ge-1/0/2.0 up v1 untagged unblocked me0.0 up mgmt untagged unblocked
You can configure the switch to recover automatically from this type of error condition
by specifying the port-error-disable statement with a
disable timeout value. The switch automatically restores the
disabled interface to service when the disable timeout expires. The
port-error-disable configuration does not apply to already
existing error conditions. It impacts only error conditions that are detected after
port-error-disable has been enabled and committed. To clear an
already existing error condition and restore the interface to service, use the
clear ethernet-switching port-error
command.
Verifying That Interfaces Are Shut Down
Purpose
Verify that an interface is shut down when the MAC limit is exceeded.
Action
For more information about interfaces that have been shut down because the MAC limit was
exceeded, use the show ethernet-switching interfaces command.
user@switch> show ethernet-switching interfaces Interface State VLAN members Tag Tagging Blocking bme0.32770 down mgmt untagged unblocked xe-0/0/0.0 down v1 untagged MAC limit exceeded xe- 0/0/1.0 up v1 untagged unblocked xe-0/0/2.0 up v1 untagged unblocked me0.0 up mgmt untagged unblocked
You can configure interfaces to recover automatically when the MAC limit has been
exceeded by specifying the port-error-disable statement with a
disable timeout value. The switch automatically restores the
disabled interface to service when the disable timeout expires. The
port-error-disable configuration does not apply to preexisting
error conditions—it affects only error conditions that are detected after the
port-error-disable statement has been enabled and the configuration
has been committed. To clear a preexisting error condition and restore the interface to
service, use the
clear ethernet-switching port-error
command.
Customizing the Ethernet Switching Table Display to View Information for a Specific Interface
Purpose
You can use the show ethernet-switching table command to view
information about the MAC addresses learned on a specific interface.
Action
For example, to display the MAC addresses learned on ge-0/0/2 interface, type:
user@switch> show ethernet-switching table interface ge-0/0/2.0 Ethernet-switching table: 1 unicast entries VLAN MAC address Type Age Interfaces v1 * Flood - All-members v1 00:00:06:00:00:00 Learn 0 ge-2/0/0.0
Meaning
The MAC limit value for ge-0/0/2 was set to 1, and the output shows that only one MAC address was learned and thus added to the MAC address cache. An asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.