
Configuring MAC Limiting

Configuring MAC Limiting (ELS)

This topic describes the different ways of configuring a limitation on MAC addresses in packets that are received and forwarded by the device.

Note:

The tasks presented in this section use Junos OS for EX Series switches, QFX3500 and QFX3600 switches, and PTX Series routers that support the Enhanced Layer 2 Software (ELS) configuration style. See Using the Enhanced Layer 2 Software CLI for more information about ELS configurations.

The different ways of setting a MAC limit are described in the following sections:

Limiting the Number of MAC Addresses Learned by an Interface

Note:

On PTX Series routers, you can limit the number of MAC addresses learned by an interface only.

To secure a port, you can set the maximum number of MAC addresses that can be learned by an interface.

Set the MAC limit on an interface, and specify an action that the device takes after the specified limit is exceeded:

  • If you want to set the MAC limit on an interface that is part of the default routing instance:
  • If you want to set the MAC limit on an interface that is part of a routing instance:
  • If you want to set the MAC limit on all interfaces that are part of the default routing instance:
  • If you want to set the MAC limit on all interfaces that are part of a routing instance:

After you set a new MAC limit for the interface, the system clears existing entries in the MAC address forwarding table associated with the interface.

Limiting the Number of MAC Addresses Learned by a VLAN

To limit the number of MAC addresses learned by a VLAN, perform the following steps:

Set the maximum number of MAC addresses that can be learned by a VLAN, and specify an action that the device takes after the specified limit is exceeded:

Limiting the Number of MAC Addresses Learned by an Interface in a VLAN

To limit the number of MAC addresses learned by an interface in a VLAN, perform the following steps:

  1. Set the maximum number of MAC addresses that can be learned by an interface in a VLAN, and specify an action that the device takes after the specified limit is exceeded:
  2. Set the maximum number of MAC addresses that can be learned by one or all interfaces in the VLAN, and specify an action that the device takes after the specified limit is exceeded:
    Note:

    If you specify a MAC limit and packet action for all interfaces in the VLAN and a specific interface in the VLAN, the MAC limit and packet action specified at the specific interface level takes precedence. Also, at the VLAN interface level, only the drop and drop-and-log options are supported.

    After you set new MAC limits for a VLAN by using the mac-table-size statement or for interfaces associated with a VLAN by using the interface-mac-limit statement, the system clears the corresponding existing entries in the MAC address forwarding table.

    Note:

    On a QFX Series Virtual Chassis, if you include the shutdown option at the [edit vlans vlan-name switch-options interface interface-name interface-mac-limit packet-action] hierarchy level and issue the commit operation, the system generates a commit error. The system does not generate an error if you include the shutdown option at the [edit switch-options interface interface-name interface-mac-limit packet-action] hierarchy level.
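The ELS statements described in this section, collected into one added example (this is not configuration from the original page; the interface name ge-0/0/1, VLAN v1, routing instance ri1 and the limit values are assumed):

```text
# Added example: ELS-style MAC limiting on an EX Series switch.
# ge-0/0/1, v1, ri1 and all limit values are assumed.

# Limit one interface in the default routing instance to 5 learned
# addresses; frames from any further source MAC are dropped.
set switch-options interface ge-0/0/1 interface-mac-limit 5 packet-action drop

# Same limit for every interface in the default routing instance.
set switch-options interface-mac-limit 5 packet-action drop

# Same two forms for an interface that belongs to routing instance ri1.
set routing-instances ri1 switch-options interface ge-0/0/2 interface-mac-limit 5 packet-action drop
set routing-instances ri1 switch-options interface-mac-limit 5 packet-action drop

# Cap the forwarding table of VLAN v1 at 100 entries.
set vlans v1 switch-options mac-table-size 100 packet-action drop

# Per-interface limits inside the VLAN: only drop and drop-and-log are
# valid at this level. The specific-interface statement takes precedence,
# so ge-0/0/1 in v1 gets limit 2 with drop-and-log, every other interface
# in v1 gets limit 10 with drop.
set vlans v1 switch-options interface-mac-limit 10 packet-action drop
set vlans v1 switch-options interface ge-0/0/1 interface-mac-limit 2 packet-action drop-and-log

commit

# After the commit the switch clears the affected forwarding-table entries,
# so this view is empty for ge-0/0/1 until addresses are relearned.
show ethernet-switching table interface ge-0/0/1
```

On a QFX Series Virtual Chassis, do not substitute `packet-action shutdown` in the `vlans v1 switch-options interface ge-0/0/1` line above; as the note explains, that combination produces a commit error.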

Configuring MAC Limiting (non-ELS)

This task uses Junos OS for EX Series switches and QFX3500 and QFX3600 switches that do not support the Enhanced Layer 2 Software (ELS) configuration style.

This topic describes various ways of configuring a limitation on MAC addresses in packets that are received and forwarded by the switch.

Before you can change a MAC limit that was previously set for an interface or a VLAN, you must first clear existing entries in the MAC address forwarding table that correspond to the change you want to make. Thus, to change the limit on an interface, first clear the MAC address forwarding table entries for that interface. To change the limit on all interfaces and VLANs, clear all MAC address forwarding table entries. To change the limit on a VLAN, clear the MAC address forwarding table entries for that VLAN.

To clear MAC addresses from the forwarding table:

  • Clear MAC address entries from a specific interface (here, the interface is ge-0/0/1) in the forwarding table:

  • Clear all MAC address entries in the forwarding table:

  • Clear MAC address entries from a specific VLAN (here, the VLAN is vlan-abc):

The different ways of setting a MAC limit are described in the following sections:

Limiting the Number of MAC Addresses That Can be Learned on Interfaces

To configure MAC limiting for port security by setting a maximum number of MAC addresses that can be learned on interfaces:

  • Apply the MAC limit on a single interface (here, the interface is ge-0/0/1):

    When no action is specified for configuring the MAC limit on an interface, the device performs the default action drop if the limit is exceeded.

  • Apply the MAC limit on a single access interface, on the basis of its membership within a specific VLAN (here, the interface is ge-0/0/1 and the VLAN is v1):

    With this type of configuration, the device drops any additional packets if the limit is exceeded, and also logs a message.

  • Apply the limit to all access interfaces:

    When no action is specified for configuring the MAC limit on all interfaces, the device performs the default action drop if the limit is exceeded.

Specifying MAC Addresses That Are Allowed

You must clear existing entries in the MAC address forwarding table prior to changing the MAC address limit.

To configure MAC limiting for port security by specifying allowed MAC addresses:

  • On a single interface (here, the interface is ge-0/0/2):
  • On all interfaces:

Configuring MAC Limiting for VLANs

You must clear existing entries in the MAC address forwarding table before you can change the MAC address limit.

MAC limiting for a VLAN restricts the MAC addresses that can be learned for that VLAN, but does not drop the packet. Therefore, setting the MAC limit on a VLAN is not considered a port-security feature.

Note:

The configuration of specific allowed MAC addresses does not apply to VLANs.

To configure MAC limiting for a VLAN using the CLI:

Limit the number of dynamic MAC addresses on a VLAN:

If the MAC limit on a specific VLAN is exceeded, the device logs the MAC addresses of packets that cause the limit to be exceeded. No other action is possible.

Note:

When you are applying a MAC limit on a VLAN, do not set mac-limit to 1 for a VLAN composed of Routed VLAN Interfaces (RVIs) or a VLAN composed of aggregated Ethernet bundles using LACP. In these cases, setting the mac-limit to 1 prevents the device from learning MAC addresses other than the automatic addresses:

  • For RVIs, the first MAC address inserted into the forwarding database is the MAC address of the RVI.

  • For aggregated Ethernet bundles using LACP, the first MAC address inserted into the forwarding table is the source address of the LACP protocol packet.

If the VLAN is composed of regular access or trunk interfaces, you can set the mac-limit to 1 if you choose to do so.
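The non-ELS procedure from the sections above (clearing the table, then setting interface limits, allowed addresses and a VLAN limit) as one added example; it is not configuration from the original page, and the interface names, VLAN names, MAC addresses and limit values are assumed:

```text
# Added example: non-ELS MAC limiting on an EX Series switch.
# ge-0/0/1, ge-0/0/2, vlan-abc, the MAC addresses and limits are assumed.

# 1. Clear the forwarding-table entries that correspond to the limit you
#    are about to change. Required before changing an existing limit.
clear ethernet-switching table interface ge-0/0/1
clear ethernet-switching table vlan vlan-abc
# To change limits on all interfaces and VLANs, clear everything instead:
clear ethernet-switching table

# 2. Dynamic limit on one access interface. No action is given, so the
#    switch uses the default action, drop.
set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 4

# 3. Dynamic limit on all access interfaces, shutting the port down when
#    the limit is exceeded (pair with autorecovery if you use shutdown).
set ethernet-switching-options secure-access-port interface all mac-limit 4 action shutdown

# 4. Allowed (static) addresses on ge-0/0/2: any source MAC not in this
#    list is not learned. Values are constructed for the example.
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3a:82:80
set ethernet-switching-options secure-access-port interface ge-0/0/2 allowed-mac 00:05:85:3a:82:81

# 5. Per-VLAN limit. This only logs the offending addresses; it never drops
#    the packet, so it is not a port-security control by itself. Keep the
#    value above 1 if vlan-abc contains an RVI or an LACP bundle.
set ethernet-switching-options secure-access-port vlan vlan-abc mac-limit 5

commit

# Confirm which addresses were actually learned on the limited port.
show ethernet-switching table interface ge-0/0/1
```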

Configuring MAC Limiting on MX Series Routers

This topic describes the different ways of configuring a limitation on MAC addresses in packets that are received and forwarded by MX Series routers.

Limiting the Number of MAC Addresses Learned by an Interface

To secure a port, you can set the maximum number of MAC addresses that can be learned by an interface.

MX Series routers support only the drop action. If the action is not specified, the router performs the default action drop if the limit is exceeded.

Set the MAC limit on an interface, and specify the action that the router takes after the specified limit is exceeded:

  • If you want to set the MAC limit on an interface that is part of the default routing instance:
  • If you want to set the MAC limit on an interface that is part of a routing instance:
  • If you want to set the MAC limit on all interfaces that are part of the default routing instance:
  • If you want to set the MAC limit on all interfaces that are part of a routing instance:

After you set a new MAC limit for the interface, the system clears existing entries in the MAC address forwarding table associated with the interface.

Limiting the Number of MAC Addresses Learned by a Bridge Domain

To limit the number of MAC addresses learned by a bridge domain, perform the following steps:

Set the maximum number of MAC addresses that can be learned by a bridge domain, and specify an action that the device takes after the specified limit is exceeded:

Limiting the Number of MAC Addresses Learned by an Interface in a Bridge Domain

To limit the number of MAC addresses learned by an interface in a bridge domain, perform the following steps:

  1. Set the maximum number of MAC addresses that can be learned by an interface in a bridge domain, and specify an action that the device takes after the specified limit is exceeded:
  2. Set the maximum number of MAC addresses that can be learned by one or all interfaces in the bridge domain, and specify an action that the device takes after the specified limit is exceeded:
    Note:

    If you specify a MAC limit and packet action for all interfaces in the bridge domain and a specific interface in the bridge domain, the MAC limit and packet action specified at the specific interface level takes precedence. Also, at the bridge domain interface level, only the drop option is supported.
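The bridge-domain form of MAC limiting on an MX Series router, as an added example that is not configuration from the original page; bridge domain bd1, interface ge-0/0/1.0 (assumed to already carry family bridge) and the limit values are assumed:

```text
# Added example: MAC limiting on an MX Series router. bd1, ge-0/0/1.0 and
# the limit values are assumed. MX supports only the drop action, so every
# packet-action below is drop.

# Bridge domain with one member interface.
set bridge-domains bd1 domain-type bridge
set bridge-domains bd1 vlan-id 100
set bridge-domains bd1 interface ge-0/0/1.0

# Cap the whole bridge domain's MAC table at 100 entries.
set bridge-domains bd1 bridge-options mac-table-size 100 packet-action drop

# Default per-interface limit for every interface in bd1.
set bridge-domains bd1 bridge-options interface-mac-limit 10 packet-action drop

# Tighter limit for one interface; the specific-interface statement wins
# over the all-interfaces statement, so ge-0/0/1.0 is limited to 3.
set bridge-domains bd1 bridge-options interface ge-0/0/1.0 interface-mac-limit 3 packet-action drop

commit

# Check the learned entries against the limits.
show bridge mac-table bridge-domain bd1
```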

Configuring MAC Limiting (J-Web Procedure)

MAC limiting protects against flooding of the Ethernet switching table on an EX Series switch. MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port).

Junos OS provides two MAC limiting methods:

  • Maximum number of dynamic MAC addresses allowed per interface—If the limit is exceeded, incoming packets with new MAC addresses are dropped.

  • Specific “allowed” MAC addresses for the access interface—Any MAC address that is not in the list of configured addresses is not learned.

You configure MAC limiting for each interface, not for each VLAN. You can specify the maximum number of dynamic MAC addresses that can be learned on a single Layer 2 access interface or on all Layer 2 access interfaces. The default action that the switch will take if that maximum number is exceeded is drop—drop the packet and generate an alarm, an SNMP trap, or a system log entry.

To enable MAC limiting on one or more interfaces using the J-Web interface:

  1. Select Configure>Security>Port Security.
  2. Select one or more interfaces from the Interface List.
  3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.
  4. To set a dynamic MAC limit:
    1. Type a limit value in the MAC Limit box.

    2. Select an action from the MAC Limit Action box (optional). The switch takes this action when the MAC limit is exceeded. If you do not select an action, the switch applies the default action, drop.

      • Log—Generate a system log entry.

      • Drop—Drop the packets and generate a system log entry. (Default)

      • Shutdown—Shut down the VLAN and generate a system log entry. You can mitigate the effect of this option by configuring the switch for autorecovery from the disabled state and specifying a disable timeout value.

      • None—No action to be taken.

  5. To add allowed MAC addresses:
    1. Click Add.

    2. Type the allowed MAC address and click OK.

    Repeat this step to add more allowed MAC addresses.

  6. Click OK when you have finished setting MAC limits.
  7. Click OK after the configuration has been successfully delivered.
Note:

You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs or interfaces (ports), a message asking whether you want to enable port security appears.