Understanding MAC Limiting

 

MAC limiting protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on interfaces (ports).

MAC limiting sets a limit on the number of MAC addresses that can be learned dynamically on a single Layer 2 access interface or on all the Layer 2 access interfaces on the services gateway.

You configure the maximum number of dynamic MAC addresses allowed per interface. When the limit is exceeded, incoming packets with new MAC addresses are treated as specified by the configuration.

Starting with Junos OS Release 18.2R1, on SRX4100 and SRX4200 Series devices, the maximum range of MAC addresses configured on the VLAN interface is changed from 1 through 16383 to 1 through 5120. The short description of interface-mac-limit in the CLI, at the [edit vlans vlan-name switch-options] hierarchy level, is changed from "Maximum number of MAC addresses per interface (1..16383)" to "Maximum number of MAC addresses per interface (1..5120)". Prior to Junos OS Release 18.2R1, if you configure the value 16383, the commit operation fails.

You can choose to have one of the following actions performed when the MAC addresses limit is exceeded:

Note

Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, the log, none, and shutdown actions are not supported.

  • drop—Drop the packet and generate an alarm, an SNMP trap, or a system log entry. This is the default.

  • log—Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.

  • none—Take no action.

  • shutdown—Disable the interface and generate an alarm. If you have configured the services gateway with the port-error-disable statement, the disabled interface recovers automatically when the specified disable timeout expires. If you have not configured the services gateway for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching recovery-timeout command.

Note

MAC limit is applied only to new MAC learning requests. If you already have 10 learned MAC addresses and you configure the limit as 5, all the MACs will remain in the forwarding database (FDB) table. When the learned MAC addresses age out (or are cleared by the user with the clear ethernet-switching command), they are not relearned.

MAC limiting does not apply to static MAC addresses. Users can configure any number of static MAC addresses independent of MAC limiting and all of them are added to FDB.
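
The learning rules in the two paragraphs above, as an added Python model (not Juniper code and not part of the original page). It assumes the drop action and represents the FDB as two sets; the class and method names are hypothetical, and the MAC addresses are constructed sample values.

```python
# Toy model of per-interface MAC limiting with the "drop" action.
# Illustrative only: names are hypothetical, this is not Junos code.

class AccessPort:
    def __init__(self, mac_limit):
        self.mac_limit = mac_limit
        self.dynamic = set()  # dynamically learned source MACs
        self.static = set()   # static MACs, exempt from the limit
        self.drops = 0        # frames dropped because the limit was hit

    def add_static(self, mac):
        # Static entries are always added to the FDB.
        self.static.add(mac)

    def set_limit(self, new_limit):
        # Lowering the limit never evicts entries that are already learned.
        self.mac_limit = new_limit

    def age_out(self, mac):
        # Models aging or a manual clear of one dynamic entry.
        self.dynamic.discard(mac)

    def receive(self, src_mac):
        """Return True if the frame is accepted, False if it is dropped."""
        if src_mac in self.static or src_mac in self.dynamic:
            return True               # known MAC: no new learning request
        if len(self.dynamic) >= self.mac_limit:
            self.drops += 1           # new MAC while at or over the limit
            return False
        self.dynamic.add(src_mac)
        return True

    def fdb_size(self):
        return len(self.static | self.dynamic)


def lowered_limit_scenario():
    """10 MACs learned, limit lowered to 5, one entry ages out."""
    hosts = [f"00:00:5e:00:53:{i:02x}" for i in range(10)]  # constructed
    port = AccessPort(mac_limit=10)
    for mac in hosts:
        port.receive(mac)
    port.set_limit(5)
    kept = len(port.dynamic)              # entries stay in the FDB
    port.age_out(hosts[0])
    relearned = port.receive(hosts[0])    # 9 entries >= limit of 5
    for i in range(3):
        port.add_static(f"00:00:5e:00:53:f{i}")  # constructed static MACs
    return kept, relearned, port.fdb_size(), port.drops
```

In this model the aged-out host stays blocked until the dynamic entry count falls below the new limit, which is why lowering a limit on a busy port takes effect gradually rather than immediately.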

Note

Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, the maximum number of MAC addresses learned on all logical interfaces on the SRX1500 device is 24,575. When this limit is reached, incoming packets with a new source MAC address will be dropped.

Release History Table
Release
Description
Starting with Junos OS Release 18.2R1, on SRX4100 and SRX4200 Series devices, the maximum range of MAC addresses configured on the VLAN interface is changed from 1 through 16383 to 1 through 5120. The short description of interface-mac-limit in the CLI, at the [edit vlans vlan-name switch-options] hierarchy level, is changed from "Maximum number of MAC addresses per interface (1..16383)" to "Maximum number of MAC addresses per interface (1..5120)". Prior to Junos OS Release 18.2R1, if you configure the value 16383, the commit operation fails.
Starting in Junos OS Release 15.1X49-D40 and Junos OS Release 17.3R1, the log, none, and shutdown actions are not supported.