Example: Configuring MAC Limiting on a Security Device
This example shows how to configure port security features by setting a MAC limit of 5.
Requirements
Before you begin, verify that the interfaces that will be used are in switch mode. See Example: Configuring Switching Modes on Security Devices and Understanding Switching Modes on Security Devices.
Overview
MAC limiting protects against flooding of the Ethernet switching table on the SRX Series Services Gateways. MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port).
CLI Quick Configuration
To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
[edit]
set switch-options interface ge-0/0/1 interface-mac-limit 5
set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AA
set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AB
set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AC
Configuration
Step-by-Step Procedure
Because no action is specified, the device applies the default action, drop, when the limit is exceeded:
- Set the MAC limit on a single interface (here, ge-0/0/1):
[edit]
user@host# set switch-options interface ge-0/0/1 interface-mac-limit 5
- To restrict an interface to specific source MAC addresses, configure a source-address filter on it (here, ge-0/0/2). With the filter in place, ge-0/0/2 accepts frames only from the listed source MAC addresses:
[edit]
user@host# set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AA
user@host# set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AB
user@host# set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AC
- Enter commit from configuration mode.
Verification
Verifying That MAC Limiting Is Working Correctly on the Services Gateway
Purpose
Verify that MAC limiting is working on the services gateway.
Action
Display the learned MAC addresses. The following sample output shows the results when two packets were sent from hosts on ge-0/0/1 and five packets were sent from hosts on ge-0/0/2. Note that this sample was captured with both interfaces set to a MAC limit of 4 and the action drop, not the limit of 5 configured in this example:
user@host> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
  VLAN              MAC address        Type    Age  Interfaces
  employee-vlan     *                  Flood   -    ge-0/0/2.0
  employee-vlan     00:00:5E:00:00     Learn   0    ge-0/0/1.0
  employee-vlan     00:00:5E:00:AA     Learn   0    ge-0/0/1.0
  employee-vlan     00:00:5E:00:AB     Learn   0    ge-0/0/2.0
  employee-vlan     00:00:5E:00:AC     Learn   0    ge-0/0/2.0
  employee-vlan     00:00:5E:00:AD     Learn   0    ge-0/0/2.0
  employee-vlan     00:00:5E:00:AE     Learn   0    ge-0/0/2.0
Meaning
The sample output shows that with a MAC limit of 4 for each interface, only four addresses (00:00:5E:00:AB through 00:00:5E:00:AE) were learned on ge-0/0/2.0; the packet carrying a fifth source MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. That address was not learned, and thus an asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.
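The following Python script is added here as an example and is not Juniper's code. It turns the two halves of this procedure into something checkable: render_config() emits the set commands for a limit/allowlist policy in the syntax used in the quick configuration above, and audit() parses show ethernet-switching table output and reports ports that have reached their MAC limit and addresses learned on a filtered port that are not in its source-address-filter list. The column layout assumed is the one in the sample output above, which is embedded as constructed input; the port and address values are the ones from this example. Run against that sample with the limit of 4 that was in effect when it was captured, it reports ge-0/0/2 at its limit and flags 00:00:5E:00:AD and 00:00:5E:00:AE, which are not in the filter list this example configures, so a practitioner can see at once that a filtered port is learning addresses the filter should have blocked.

```python
import re
from collections import defaultdict

# Constructed sample: the switching-table output shown in the Verification
# section, captured with a MAC limit of 4 on both interfaces.
SAMPLE_OUTPUT = """\
Ethernet-switching table: 7 entries, 6 learned
  VLAN              MAC address        Type    Age  Interfaces
  employee-vlan     *                  Flood   -    ge-0/0/2.0
  employee-vlan     00:00:5E:00:00     Learn   0    ge-0/0/1.0
  employee-vlan     00:00:5E:00:AA     Learn   0    ge-0/0/1.0
  employee-vlan     00:00:5E:00:AB     Learn   0    ge-0/0/2.0
  employee-vlan     00:00:5E:00:AC     Learn   0    ge-0/0/2.0
  employee-vlan     00:00:5E:00:AD     Learn   0    ge-0/0/2.0
  employee-vlan     00:00:5E:00:AE     Learn   0    ge-0/0/2.0
"""

# Policy as configured in this example (values taken from the quick
# configuration above; adjust to your own ports and hosts).
MAC_LIMITS = {"ge-0/0/1": 5}
ALLOWLISTS = {"ge-0/0/2": ["00:00:5E:00:AA", "00:00:5E:00:AB", "00:00:5E:00:AC"]}

# One table row: VLAN, MAC (or "*" for the flood entry), Type, Age, logical interface.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(Learn|Static|Flood)\s+(\S+)\s+(\S+)\s*$")


def render_config(limits, allowlists):
    """Emit the set commands for the given per-port limits and filter lists."""
    cmds = [f"set switch-options interface {port} interface-mac-limit {n}"
            for port, n in sorted(limits.items())]
    for port, macs in sorted(allowlists.items()):
        for mac in macs:
            cmds.append(f"set interfaces {port} ether-options source-address-filter {mac}")
    return cmds


def parse_table(text):
    """Return (vlan, mac, type, age, ifl) tuples for each entry row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def port_of(ifl):
    """ge-0/0/2.0 -> ge-0/0/2 (the MAC limit is set on the physical port)."""
    return ifl.split(".", 1)[0]


def learned_per_port(rows):
    """Count dynamically learned (Type == Learn) addresses per physical port."""
    macs = defaultdict(set)
    for _vlan, mac, typ, _age, ifl in rows:
        if typ == "Learn":
            macs[port_of(ifl)].add(mac.upper())
    return {port: len(s) for port, s in macs.items()}


def audit(text, limits, allowlists):
    """Return (port, finding, detail) tuples.

    finding is "limit-reached" when a port has learned as many addresses as
    its limit allows (any further address will be dropped), or
    "unexpected-mac" when a port with a source-address filter has learned an
    address that is not in its list.
    """
    rows = parse_table(text)
    findings = []
    for port, n in sorted(learned_per_port(rows).items()):
        limit = limits.get(port)
        if limit is not None and n >= limit:
            findings.append((port, "limit-reached", f"{n} learned, limit {limit}"))
    for _vlan, mac, typ, _age, ifl in rows:
        port = port_of(ifl)
        if typ == "Learn" and port in allowlists:
            allowed = {a.upper() for a in allowlists[port]}
            if mac.upper() not in allowed:
                findings.append((port, "unexpected-mac", mac))
    return findings


if __name__ == "__main__":
    print("\n".join(render_config(MAC_LIMITS, ALLOWLISTS)))
    # Audit the sample with the limit of 4 that was in effect when it was taken.
    for finding in audit(SAMPLE_OUTPUT, {"ge-0/0/1": 4, "ge-0/0/2": 4}, ALLOWLISTS):
        print(*finding)
```

Feed audit() the output of show ethernet-switching table from your own device and the limits and filter lists you committed; a "limit-reached" finding means the next new source address on that port will be dropped, and an "unexpected-mac" finding means the filter is not doing what you expect (for instance, it was committed on the wrong port).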