Verifying That MAC Limiting Is Working Correctly
MAC limiting protects against flooding of the Ethernet switching table by setting a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port).
Junos OS provides two MAC limiting methods:
Maximum number of MAC addresses—You configure the maximum number of dynamic MAC addresses allowed per interface. When the limit is exceeded, incoming packets with new MAC addresses can be ignored, dropped, or logged. You can also specify that the interface be shut down or temporarily disabled.
Allowed MAC addresses—You configure specific “allowed” MAC addresses for the access interface. Any MAC address that is not in the list of configured addresses is not learned, and the switch logs an appropriate message. The allowed MAC method binds MAC addresses to a VLAN so that the address is not registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.
This topic includes the following tasks:
  Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly
  Verifying That Allowed MAC Addresses Are Working Correctly
  Verifying That Interfaces Are Shut Down
  Customizing the Ethernet Switching Table Display to View Information for a Specific Interface
Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly
Verify that MAC limiting for dynamic MAC addresses is working.
Display the MAC addresses that have been learned. The following sample output shows the results of sending two packets from hosts connected to xe-1:0/0/1 and five packets from hosts connected to xe-1:0/0/2, with both interfaces configured with a MAC limit of 4 and the drop action:
user@switch> show ethernet-switching table
Ethernet-switching table: 7 entries, 6 learned
  VLAN              MAC address        Type    Age   Interfaces
  employee-vlan     *                  Flood   -     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:77  Learn   0     xe-1:0/0/1.0
  employee-vlan     00:05:85:3A:82:79  Learn   0     xe-1:0/0/1.0
  employee-vlan     00:05:85:3A:82:80  Learn   0     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:81  Learn   0     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:83  Learn   0     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:85  Learn   0     xe-1:0/0/2.0
The output shows that the fifth packet received on the xe-1:0/0/2 interface was dropped because it exceeded the MAC limit for that interface. The address was not learned, and thus an asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.
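The check described above can be automated by parsing the show ethernet-switching table output and comparing the per-interface count of learned addresses against the configured limit. The following Python script is an added example, not Juniper code; the sample text it parses is the page's own output re-laid out one entry per line, and the per-interface limits (SAMPLE_LIMITS) are assumed to match the scenario in the text.

```python
import re
from collections import Counter

# Constructed sample input: the page's "show ethernet-switching table" output,
# re-laid out as the CLI prints it (one entry per line).
SAMPLE_TABLE = """\
Ethernet-switching table: 7 entries, 6 learned
  VLAN              MAC address        Type    Age   Interfaces
  employee-vlan     *                  Flood   -     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:77  Learn   0     xe-1:0/0/1.0
  employee-vlan     00:05:85:3A:82:79  Learn   0     xe-1:0/0/1.0
  employee-vlan     00:05:85:3A:82:80  Learn   0     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:81  Learn   0     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:83  Learn   0     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:85  Learn   0     xe-1:0/0/2.0
"""

# Assumed MAC limit per interface (matches the scenario described in the text).
SAMPLE_LIMITS = {"xe-1:0/0/1.0": 4, "xe-1:0/0/2.0": 4}

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_switching_table(text):
    """Turn table rows into dicts; the summary line and column header are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly five columns; the header has six ("MAC address").
        if len(fields) != 5 or fields[0] == "VLAN":
            continue
        vlan, mac, kind, age, iface = fields
        if mac != "*" and not MAC_RE.match(mac):
            continue  # not a table row we recognise
        entries.append({"vlan": vlan, "mac": mac.upper(), "type": kind,
                        "age": age, "interface": iface})
    return entries


def learned_per_interface(entries):
    """Count dynamically learned (Type == Learn) addresses per interface."""
    return Counter(e["interface"] for e in entries if e["type"] == "Learn")


def unlearned_interfaces(entries):
    """Interfaces carrying a '*' Flood entry: traffic arrived from an address the
    switch refused to learn (the sign of a hit MAC limit on this page)."""
    return {e["interface"] for e in entries
            if e["mac"] == "*" and e["type"] == "Flood"}


def check_mac_limits(text, limits):
    """Report, per configured interface, how full the limit is and whether an
    unlearned address has already been seen on it."""
    entries = parse_switching_table(text)
    learned = learned_per_interface(entries)
    unlearned = unlearned_interfaces(entries)
    report = {}
    for iface, limit in limits.items():
        n = learned.get(iface, 0)
        report[iface] = {
            "learned": n,
            "limit": limit,
            "at_limit": n >= limit,
            "unlearned_seen": iface in unlearned,
        }
    return report


if __name__ == "__main__":
    for iface, r in check_mac_limits(SAMPLE_TABLE, SAMPLE_LIMITS).items():
        hit = r["at_limit"] and r["unlearned_seen"]
        flag = "LIMIT HIT, new addresses dropped" if hit else "ok"
        print(f"{iface}: {r['learned']}/{r['limit']} learned: {flag}")
```

On the page's sample this reports xe-1:0/0/1.0 as 2/4 learned and xe-1:0/0/2.0 as 4/4 learned with an unlearned address seen, which is exactly the condition the text describes for the dropped fifth packet. Run periodically, the at_limit flag on its own is an early warning that an access port is filling up before any traffic is dropped.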
Verifying That Allowed MAC Addresses Are Working Correctly
Verify that allowed MAC addresses are working.
Display the MAC cache information after allowed MAC addresses have been configured on an interface. The following sample shows the MAC cache after four allowed MAC addresses had been configured on interface xe-1:0/0/2 and a fifth MAC address appeared on the interface.
user@switch> show ethernet-switching table
Ethernet-switching table: 5 entries, 4 learned
  VLAN              MAC address        Type    Age   Interfaces
  employee-vlan     00:05:85:3A:82:80  Learn   0     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:81  Learn   0     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:83  Learn   0     xe-1:0/0/2.0
  employee-vlan     00:05:85:3A:82:85  Learn   0     xe-1:0/0/2.0
  employee-vlan     *                  Flood   -     xe-1:0/0/2.0
Because the fifth address was not allowed, it was not learned, and an asterisk (*) rather than an address appears in the MAC address column in the last line of the sample output.
Verifying That Interfaces Are Shut Down
Verify that an interface is shut down when the MAC limit is exceeded.
For more information about interfaces that have been shut down because the MAC limit was exceeded, use the show ethernet-switching interfaces command.
user@switch> show ethernet-switching interfaces
Interface     State  VLAN members  Tag  Tagging   Blocking
bme0.32770    down   mgmt               untagged  unblocked
xe-0/0/0.0    down   v1                 untagged  MAC limit exceeded
xe-0/0/1.0    up     v1                 untagged  unblocked
xe-0/0/2.0    up     v1                 untagged  unblocked
me0.0         up     mgmt               untagged  unblocked
You can configure interfaces to recover automatically when the MAC limit has been exceeded by specifying the port-error-disable statement with a disable timeout value. The switch automatically restores the disabled interface to service when the disable timeout expires. The port-error-disable configuration does not apply to preexisting error conditions—it affects only error conditions that are detected after the port-error-disable statement has been enabled and the configuration has been committed. To clear a preexisting error condition and restore the interface to service, use the clear ethernet-switching port-error command.
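Ports that the switch has error-disabled for exceeding the MAC limit are easy to miss in a long interface listing, so it is worth extracting them from the show ethernet-switching interfaces output. The following Python script is an added example, not Juniper code; it parses the page's sample output (re-laid out one interface per line) and assumes the column layout shown there, where the Tag column is empty for untagged ports and the Blocking column may contain several words.

```python
# Constructed sample input: the page's "show ethernet-switching interfaces"
# output, re-laid out one interface per line.
SAMPLE_INTERFACES = """\
Interface     State  VLAN members  Tag  Tagging   Blocking
bme0.32770    down   mgmt               untagged  unblocked
xe-0/0/0.0    down   v1                 untagged  MAC limit exceeded
xe-0/0/1.0    up     v1                 untagged  unblocked
xe-0/0/2.0    up     v1                 untagged  unblocked
me0.0         up     mgmt               untagged  unblocked
"""

MAC_LIMIT_EXCEEDED = "MAC limit exceeded"


def parse_interfaces(text):
    """Parse one row per interface.

    Assumption about the layout (taken from the page's sample): the first three
    columns are interface, state and VLAN; the Tag column may be empty, so the
    Tagging keyword ("tagged"/"untagged") is located by value and everything
    after it is the Blocking column, which can span several words.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Interface":
            continue
        try:
            t = next(i for i, f in enumerate(fields) if f in ("tagged", "untagged"))
        except StopIteration:
            continue  # not a row in the expected layout
        rows.append({
            "interface": fields[0],
            "state": fields[1],
            "vlan": fields[2],
            "tagging": fields[t],
            "blocking": " ".join(fields[t + 1:]),
        })
    return rows


def mac_limit_exceeded(text):
    """Interfaces the switch blocked because their MAC limit was exceeded."""
    return [r["interface"] for r in parse_interfaces(text)
            if r["blocking"] == MAC_LIMIT_EXCEEDED]


def interfaces_needing_clear(text):
    """Blocked interfaces that are also down. These stay down until the
    port-error-disable timeout expires (if one is configured) or an operator
    runs 'clear ethernet-switching port-error'."""
    return [r["interface"] for r in parse_interfaces(text)
            if r["blocking"] == MAC_LIMIT_EXCEEDED and r["state"] == "down"]


if __name__ == "__main__":
    for iface in mac_limit_exceeded(SAMPLE_INTERFACES):
        print(f"{iface}: blocked, MAC limit exceeded")
    for iface in interfaces_needing_clear(SAMPLE_INTERFACES):
        print(f"{iface}: down; clear with 'clear ethernet-switching port-error'")
```

On the sample above only xe-0/0/0.0 is reported. Feeding the script the output of a scheduled collection is one way to notice repeated error-disable events on the same port, which is more useful as a signal than the single snapshot the command gives you.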
Customizing the Ethernet Switching Table Display to View Information for a Specific Interface
You can use the show ethernet-switching table command to view information for a specific interface.
For example, to display the MAC addresses that have been learned on the xe-0/0/2 interface, enter:
user@switch> show ethernet-switching table interface xe-0/0/2.0
Ethernet-switching table: 1 unicast entries
  VLAN   MAC address        Type    Age   Interfaces
  v1     *                  Flood   -     All-members
  v1     00:00:06:00:00:00  Learn   0     xe-0/0/2.0
The MAC limit value for the xe-0/0/2 interface had been set to 1, and the output shows that only one MAC address was learned and added to the MAC cache.