Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Verifying That MAC Limiting Is Working Correctly

 

MAC limiting protects against flooding of the Ethernet switching table by setting a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port).

Junos OS provides two MAC limiting methods:

  • Maximum number of MAC addresses—You configure the maximum number of dynamic MAC addresses allowed per interface. When the limit is exceeded, incoming packets with new MAC addresses can be ignored, dropped, or logged. You can also specify that the interface be shut down or temporarily disabled.

  • Allowed MAC addresses—You configure specific “allowed” MAC addresses for the access interface. Any MAC address that is not in the list of configured addresses is not learned, and the switch logs an appropriate message. The allowed MAC method binds MAC addresses to a VLAN so that the address is not registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.

This topic includes the following tasks:

Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly

Purpose

Verify that MAC limiting for dynamic MAC addresses is working.

Action

Display the MAC addresses that have been learned. The following sample output shows the results of sending two packets from hosts connected to xe-1:0/0/1 and five packets from hosts connected to xe-1:0/0/2, with both interfaces configured with a MAC limit of 4 and the action drop:

user@switch> show ethernet-switching table

Meaning

The output shows that the fifth packet received on the xe-1:0/0/2 interface was dropped because it exceeded the MAC limit for that interface. The address was not learned, and thus an asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.

Verifying That Allowed MAC Addresses Are Working Correctly

Purpose

Verify that allowed MAC addresses are working.

Action

Display the MAC cache information after allowed MAC addresses have been configured on an interface. The following sample shows the MAC cache after four allowed MAC addresses had been configured on interface xe-1:0/0/2 and a fifth MAC address appeared on the interface.

user@switch> show ethernet-switching table

Meaning

Because the fifth address was not allowed it was not learned, and an asterisk (*) rather than an address appears in the MAC address column in the last line of the sample output.

Verifying That Interfaces Are Shut Down

Purpose

Verify that an interface is shut down when the MAC limit is exceeded.

Action

For more information about interfaces that have been shut down because the MAC limit was exceeded, use the show ethernet-switching interfaces command.

user@switch> show ethernet-switching interfaces
Note

You can configure interfaces to recover automatically when the MAC limit has been exceeded by specifying the port-error-disable statement with a disable timeout value. The switch automatically restores the disabled interface to service when the disable timeout expires. The port-error-disable configuration does not apply to preexisting error conditions—it affects only error conditions that are detected after the port-error-disable statement has been enabled and the configuration has been committed. To clear a preexisting error condition and restore the interface to service, use the clear ethernet-switching port-error command.

Customizing the Ethernet Switching Table Display to View Information for a Specific Interface

Purpose

You can use the show ethernet-switching table command to view information for a specific interface.

Action

For example, to display the MAC addresses that have been learned on the xe-0/0/2 interface, enter:

user@switch> show ethernet-switching table interface xe-0/0/2.0

Meaning

The MAC limit value for the xe-0/0/2 interface had been set to 1, and the output shows that only one MAC address was learned and added to the MAC cache.