
Configuring MAC Limiting

 

Configuring MAC Limiting (ELS)

This topic describes different ways of configuring a limitation on MAC addresses in packets that are received and forwarded by the switch.

Note

The tasks presented in the first section use Junos OS for EX Series switches and QFX3500 and QFX3600 switches with support for the Enhanced Layer 2 Software (ELS) configuration style. See Using the Enhanced Layer 2 Software CLI for more information about ELS configurations.

The different ways of setting a MAC limit are described in the following sections:

Limiting the Number of MAC Addresses Learned by an Interface

To secure a port, you can set the maximum number of MAC addresses that can be learned by an interface:

  • Set the MAC limit on an interface, and specify an action that the switch takes after the specified limit is exceeded:
    [edit switch-options]

    user@switch# set interface interface-name interface-mac-limit limit packet-action action

    After you set a new MAC limit for the interface, the system clears existing entries in the MAC address forwarding table associated with the interface.

Limiting the Number of MAC Addresses Learned by a VLAN

To limit the number of MAC addresses learned by a VLAN, perform both of the following steps:

  1. Set the maximum number of MAC addresses that can be learned by a VLAN, and specify an action that the switch takes after the specified limit is exceeded:
    [edit vlans]

    user@switch# set vlan-name switch-options mac-table-size limit packet-action action
  2. Set the maximum number of MAC addresses that can be learned by one or all interfaces in the VLAN, and specify an action that the switch takes after the specified limit is exceeded:

    Note

    If you specify a MAC limit and packet action for all interfaces in the VLAN and a specific interface in the VLAN, the MAC limit and packet action specified at the specific interface level takes precedence. Also, at the VLAN interface level, only the drop and drop-and-log options are supported.

    [edit vlans]

    user@switch# set vlan-name switch-options interface interface-name interface-mac-limit limit packet-action action
    [edit vlans]

    user@switch# set vlan-name switch-options interface-mac-limit limit packet-action action

    After you set new MAC limits for a VLAN by using the mac-table-size statement or for interfaces associated with a VLAN by using the interface-mac-limit statement, the system clears the corresponding existing entries in the MAC address forwarding table.

    Note

    On a QFX Series Virtual Chassis, if you include the shutdown option at the [edit vlans vlan-name switch-options interface interface-name interface-mac-limit packet-action] hierarchy level and issue the commit operation, the system generates a commit error. The system does not generate an error if you include the shutdown option at the [edit switch-options interface interface-name interface-mac-limit packet-action] hierarchy level.
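As an added illustration (not Juniper code and not part of this page), the following Python models the two ELS hierarchies above as dictionaries, renders them as the equivalent set commands, resolves which VLAN-level limit governs an interface under the precedence rule in the note, and flags a packet-action that the VLAN interface level does not accept before a commit would. The interface names, VLAN name and limit values are assumptions.

```python
# Constructed model of the ELS hierarchies above (not Juniper code); names are assumptions.
VLAN_IFACE_ACTIONS = {"drop", "drop-and-log"}   # the only actions valid at VLAN interface level

CONFIG = {
    "switch-options": {"interface": {"ge-0/0/1": (10, "shutdown")}},   # [edit switch-options]
    "vlans": {"v100": {                                                  # [edit vlans]
        "mac-table-size": (64, "drop"),                # whole-VLAN limit
        "interface-mac-limit": (5, "drop-and-log"),    # all interfaces in the VLAN
        "interface": {"ge-0/0/2": (2, "drop")},        # one specific interface
    }},
}

def set_commands(config):
    """Render the model as the set commands the procedure above uses."""
    cmds = []
    for ifname, (limit, action) in config["switch-options"]["interface"].items():
        cmds.append(f"set switch-options interface {ifname} "
                    f"interface-mac-limit {limit} packet-action {action}")
    for vlan, opts in config["vlans"].items():
        base = f"set vlans {vlan} switch-options"
        for stmt in ("mac-table-size", "interface-mac-limit"):
            if stmt in opts:
                cmds.append(f"{base} {stmt} {opts[stmt][0]} packet-action {opts[stmt][1]}")
        for ifname, (limit, action) in opts.get("interface", {}).items():
            cmds.append(f"{base} interface {ifname} interface-mac-limit {limit} "
                        f"packet-action {action}")
    return cmds

def vlan_interface_limit(config, vlan, ifname):
    """Resolve the VLAN-level limit for ifname: the specific-interface statement
    takes precedence over the all-interfaces interface-mac-limit statement."""
    opts = config["vlans"][vlan]
    if ifname in opts.get("interface", {}):
        return opts["interface"][ifname] + ("interface",)
    if "interface-mac-limit" in opts:
        return opts["interface-mac-limit"] + ("vlan",)
    return (None, None, None)

def commit_check(config):
    """Errors a commit would raise: a packet-action other than drop or
    drop-and-log under [edit vlans <vlan> switch-options ...]."""
    errors = []
    for vlan, opts in config["vlans"].items():
        entries = {"all interfaces": opts.get("interface-mac-limit")}
        entries.update(opts.get("interface", {}))
        for where, entry in entries.items():
            if entry and entry[1] not in VLAN_IFACE_ACTIONS:
                errors.append(f"vlans {vlan}: packet-action {entry[1]} for {where} "
                              "is not supported at the VLAN interface level")
    return errors
```

The shutdown action under [edit switch-options interface] passes the check, matching the note that only the VLAN interface hierarchy rejects it.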

Configuring MAC Limiting (non-ELS)

This task uses Junos OS for EX Series switches and QFX3500 and QFX3600 switches that do not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Configuring MAC Limiting (ELS). For ELS details, see Using the Enhanced Layer 2 Software CLI.

This topic describes various ways of configuring a limitation on MAC addresses in packets that are received and forwarded by the switch.

Before you can change a MAC limit that was previously set for an interface or a VLAN, you must first clear existing entries in the MAC address forwarding table that correspond to the change you want to make. Thus, to change the limit on an interface, first clear the MAC address forwarding table entries for that interface. To change the limit on all interfaces and VLANs, clear all MAC address forwarding table entries. To change the limit on a VLAN, clear the MAC address forwarding table entries for that VLAN.

To clear MAC addresses from the forwarding table:

  • Clear MAC address entries from a specific interface (here, the interface is ge-0/0/1) in the forwarding table:
    user@switch> clear ethernet-switching-table interface ge-0/0/1
  • Clear all MAC address entries in the forwarding table:
    user@switch> clear ethernet-switching-table
  • Clear MAC address entries from a specific VLAN (here, the VLAN is vlan-abc):
    user@switch> clear ethernet-switching-table vlan vlan-abc

The different ways of setting a MAC limit are described in the following sections:

Limiting the Number of MAC Addresses That Can be Learned on Interfaces

To configure MAC limiting for port security, set a maximum number of MAC addresses that can be learned on interfaces:

  • Apply the MAC limit on a single interface (here, the interface is ge-0/0/1):
    [edit ethernet-switching-options secure-access-port]

    user@switch# set interface ge-0/0/1 mac-limit 10

    When no action is specified for configuring the MAC limit on an interface, the switch performs the default action drop if the limit is exceeded.

  • Apply the MAC limit on a single access interface, on the basis of its membership within a specific VLAN (here, the interface is ge-0/0/1 and the VLAN is v1):
    [edit ethernet-switching-options secure-access-port]

    user@switch# set interface ge-0/0/1 vlan v1 mac-limit 5

    With this type of configuration, the switch drops any additional packets if the limit is exceeded, and also logs a message.

  • Apply the limit to all access interfaces:
    [edit ethernet-switching-options secure-access-port]

    user@switch# set interface all mac-limit 10

    When no action is specified for configuring the MAC limit on all interfaces, the switch performs the default action drop if the limit is exceeded.

Specifying MAC Addresses That Are Allowed

You must clear existing entries in the MAC address forwarding table prior to changing the MAC address limit.

To configure MAC limiting for port security by specifying allowed MAC addresses:

  • On a single interface (here, the interface is ge-0/0/2):
    [edit ethernet-switching-options secure-access-port]

    user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80

    user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81

    user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83

  • On all interfaces:
    [edit ethernet-switching-options secure-access-port]

    user@switch# set interface all allowed-mac 00:05:85:3A:82:80

    user@switch# set interface all allowed-mac 00:05:85:3A:82:81

    user@switch# set interface all allowed-mac 00:05:85:3A:82:83

Configuring MAC Limiting for VLANs

You must clear existing entries in the MAC address forwarding table before you can change the MAC address limit.

MAC limiting for a VLAN restricts the MAC addresses that can be learned for that VLAN, but does not drop the packet. Therefore, setting the MAC limit on a VLAN is not considered a port-security feature.

Note

The configuration of specific allowed MAC addresses does not apply to VLANs.

To configure MAC limiting for a VLAN using the CLI:

  • Limit the number of dynamic MAC addresses on a VLAN:

    If the MAC limit on a specific VLAN is exceeded, the switch logs the MAC addresses of packets that cause the limit to be exceeded. No other action is possible.

    [edit vlans]

    user@switch# set vlan-abc mac-limit 20

    Note

    When you are applying a MAC limit on a VLAN, do not set mac-limit to 1 for a VLAN composed of Routed VLAN Interfaces (RVIs) or a VLAN composed of aggregated Ethernet bundles using LACP. In these cases, setting the mac-limit to 1 prevents the switch from learning MAC addresses other than the automatic addresses:

    • For RVIs, the first MAC address inserted into the forwarding database is the MAC address of the RVI.

    • For aggregated Ethernet bundles using LACP, the first MAC address inserted into the forwarding table is the source address of the protocol packet.

    If the VLAN is composed of regular access or trunk interfaces, you can set the mac-limit to 1 if you choose to do so.
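The following Python is an added model (not Juniper code and not part of this page) of the three non-ELS behaviours described above: the per-interface mac-limit with its default drop action, the allowed-mac list, and the VLAN mac-limit that logs an address without dropping the packet; it also reproduces the mac-limit 1 caution, where an automatically inserted RVI address consumes the only slot. Interface, VLAN and MAC values are constructed.

```python
# Constructed model of the non-ELS rules above (not Juniper code): per-interface
# mac-limit with the default drop action, allowed-mac lists, and the VLAN mac-limit
# that logs but never drops. Interface, VLAN and MAC values are assumptions.
DEFAULT_ACTION = "drop"

class Switch:
    def __init__(self):
        self.iface_limit = {}   # interface -> (mac-limit, packet action)
        self.allowed = {}       # interface -> set of allowed-mac entries
        self.vlan_limit = {}    # vlan -> mac-limit (log only)
        self.table = {}         # (vlan, mac) -> interface that learned it
        self.log = []

    def set_mac_limit(self, iface, limit, action=DEFAULT_ACTION):
        self.iface_limit[iface] = (limit, action)

    def set_allowed_mac(self, iface, mac):
        self.allowed.setdefault(iface, set()).add(mac.lower())

    def set_vlan_mac_limit(self, vlan, limit):
        self.vlan_limit[vlan] = limit

    def insert_automatic(self, vlan, mac, iface):
        """Entry the switch inserts itself, e.g. an RVI's own MAC (the mac-limit 1 caution)."""
        self.table[(vlan, mac.lower())] = iface

    def _count(self, vlan=None, iface=None):
        return sum(1 for (v, _), i in self.table.items()
                   if (vlan is None or v == vlan) and (iface is None or i == iface))

    def receive(self, iface, vlan, mac):
        """Learning outcome for one frame's source MAC."""
        mac = mac.lower()
        if (vlan, mac) in self.table:
            return "known"
        if iface in self.allowed and mac not in self.allowed[iface]:
            self.log.append(f"{iface}: {mac} not in allowed-mac list, not learned")
            return "not-allowed"
        limit, action = self.iface_limit.get(iface, (None, DEFAULT_ACTION))
        if limit is not None and self._count(iface=iface) >= limit:
            self.log.append(f"{iface}: mac-limit {limit} exceeded by {mac}, action {action}")
            return action            # "drop" unless another action was configured
        vlimit = self.vlan_limit.get(vlan)
        if vlimit is not None and self._count(vlan=vlan) >= vlimit:
            self.log.append(f"vlan {vlan}: mac-limit {vlimit} exceeded by {mac}")
            return "logged"          # address logged, not learned, packet not dropped
        self.table[(vlan, mac)] = iface
        return "learned"
```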

Configuring MAC Limiting (QFX Switches)

To configure MAC limiting on a specific interface or on all interfaces:

  1. To limit the number of dynamic MAC addresses, set a MAC limit of 5.

    The action is not specified, so the switch performs the default action drop if the limit is exceeded:

    • On a single interface (here, the interface is xe-0/0/1):

      [edit ethernet-switching-options secure-access-port]

      user@switch# set interface xe-0/0/1 mac-limit 5
    • On all interfaces:

      [edit ethernet-switching-options secure-access-port]

      user@switch# set interface all mac-limit 5

    Caution

    Do not set the MAC limit to 1. The first learned MAC address is often inserted into the forwarding database automatically. (For instance, the first MAC address inserted into the forwarding database for routed VLAN interfaces is the MAC address of the RVI. For aggregated Ethernet bundles using LACP, the first MAC address inserted into the forwarding table is the source address of the protocol packet.) With the MAC limit set to 1, the switch therefore cannot learn any MAC address other than the automatic one, which breaks MAC learning and forwarding.

  2. To specify allowed MAC addresses:
    • On a single interface (here, the interface is xe-0/0/2):

      [edit ethernet-switching-options secure-access-port]

      user@switch# set interface xe-0/0/2 allowed-mac 00:05:85:3A:82:80

      user@switch# set interface xe-0/0/2 allowed-mac 00:05:85:3A:82:81

      user@switch# set interface xe-0/0/2 allowed-mac 00:05:85:3A:82:83

    • On all interfaces:

      [edit ethernet-switching-options secure-access-port]

      user@switch# set interface all allowed-mac 00:05:85:3A:82:80

      user@switch# set interface all allowed-mac 00:05:85:3A:82:81

      user@switch# set interface all allowed-mac 00:05:85:3A:82:83

Configuring MAC Limiting (J-Web Procedure)

MAC limiting protects against flooding of the Ethernet switching table on an EX Series switch. MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port).

Junos OS provides two MAC limiting methods:

  • Maximum number of dynamic MAC addresses allowed per interface—If the limit is exceeded, incoming packets with new MAC addresses are dropped.

  • Specific “allowed” MAC addresses for the access interface—Any MAC address that is not in the list of configured addresses is not learned.

You configure MAC limiting for each interface, not for each VLAN. You can specify the maximum number of dynamic MAC addresses that can be learned on a single Layer 2 access interface or on all Layer 2 access interfaces. The default action that the switch will take if that maximum number is exceeded is drop—drop the packet and generate an alarm, an SNMP trap, or a system log entry.

To enable MAC limiting on one or more interfaces using the J-Web interface:

  1. Select Configure>Security>Port Security.
  2. Select one or more interfaces from the Interface List.
  3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.
  4. To set a dynamic MAC limit:
    1. Type a limit value in the MAC Limit box.

    2. Select an action from the MAC Limit Action box (optional). The switch takes this action when the MAC limit is exceeded. If you do not select an action, the switch applies the default action, drop.

      • Log—Generate a system log entry.

      • Drop—Drop the packets and generate a system log entry. (Default)

      • Shutdown—Shut down the VLAN and generate a system log entry. You can mitigate the effect of this option by configuring the switch for autorecovery from the disabled state and specifying a disable timeout value.

      • None—No action is taken.

  5. To add allowed MAC addresses:
    1. Click Add.

    2. Type the allowed MAC address and click OK.

    Repeat this step to add more allowed MAC addresses.

  6. Click OK when you have finished setting MAC limits.
  7. Click OK after the configuration has been successfully delivered.

Note

You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs or interfaces (ports), a message asking whether you want to enable port security appears.