Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

MAC Addresses

 

Introduction to the Media Access Control (MAC) Layer 2 Sublayer

This topic provides an introduction to the MAC sublayer of the data link layer (Layer 2).

In Layer 2 of a network, the Media Access Control (MAC) sublayer provides addressing and channel access control mechanisms that enable several terminals or network nodes to communicate in a network.

The MAC sublayer acts as an interface between the logical link control (LLC) Ethernet sublayer and Layer 1 (the physical layer). The MAC sublayer emulates a full-duplex logical communication channel in a multipoint network. This channel may provide unicast, multicast, or broadcast communication service. The MAC sublayer uses MAC protocols to prevent collisions.

In Layer 2, multiple devices on the same physical link can uniquely identify one another at the data link layer, by using the MAC addresses that are assigned to all ports on a switch. A MAC algorithm accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC address.

A MAC address is a 12-digit hexadecimal number (48 bits in long). MAC addresses are usually written in one of these formats:

  • MM:MM:MM:SS:SS:SS

  • MM-MM-MM-SS-SS-SS

The first half of a MAC address contains the ID number of the adapter manufacturer. These IDs are regulated by an Internet standards body. The second half of a MAC address represents the serial number assigned to the adapter by the manufacturer.

Contrast MAC addressing, which works at Layer 2, with IP addressing, which runs at Layer 3 (networking and routing). One way to remember the difference is that the MAC addresses apply to a physical or virtual node, whereas IP addresses apply to the software implementation of that node. MAC addresses are typically fixed on a per-node basis, whereas IP addresses change when the node moves from one part of the network to another.

IP networks maintain a mapping between the IP and MAC addresses of a node using the Address Resolution Protocol (ARP) table. DHCP also typically uses MAC addresses when assigning IP addresses to nodes.

Understanding MAC Address Assignment on an EX Series Switch

This topic describes MAC address assignment for interfaces on standalone Juniper Networks EX Series Ethernet Switches. For information regarding MAC address assignments in a Virtual Chassis, see Understanding MAC Address Assignment on a Virtual Chassis.

MAC addresses are used to identify network devices at Layer 2. Because all Layer 2 traffic decisions are based on an interface’s MAC address, understanding MAC address assignment is important to understanding how network traffic is forwarded and received by the switch. For additional information on how a network uses MAC addresses to forward and receive traffic, see Understanding Bridging and VLANs on Switches.

A MAC address comprises six groups of two hexadecimal digits, with each group separated from the next group by a colon—for instance, aa:bb:cc:dd:ee:00. The first five groups of hexadecimal digits are derived from the switch and are the same for all interfaces on the switch.

The assignment of a unique MAC address to each network interface helps ensure that functions that require MAC address differentiation—such as redundant trunk groups (RTGs), Link Aggregation Control Protocol (LACP), and general monitoring functions—can properly function.

On switches that use line cards, this MAC addressing scheme differentiates the Layer 2 interfaces on different line cards in the switch.

For EX Series switches, the first five groups of hexadecimal digits are determined when the switch is manufactured. The switch then assigns a unique MAC address to each interface by assigning a unique identifier as the last group of hexadecimal digits. The assignment depends on how the interface is configured. The switch uses a different pattern to distinguish between an interface that is configured as any of a routed VLAN interface (RVI), a virtual management Ethernet (VME) interface, or an aggregated Ethernet interface or is not configured as any of an RVI, a VME, or as an aggregated Ethernet interface.

For aggregated Ethernet interfaces, the MAC address assignment remains constant regardless of whether the configuration of the interface is Layer 2 or Layer 3.

Note

In Junos OS Release 11.3 and later releases through Release 12.1, the MAC address assignment for aggregated Ethernet interfaces changes if the interface is changed from Layer 2 to Layer 3 or the reverse. Starting with Junos Release 12.2, the MAC address assignment for aggregated Ethernet interfaces remains constant regardless of whether the interface is Layer 2 or Layer 3.

Note

Prior to Junos OS Release 11.3, MAC addresses for Layer 2 interfaces could be shared between interfaces and RVIs on different line cards in the same switch. However, if you upgrade from Junos OS Release 11.2 or earlier to Junos OS Release 11.3 or later on a switch that supports line cards, the MAC addresses of these interfaces will change.

MAC addresses are assigned to interfaces automatically—no user configuration is possible or required. You can view MAC addresses assigned to interfaces using the show interfaces command.

Configuring MAC Move Parameters

When a MAC address appears on a different physical interface or within a different unit of the same physical interface and this behavior occurs frequently, it is considered a MAC move. You can configure the router to report a MAC address move based on the following parameters: the number of times a MAC address move occurs, a specified period of time over which the MAC address move occurs, and specified number of times a MAC address move occurs in one second. You can only configure the global-mac-move statement at the global hierarchy level.

To globally disable the MAC move action feature, include the disable-action statement at the [edit protocols l2-learning global-mac-move]. This disables the MAC move action feature, while MAC move detection exists.

To configure the time duration after which the port will be unblocked, include the reopen-time statement at the [edit protocols l2-learning global-mac-move]. The default reopen timer is 180 second.

To configure MAC address move reporting if the MAC address moves at least a specified number of times in one second, include the threshold-time statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default threshold time is 1 second.

To configure reporting of a MAC address move if the MAC address moves for a specified period of time, include the notification-time statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default notification timer is 1 second.

To configure reporting of a MAC address move if the MAC address moves a specified number of times, include the threshold-count statement at the [edit protocols l2-learning global-mac-move] hierarchy level. The default threshold count is 50 moves.

Use the show l2-learning mac-move-buffer command to view the actions as a result of MAC address move feature.

Use the show l2-learning mac-move-buffer active command to view the set of IFLs blocked as a result of MAC move action.

Use the exclusive-mac command exclude a MAC address from the MAC move limit algorithm, preventing a MAC address from being tracked.

Use the clear l2-learning mac-move-buffer active command to unblock the IFBDs that were blocked by MAC move action feature. This allows the user to keep the reopen-time configured to a large value, but when the looping error is fixed, user can manually release the blocking.

The following example sets the notification time for MAC moves to 1 second, the threshold time to 1 second, reopen-time to 180 seconds and the threshold count to 50 moves.

Configuring MAC Limiting (ELS)

This topic describes different ways of configuring a limitation on MAC addresses in packets that are received and forwarded by the switch.

Note

The tasks presented in the first section uses Junos OS for EX Series switches and QFX3500 and QFX3600 switches with support for the Enhanced Layer 2 Software (ELS) configuration style. See Using the Enhanced Layer 2 Software CLI for more information about ELS configurations.

The different ways of setting a MAC limit are described in the following sections:

Limiting the Number of MAC Addresses Learned by an Interface

To secure a port, you can set the maximum number of MAC addresses that can be learned by an interface:

  • Set the MAC limit on an interface, and specify an action that the switch takes after the specified limit is exceeded:
    [edit switch-options]

    user@switch# set interface interface-name interface-mac-limit limit packet-action action

    After you set a new MAC limit for the interface, the system clears existing entries in the MAC address forwarding table associated with the interface.

Limiting the Number of MAC Addresses Learned by a VLAN

To limit the number of MAC addresses learned by a VLAN, perform both of the following steps:

  1. Set the maximum number of MAC addresses that can be learned by a VLAN, and specify an action that the switch takes after the specified limit is exceeded:
    [edit vlans]

    user@switch# set vlan-name switch-options mac-table-size limit packet-action action
  2. Set the maximum number of MAC addresses that can be learned by one or all interfaces in the VLAN, and specify an action that the switch takes after the specified limit is exceeded:Note

    If you specify a MAC limit and packet action for all interfaces in the VLAN and a specific interface in the VLAN, the MAC limit and packet action specified at the specific interface level takes precedence. Also, at the VLAN interface level, only the drop and drop-and-log options are supported.

    [edit vlans]

    user@switch# set vlan-name switch-options interface interface-name interface-mac-limit limit packet-action action
    [edit vlans]

    user@switch# set vlan-name switch-options interface-mac-limit limit packet-action action

    After you set new MAC limits for a VLAN by using the mac-table-size statement or for interfaces associated with a VLAN by using the interface-mac-limit statement, the system clears the corresponding existing entries in the MAC address forwarding table.

    Note

    On a QFX Series Virtual Chassis, if you include the shutdown option at the [edit vlans vlan-name switch-options interface interface-name interface-mac-limit packet-action] hierarchy level and issue the commit operation, the system generates a commit error. The system does not generate an error if you include the shutdown option at the [edit switch-options interface interface-name interface-mac-limit packet-action] hierarchy level.

Adding a Static MAC Address Entry to the Ethernet Switching Table on a Switch with ELS Support

Note

This task uses Junos OS for EX Series switches and Junos OS for QFX3500 and QFX3600 switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Adding a Static MAC Address Entry to the Ethernet Switching Table. For ELS details, see Using the Enhanced Layer 2 Software CLI.

The Ethernet switching table, also known as the forwarding table, specifies the known locations of VLAN nodes and the addresses of devices within those nodes. There are two ways to populate the Ethernet switching table on a switch. The easiest method is to let the switch update the table with MAC addresses.

The second way to populate the Ethernet switching table is to manually insert addresses into the table. You can do this to reduce flooding and speed up the switch’s automatic learning process.

Before configuring a static MAC address, be sure that you have:

To configure an interface to have a static MAC address:

[edit vlans vlan-name switch-options interface interface-name]

user@switch# set static-mac mac-address

Adding a Static MAC Address Entry to the Ethernet Switching Table

Note

This task uses Junos OS for EX Series switches and Junos OS for QFX3500 and QFX3600 switches that does not support the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Adding a Static MAC Address Entry to the Ethernet Switching Table on a Switch with ELS Support. For ELS details, see Using the Enhanced Layer 2 Software CLI.

The Ethernet switching table, also known as the forwarding table, specifies the known locations of VLAN nodes. There are two ways to populate the Ethernet switching table on a switch. The easiest method is to let the switch update the table with MAC addresses.

The second way to populate the Ethernet switching table is to manually insert a VLAN node location into the table. You can do this to reduce flooding and speed up the switch’s automatic learning process. To further optimize the switching process, indicate the next hop (next interface) packets will use after leaving the node.

Before configuring a static MAC address, be sure that you have:

To add a MAC address to the Ethernet switching table:

  1. Specify the MAC address to add to the table:
    [edit ethernet-switching-options]

    set static vlan vlan-name mac mac-address
  2. Indicate the next hop MAC address for packets sent to the indicated MAC address:
    [edit ethernet-switching-options]

    set static vlan vlan-name mac mac-address next-hop interface

Example: Configuring the Default Learning for Unknown MAC Addresses

This example shows how to configure the device to use only ARP requests to learn the outgoing interfaces for unknown destination MAC addresses.

Requirements

Before you begin, determine the MAC addresses and associated interfaces of the forwarding table. See Layer 2 Learning and Forwarding for VLANs Overview.

Overview

In this example, you configure the device to use only ARP queries without traceroute requests.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure the device to use only ARP requests to learn unknown destination MAC addresses:

  1. Enable the device.
  2. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show security flow command.