ON THIS PAGE
Understanding MAC Limiting on Layer 3 Routing Interfaces
Overview
The MAC limiting feature provides a mechanism for limiting MAC addresses on devices that are connected to a Layer 3 routed Gigabit Ethernet (GE), Fast Ethernet (FE), or 10 Gigabit Ethernet (XE) interface. With MAC filters, you can allow traffic with specific source MAC. Software-based MAC limiting is supported. MAC limiting is applicable only on interfaces with plain Ethernet or VLAN tagged encapsulation.
Both the physical interface level source-address-filter and logical interface level accept-source-mac configurations are supported
on SRX100, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, and SRX650 devices. (Platform support
depends on the Junos OS release in your installation.) The following considerations apply
when you configure the source-address-filter and accept-source-mac statements:
If only the logical level
accept-source-macstatement is configured, traffic from only those configured MAC addresses will be allowed on the logical interface.If only the physical interface level
source-address-filterstatement is configured, the physical interface’s allowed MAC addresses are also considered the allowed addresses for all the logical interfaces belonging to the physical interface. Incoming packets from any other source MAC addresses are dropped.If the physical interface level
source-address-filteris configured undergigether-options(orfastether-options) andaccept-source-macis configured for one or more of its logical interfaces or VLANs, the allowed list of addresses is a combination of MAC addresses specified in both the statements. For logical interfaces and VLANs where theaccept-source-macstatement is not configured, the physical interface’s allowed list of addresses is considered.
You can configure an interface to receive packets from specific MAC addresses. To do
this, specify the MAC addresses in the source-address-filter or accept-source-mac statements:
Logical level MAC filter configuration on an untagged interfacege-0/0/10 { unit 0 { accept-source-mac { mac-address 00:22:33:44:55:66; mac-address 00:26:88:e9:a3:01; } family inet { address 60.60.60.1/24; } } }Physical level MAC filter configuration on an untagged interfacege-0/0/10 { gigether-options { source-address-filter { 00:55:55:55:55:66; 00:26:88:e9:a3:01; } } unit 0 { family inet { address 60.60.60.1/24; } } }Physical and logical level MAC filter configurations on a tagged interfacege-0/0/10 { vlan-tagging; gigether-options { source-address-filter { 00:26:88:e9:a3:01; } } unit 0 { vlan-id 40; accept-source-mac { mac-address 00:22:33:44:55:66; } family inet { address 40.40.40.1/24; } } unit 1 { vlan-id 60; accept-source-mac { mac-address 00:55:55:55:55:66; } family inet { address 60.60.60.1/24; } } }
On untagged Gigabit Ethernet interfaces, you must not configure the source-address-filter and the accept-source-mac statements simultaneously. If these statements are
configured for the same interfaces at the same time, an error message appears. However, in
the case of tagged VLANs, both these statements can be configured simultaneously, if no identical
MAC addresses are specified.
Limitations
The following limitations apply to MAC limiting support on Layer 3 routed GE, AE, FE, or XE interfaces:
You can configure only 32 MAC addresses per device (except on aggregated Ethernet interfaces, where the limit is 64 addresses per logical interface).
Only software-based MAC filtering is supported. Software-based MAC filtering impacts performance. The performance impact is proportional to the number of MAC addresses configured.
MAC-based policer or rate limiting is not supported.
You cannot configure broadcast or multicast address in the
source-address-filterstatement.MAC filtering is not supported on aggregated Ethernet (AE) interfaces (it is supported on some platforms; see Feature Explorer for platform specifics); or on Fabric Ethernet, Point-to-Point Protocol over Ethernet (PPPoE), Routed VLAN interface (RVI), or VLAN interfaces.
MAC filtering is not supported on chassis clusters.
If you configure MAC filtering on the AE interface, you must configure the interface with
accept-source-mac(that is, not withsource-address-filter) and withfamily ethernet-switching.