Configuring MAC Move Limiting (ELS)

Note:

This topic uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. For ELS details, see Using the Enhanced Layer 2 Software CLI.

When MAC move limiting is configured, the switch tracks MAC address movements on access and trunk interfaces. A MAC address move occurs when the switch receives a packet whose source MAC address it has already learned, but on a different interface. If a MAC address moves more than the configured number of times within one second, the switch drops, logs, or ignores the MAC address change, or shuts down the interface, as specified in the configuration.

MAC move limiting is not configured by default.

You can choose to have one of the following actions performed when the MAC move limit is exceeded:

  • drop—(EX2300, EX3400 and EX4300) Drop the packet, but do not generate an alarm.

  • drop-and-log—(EX2300, EX3400 and EX4300 only) Drop the packet and generate an alarm, an SNMP trap, or a system log entry.

  • log—(EX4300 and EX9200) Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.

  • none—(EX4300 and EX9200) Forward packets with new source MAC addresses, and learn the new source MAC address.

  • shutdown—Disable the interface in the VLAN and generate an alarm, an SNMP trap, or a system log entry. If you configure an interface with the recovery-timeout statement, the disabled interfaces recover automatically upon expiration of the specified disable timeout. If you do not configure the switch for autorecovery from the disabled condition, you can bring up the disabled interfaces by running the clear ethernet-switching recovery-timeout command.

  • vlan-member-shutdown—(EX9200 only) Block an interface on the basis of its membership in a specific VLAN and generate an alarm, an SNMP trap, or a system log entry. If you configure an interface with the recovery-timeout statement, the disabled interfaces recover automatically upon expiration of the specified disable timeout. If you do not configure recovery-timeout, then the interface remains blocked for 180 seconds, after which it is automatically restored. You can recover all of the blocked interfaces by running the clear ethernet-switching recovery-timeout command, or recover a specific interface by using the set ethernet-switching recovery-timeout interface interface-name vlan vlan-name command.

To configure a MAC move limit for MAC addresses within a specific VLAN:

  • To limit the number of MAC address movements that can be made by an individual MAC address within the specified VLAN:

  • To limit the number of MAC address movements that can be made by an individual MAC address and to specify the action to be taken when the limit is reached:

    The switch performs the specified action if it tracks that an individual MAC address within the specified VLAN has moved more than the specified number of times within one second.

  • Starting in Junos OS Release 15.1 for EX9200 Switches with configured actions for MAC Move Limiting, you can determine the priority for an interface involved in the MAC move to be selected for the action. To determine the priority for an interface involved in the MAC move:

    The interface with the lowest value configured for action-priority has the highest priority.

    Note:

    You can use the action priority to decrease the likelihood of blocking a trusted interface. The trusted interface should have the lowest priority if the configured action is shutdown or vlan-member-shutdown. To assign a low priority, configure a high value for action-priority.
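
The counting rule and the action-priority selection described above, as an added Python model that is not Junos code and not part of the original documentation. It assumes a sliding one-second window and a default priority of 100 for unlisted interfaces; the interface names, priority values and MAC addresses are constructed.

```python
from collections import defaultdict, deque

WINDOW = 1.0  # seconds; the page's "within one second"

class MacMoveTracker:
    """Simplified model of MAC move limiting in one VLAN (not Junos code)."""

    def __init__(self, limit, action_priority, default_priority=100):
        self.limit = limit
        self.prio = action_priority        # interface -> action-priority value
        self.default = default_priority    # assumed value for unlisted interfaces
        self.learned = {}                  # MAC -> interface it is learned on
        self.moves = defaultdict(deque)    # MAC -> timestamps of recent moves

    def observe(self, ts, mac, ifname):
        """Process one frame; return the interface selected for the action, or None."""
        prev = self.learned.get(mac)
        if prev is None or prev == ifname:
            self.learned[mac] = ifname     # first sighting, or no move
            return None
        recent = self.moves[mac]
        recent.append(ts)
        while ts - recent[0] >= WINDOW:    # forget moves older than one second
            recent.popleft()
        if len(recent) > self.limit:
            # Limit exceeded: of the two interfaces involved in the move, the
            # lowest action-priority value is selected. The move is not learned.
            return min((prev, ifname), key=lambda i: self.prio.get(i, self.default))
        self.learned[mac] = ifname
        return None

def run(events, limit, action_priority):
    """Return (timestamp, MAC, selected interface) for every limit violation."""
    tracker = MacMoveTracker(limit, action_priority)
    hits = []
    for ts, mac, ifname in events:
        selected = tracker.observe(ts, mac, ifname)
        if selected:
            hits.append((ts, mac, selected))
    return hits

# Constructed sample input: one MAC flapping between an uplink and an access
# port, and one host that roams slowly between two access ports.
FLAP = [(0.00, "00:00:5e:00:53:01", "ge-0/0/1"), (0.10, "00:00:5e:00:53:01", "ge-0/0/7"),
        (0.20, "00:00:5e:00:53:01", "ge-0/0/1"), (0.30, "00:00:5e:00:53:01", "ge-0/0/7")]
ROAM = [(0.0, "00:00:5e:00:53:02", "ge-0/0/3"), (5.0, "00:00:5e:00:53:02", "ge-0/0/4"),
        (10.0, "00:00:5e:00:53:02", "ge-0/0/3")]
TRUSTED_HIGH = {"ge-0/0/1": 200, "ge-0/0/7": 10}  # trusted uplink gets the high value
if __name__ == "__main__":
    print(run(FLAP, 2, TRUSTED_HIGH), run(ROAM, 2, TRUSTED_HIGH))
```

With the priority values swapped, the same flapping sequence selects the uplink ge-0/0/1 instead, which is the outcome the note above is meant to prevent.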

Release History Table

Release | Description
15.1 | Starting in Junos OS Release 15.1 for EX9200 Switches with configured actions for MAC Move Limiting, you can determine the priority for an interface involved in the MAC move to be selected for the action.