Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EX] How to control MAC address access through Junos OS for EX Series switches

0

0

Article ID: KB10866 KB Last Updated: 17 Aug 2020Version: 6.0
Summary:

The Junos OS software for EX-Series switches allows user control of MAC address through a single port by setting Mac Limit and Allowed MAC.

This article explains how to set MAC access control on the switch.

 

Solution:

MAC limiting protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). This feature is enabled on interfaces (ports).

MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access port. Junos software provides two MAC limiting methods: 

  • Maximum number of MAC addresses—You configure the maximum number of dynamic MAC addresses allowed per port. As soon as the limit is reached, incoming packets with new MAC addresses are dropped. The MAC limit value in the EX-series switch's default configuration is five MAC addresses.

  • Allowed MAC—You configure specific “allowed” MAC addresses for the access port. Any MAC address that is not in the list of configured addresses is not learned. Allowed MAC binds MAC addresses to a VLAN so that the address does not get registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.

MAC limiting is configured in the [edit ethernet-switching-options secure-access-port] hierarchy. It sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access port; for example, to set a limit of 3 for interface ge-0/0/1 with action drop:

[edit ethernet-switching-options secure-access-port] 
user@switch> show
secure-access-port
        interface ge-0/0/1.0 {
            mac-limit 3 action drop;
        }
}


[edit ethernet-switching-options secure-access-port] 
user@switch> show
secure-access-port {
        interface ge-0/0/2.0 {
            allowed-mac {
                00:01:23:45:CD:23
                00:01:23:45:CD:24     

                00:01:23:45:CD:25
                00:01:23:45:CD:26
                00:01:23:45:CD:27
            }
        }
}

In case the Allowed MAC list is longer than the MAC Limit number, only the first addresses in the Allowed MAC list will be learned. If MAC limit is set to 3 (for example) and Allowed MAC List contains more than 3 entries, the switch will learn only the first 3 addresses on the Allowed MAC list.

 

Modification History:

2020-08-17: Added a reference link and removed EOS product series reference; article checked for accuracy and found to be valid and relevant

 

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search