Series Switches; Mac Limiting; Mac Move Limiting - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual

For EX Series Ethernet switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.4

Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches

MAC limiting protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on interfaces (ports). MAC move limiting detects MAC movement and MAC spoofing on access interfaces. You enable this feature on VLANs.

MAC Limiting on page 3062
MAC Move Limiting on page 3062
Actions for MAC Limiting and MAC Move Limiting on page 3063
MAC Addresses That Exceed the MAC Limit or MAC Move Limit on page 3063

MAC Limiting

MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface or on all the Layer 2 access interfaces on the switch. Junos operating system (Junos OS) provides two MAC limiting methods:

Maximum number of MAC addresses—You configure the maximum number of dynamic MAC addresses allowed per interface. When the limit is exceeded, incoming packets with new MAC addresses are treated as specified by the configuration. The incoming packets with new MAC addresses can be ignored, dropped, logged, or the interface can be shut down or temporarily disabled. Note that static MAC addresses do not count toward the limit you specify for dynamic MAC addresses.

Allowed MAC—You configure specific "allowed" MAC addresses for the access interface. Any MAC address that is not in the list of configured addresses is not learned and the switch logs the message. Allowed MAC binds MAC addresses to a VLAN so that the address does not get registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.

NOTE: If you do not want the switch to log messages received for invalid MAC addresses on an interface that has been configured for specific "allowed" MAC addresses, you can disable the logging by configuring the no-allowed-mac-log statement.

MAC Move Limiting

MAC move limiting causes the switch to track the number of times a MAC address can move to a new interface (port). It can help to prevent MAC spoofing, and it can also detect and prevent loops.

If a MAC address moves more than the configured number of times within one second, the switch performs the configured action. You can configure MAC move limiting to apply to all VLANs or to a specific VLAN.
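The configuration below is an added example, not text from the Juniper manual: it puts both MAC limiting methods and MAC move limiting described above onto a Junos OS EX Series switch. The interface names (ge-0/0/1.0, ge-0/0/2.0), the VLAN name employee-vlan, the MAC address and the limit values are assumed lab placeholders.

```junos
## Added example, not from the manual. Interface names, VLAN name,
## MAC address and limit values are assumed lab values.

## Method 1: cap the number of dynamic MAC addresses on one access port.
## A fifth new source MAC on ge-0/0/1.0 is dropped; static MACs do not count.
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 mac-limit 4 action drop

## Method 2: only the listed MAC address may be learned on ge-0/0/2.0.
## Rejected addresses are normally logged; no-allowed-mac-log turns that off.
set ethernet-switching-options secure-access-port interface ge-0/0/2.0 allowed-mac 00:05:85:3a:82:80
set ethernet-switching-options secure-access-port interface ge-0/0/2.0 no-allowed-mac-log

## MAC move limiting on one VLAN: a MAC that moves between ports more than
## 5 times within one second has its traffic dropped.
set ethernet-switching-options secure-access-port vlan employee-vlan mac-move-limit 5 action drop

## Activate and then check which addresses were actually learned on the port.
commit
run show ethernet-switching table interface ge-0/0/1.0
```

Choose drop rather than shutdown on ports where a single misbehaving host must not take the whole interface offline; use shutdown only where a manual or timed recovery of the port is acceptable.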
Copyright © 2010, Juniper Networks, Inc.