Configuring MAC Limiting (CLI Procedure) - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual

For EX Series Ethernet Switches

Configuring MAC Limiting (CLI Procedure)

Copyright © 2010, Juniper Networks, Inc.
Understanding DAI for Port Security on EX Series Switches on page 3060
MAC limiting protects against flooding of the Ethernet switching table on the EX Series
switch. MAC limiting sets a limit on the number of MAC addresses that can be learned
on a single Layer 2 access interface (port).
Junos OS provides two MAC limiting methods:
Maximum number of dynamic MAC addresses allowed per interface—When the limit
is exceeded, incoming packets with new MAC addresses are dropped.
Specific "allowed" MAC addresses for the access interface—Any MAC address that is
not in the list of configured addresses is not learned and the switch logs the message.
NOTE: If you do not want the switch to log messages received for invalid
MAC addresses on an interface that has been configured for specific
"allowed" MAC addresses, you can disable the logging by configuring the
no-allowed-mac-log statement.
You configure MAC limiting per interface, not per VLAN. You can specify the maximum
number of dynamic MAC addresses that can be learned on a single Layer 2 access
interface or on all Layer 2 access interfaces.
You can choose to have one of the following actions performed when the limit of MAC
addresses is exceeded:
drop—Drop the packet and generate an alarm, an SNMP trap, or a system log entry.
This is the default.
log—Do not drop the packet but generate an alarm, an SNMP trap, or a system log
entry.
none—Take no action.
shutdown—Disable the interface and generate an alarm. If you have configured the
switch with the port-error-disable statement, the disabled interface recovers
automatically upon expiration of the specified disable timeout. If you have not
configured the switch for autorecovery from port error disabled conditions, you can
bring up the disabled interfaces by running the clear ethernet-switching port-error
command.
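The four actions and the allowed-MAC method, modelled in Python as an added example (not Juniper code and not part of the manual). The class, field and function names are hypothetical, the MAC addresses are constructed, and the model assumes that addresses arriving after the limit is reached are never added to the table, which the text does not specify.

```python
# Added illustration, not Junos code: toy model of per-interface MAC limiting.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AccessPort:
    mac_limit: Optional[int] = None      # max dynamic MACs; None = unlimited
    action: str = "drop"                 # drop (default) | log | none | shutdown
    allowed: frozenset = frozenset()     # specific "allowed" MACs, if configured
    log_allowed: bool = True             # False models no-allowed-mac-log
    learned: set = field(default_factory=set)
    disabled: bool = False
    events: list = field(default_factory=list)  # alarm/trap/syslog stand-in

    def receive(self, src: str) -> str:
        """Return the verdict for one frame with source MAC `src`."""
        if self.disabled:
            return "port-disabled"
        if self.allowed:                 # allowed-MAC method
            if src in self.allowed:
                return "forward"
            if self.log_allowed:
                self.events.append(f"invalid MAC {src}")
            return "not-learned"
        if src in self.learned:
            return "forward"
        if self.mac_limit is None or len(self.learned) < self.mac_limit:
            self.learned.add(src)
            return "forward"
        # Limit exceeded. Assumption: over-limit MACs are never added to
        # `learned`; the manual text does not say whether log/none learn them.
        if self.action == "none":
            return "forward"
        self.events.append(f"limit exceeded by {src} ({self.action})")
        if self.action == "log":
            return "forward"
        if self.action == "shutdown":
            self.disabled = True
            return "port-disabled"
        return "drop"

def flood(action: str, limit: int = 5, frames: int = 20) -> dict:
    """Send `frames` constructed, distinct source MACs at one port."""
    port = AccessPort(mac_limit=limit, action=action)
    verdicts = [port.receive(f"02:00:00:00:00:{i:02x}") for i in range(frames)]
    tally = {v: verdicts.count(v) for v in set(verdicts)}
    tally["events"] = len(port.events)
    return tally
```

Calling `flood()` for each action shows the trade-off: only drop and shutdown stop frames from new source addresses once the limit is reached, and none leaves no record that the limit was hit.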
To configure MAC limiting on a specific interface or on all interfaces, using the CLI:
1. For limiting the number of dynamic MAC addresses, set a MAC limit of 5.
The action is not specified, so the switch performs the default action drop if the limit
is exceeded:
On a single interface (here, the interface is ge-0/0/1):

Chapter 101: Configuring Port Security
