Ethernet Switching
Super Contributor
Posts: 92
Registered: ‎03-11-2011
0 Kudos

VLAN membership MAC limit

Colleagues,

Can you please help me understand what the VLAN membership MAC limit is for? When would I use it in the real world? For voice VLANs, to set different data and voice MAC limits?

A quote from EX documentation

"

Apply the MAC limit on a single access interface, on the basis of its membership within a specific VLAN (here, the interface is ge-0/0/1 and the VLAN is v1).

[edit ethernet-switching-options secure-access-port]
user@switch# set interface ge-0/0/1 vlan v1 mac-limit 5

With this type of configuration, the switch drops any additional packets if the limit is exceeded, and also logs a message.

"

Trusted Contributor
Posts: 104
Registered: ‎03-10-2009
0 Kudos
Distinguished Expert
Posts: 5,118
Registered: ‎03-30-2009
0 Kudos

Re: VLAN membership MAC limit

Typically the limit is set up to prevent users from adding another switch and a large number of devices to an access end-user port, or from using the port for a MAC flood attack.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Super Contributor
Posts: 92
Registered: ‎03-11-2011
0 Kudos

Re: VLAN membership MAC limit

Thanks guys for the answers.
I should be more precise. I understand the concept of MAC limiting. I'm just not sure about this single case where, along with the interface name and MAC limit, you also specify a VLAN. Since MAC limiting can only be enabled on access ports, this makes little sense.

Recognized Expert
Posts: 449
Registered: ‎02-13-2011
0 Kudos

Re: VLAN membership MAC limit

Are you sure this can only be applied to access interfaces? I do not see anything in the documentation that states this limitation, such that MAC limits could not be set on L2 trunk or tagged interfaces:

MAC limiting is configured on Layer 2 interfaces. You can specify the maximum number of dynamic MAC addresses that can be learned on a single interface, all interfaces, or a specific interface on the basis of its membership within a VLAN (VLAN membership MAC limit).


See below and its associated links for more details:


http://www.juniper.net/techpubs/en_US/junos/topics/concept/port-security-mac-limiting-and-mac-move-l...


FYI.

Super Contributor
Posts: 92
Registered: ‎03-11-2011
0 Kudos

Re: VLAN membership MAC limit

I'm sure it can be enabled on the access interfaces only. Tested on EX4200.

Please see the second paragraph: https://www.juniper.net/documentation/en_US/junos12.1x44/topics/concept/layer-2-mac-limit-port-secur...

Distinguished Expert
Posts: 584
Registered: ‎08-23-2015
0 Kudos

Re: VLAN membership MAC limit

Hello,


You can check this link:


https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/mac-limit...


[edit ethernet-switching options secure-access-port interface interface-name vlan vlan-name]—Set the MAC address learning limit for a specific interface as a member of a specific VLAN (VLAN membership MAC limit).


Note: If you set the MAC address limit on a specific interface as a member of a specific VLAN (VLAN membership MAC limit), the switch drops any additional packets when the VLAN membership MAC limit is exceeded and logs the MAC addresses of those packets. You cannot specify a different action for this specific configuration. If a single interface belongs to more than one VLAN, you can set separate VLAN membership MAC limits for the same interface.


Regards,


Rushi

Recognized Expert
Posts: 449
Registered: ‎02-13-2011
0 Kudos

Re: VLAN membership MAC limit

I understand your view, and yes, if it is only applicable to an access interface and not to tagged/trunk, then the addition of VLAN makes little to no sense as a requirement. It could somehow be related to the implementation, I guess.


I assume you think access only from this statement:


MAC limiting sets a limit on the number of MAC addresses that can be learned dynamically on a single Layer 2 access interface or on all the Layer 2 access interfaces on the services gateway.


I would NOT trust that the use of the word Access above equates to a true Access port, versus any port. I would "think" that if it were not supported on an L2 tagged/trunk interface (where VLAN would then matter for sure), some NOTE saying so might be present, but who knows???


I think it is best to just accept that the VLAN is needed in the command structure and leave it at that...

Trusted Contributor
Posts: 104
Registered: ‎03-10-2009
0 Kudos

Re: VLAN membership MAC limit

Hi


First, we cannot apply this MAC limit on trunk ports:


{master:0}[edit]
root# show | display set | match ae0 | match trunk
set interfaces ae0 unit 0 family ethernet-switching port-mode trunk

{master:0}[edit]
root# ...options secure-access-port interface ae0 mac-limit 10

{master:0}[edit]
root# commit check
[edit ethernet-switching-options secure-access-port]
'interface ae0.0'
MAC limit configuration is not allowed for trunk port
error: configuration check-out failed


So when we configure this MAC limit, it should be only for an access port, which would anyway be part of only one VLAN.


Can I know if this information helps you? If not, let me know what the confusion is here please.


Thanks

Partha 

Super Contributor
Posts: 92
Registered: ‎03-11-2011
0 Kudos

Re: VLAN membership MAC limit

Thank you all for sharing your insight.


First of all, mac-limit can be applied to access ports only and is usually done with:

set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 1


My question was about a version of the above that allows you to set mac-limit per port per VLAN:

set ethernet-switching-options secure-access-port interface ge-0/0/1 vlan 100 mac-limit 1


I did some tests and was able to use it on a VoIP port where, instead of setting the MAC limit to 2, I was able to set the limit to 1 for data and 1 for voice. This way I was unable to use 2 PCs only or 2 phones only, but with 1 PC and 1 phone it worked fine.


vlans {
    data {
        vlan-id 100;
        l3-interface vlan.100;
    }
    voice {
        vlan-id 200;
        l3-interface vlan.200;
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members data;
                }
            }
        }
    }
}
ethernet-switching-options {
    secure-access-port {
        interface ge-0/0/1.0 {
            vlan data {
                mac-limit 1 action drop;
            }
            vlan voice {
                mac-limit 1 action drop;
            }
        }
    }
    voip {
        interface ge-0/0/1.0 {
            vlan voice;
            forwarding-class expedited-forwarding;
        }
    }
}


When the limit was exceeded, the switch logged:

Mar 22 16:33:54  exA-1 eswd[1318]: ESWD_VMEMBER_MAC_LIMIT_DROP: vlan data mac 00:26:88:00:00:02 (tag 100) interface ge-0/0/1.0, per port per vlan limit exceeded
Mar 22 16:33:56  exA-1 last message repeated 2 times
Mar 22 16:37:54  exA-1 eswd[1318]: ESWD_VMEMBER_MAC_LIMIT_DROP: vlan voip mac 00:26:88:00:00:04 (tag 200) interface ge-0/0/1.0, per port per vlan limit exceeded
Mar 22 16:37:57  exA-1 last message repeated 2 times
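The ESWD_VMEMBER_MAC_LIMIT_DROP messages above are the detection hook for this feature. As an added example (not part of the original post or of Junos), the following parser reads those exact syslog lines, folds the "last message repeated N times" lines into the preceding event, and totals dropped frames per port and VLAN so a port that keeps presenting extra MAC addresses in one VLAN can be alerted on. The line format is assumed to be exactly the one shown in the post; the threshold value is a constructed parameter.

```python
import re
from collections import Counter

# Syslog lines as quoted in the post above; the "last message repeated N times"
# lines are syslog duplicate suppression and must be folded into the preceding
# ESWD_VMEMBER_MAC_LIMIT_DROP event to get a true drop count.
SAMPLE_LOG = """\
Mar 22 16:33:54  exA-1 eswd[1318]: ESWD_VMEMBER_MAC_LIMIT_DROP: vlan data mac 00:26:88:00:00:02 (tag 100) interface ge-0/0/1.0, per port per vlan limit exceeded
Mar 22 16:33:56  exA-1 last message repeated 2 times
Mar 22 16:37:54  exA-1 eswd[1318]: ESWD_VMEMBER_MAC_LIMIT_DROP: vlan voip mac 00:26:88:00:00:04 (tag 200) interface ge-0/0/1.0, per port per vlan limit exceeded
Mar 22 16:37:57  exA-1 last message repeated 2 times
"""

TS = r"\w{3} +\d+ [\d:]+"  # BSD syslog timestamp, e.g. "Mar 22 16:33:54"
DROP_RE = re.compile(
    rf"^(?P<ts>{TS})\s+(?P<host>\S+) eswd\[\d+\]: ESWD_VMEMBER_MAC_LIMIT_DROP: "
    r"vlan (?P<vlan>\S+) mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \(tag (?P<tag>\d+)\) "
    r"interface (?P<ifname>\S+), per port per vlan limit exceeded$"
)
REPEAT_RE = re.compile(rf"^{TS}\s+\S+ last message repeated (?P<n>\d+) times$")


def parse_drops(text):
    """Return one dict per drop event: ts, host, vlan, mac, tag, ifname, count."""
    events = []
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["count"] = 1
            events.append(ev)
            continue
        r = REPEAT_RE.match(line)
        if r and events:  # the repeat line refers to the previous message
            events[-1]["count"] += int(r.group("n"))
    return events


def drops_per_port_vlan(events):
    """Aggregate dropped-frame counts per (host, interface, vlan name, tag)."""
    totals = Counter()
    for ev in events:
        totals[(ev["host"], ev["ifname"], ev["vlan"], ev["tag"])] += ev["count"]
    return totals


def ports_over_threshold(totals, threshold):
    """(host, interface, vlan, tag) keys whose drop count reached the threshold."""
    return sorted(k for k, n in totals.items() if n >= threshold)
```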



Recognized Expert
Posts: 449
Registered: ‎02-13-2011
0 Kudos

Re: VLAN membership MAC limit

Thanks for the input. Now it makes a lot of sense why the VLAN portion is included.