Mac Limit

This scenario shows how to set a MAC learning limit on the bridge port.

../../../../_images/maclimit.svg

Test MAC Limit

Description

Verify that a MAC learning limit can be set on an interface attached to a bridge and that the limit is enforced.

Scenario

Step 1: Set the following configuration in DUT0 :

set interfaces bridge br0
set interfaces ethernet eth0 bridge-group bridge br0
set interfaces ethernet eth1 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1 :

set interfaces ethernet eth0 address 192.168.1.2/24
set interfaces ethernet eth0 vrf A
set interfaces ethernet eth1 address 192.168.1.3/24
set interfaces ethernet eth1 vrf B
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf A
set system vrf B

Step 3: Set the following configuration in DUT2 :

set interfaces ethernet eth1 address 192.168.1.4/24
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Verify initial connectivity works on both paths before
applying the MAC limit.

Step 4: Ping the IP address 192.168.1.4 from DUT1:

admin@DUT1$ ping 192.168.1.4 vrf A count 1 size 56 timeout 1
Show output
ping: Warning: source address might be selected on device other than: A
PING 192.168.1.4 (192.168.1.4) from 192.168.1.2 A: 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=64 time=1.24 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.244/1.244/1.244/0.000 ms

Step 5: Ping the IP address 192.168.1.2 from DUT1:

admin@DUT1$ ping 192.168.1.2 vrf B count 1 size 56 timeout 1
Show output
ping: Warning: source address might be selected on device other than: B
PING 192.168.1.2 (192.168.1.2) from 192.168.1.3 B: 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.420 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.420/0.420/0.420/0.000 ms

Step 6: Ping the IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1
Show output
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.434 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.434/0.434/0.434/0.000 ms

Disable the interface that should fail, then set the MAC
learning limit to 1. Only the first learned MAC address
will be allowed on the bridge port.

Step 7: Modify the following configuration lines in DUT2 :

set interfaces ethernet eth1 disable

Step 8: Modify the following configuration lines in DUT0 :

set interfaces ethernet eth1 bridge-group mac-limit 1

Verify that the first path keeps connectivity while the
second path is blocked by the MAC limit.

Step 9: Ping the IP address 192.168.1.2 from DUT1:

admin@DUT1$ ping 192.168.1.2 vrf B count 1 size 56 timeout 1
Show output
ping: Warning: source address might be selected on device other than: B
PING 192.168.1.2 (192.168.1.2) from 192.168.1.3 B: 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.01 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.012/1.012/1.012/0.000 ms

Re-enable the interface and verify that connectivity still
fails due to MAC limit enforcement.

Step 10: Modify the following configuration lines in DUT2 :

delete interfaces ethernet eth1 disable

Step 11: Expect a failure in the following command: Ping the IP address 192.168.1.4 from DUT1:

admin@DUT1$ ping 192.168.1.4 vrf A count 1 size 56 timeout 1
Show output
ping: Warning: source address might be selected on device other than: A
PING 192.168.1.4 (192.168.1.4) from 192.168.1.2 A: 56(84) bytes of data.

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Verify that the MAC learning table shows 100% usage,
confirming the limit is enforced.

Step 12: Run the command interfaces bridge br0 show mac-learning on DUT0 and check whether the output matches the following regular expressions:

(br0)\s+(eth1)\s+\d+\s+\d+\s+100\.0%
Show output
Note: Only showing ports with mac-limit configured.

------------------------------------------------------------------------
bridge  port  sw learn  sw limit  sw usage  hw learn  hw limit  hw usage
------------------------------------------------------------------------
br0     eth1         1         1    100.0%         -         -         -

Additional verification pinging in the reverse direction
to confirm connectivity is truly blocked in both directions.

Step 13: Expect a failure in the following command: Ping the IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1
Show output
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Step 14: Ping the IP address 192.168.1.3 from DUT2:

admin@DUT2$ ping 192.168.1.3 count 1 size 56 timeout 1
Show output
PING 192.168.1.3 (192.168.1.3) 56(84) bytes of data.
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.288 ms

--- 192.168.1.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.288/0.288/0.288/0.000 ms