interface-mac-limit does not work in 18.4R1?

  • 1.  interface-mac-limit does not work in 18.4R1?

    Posted 04-13-2019 07:44

    Hello!

    On our QFX5100 boxes we're using the following SP-style configuration to limit max. MAC addresses on interface:

    minotaur@asw1-sp.ki# show vlans PUBLIC switch-options interface xe-0/0/0.777
    interface-mac-limit {
        1;
        packet-action drop-and-log;
    }
    static-mac a0:36:9f:73:0f:02;
    no-mac-learning;

    It works fine on 17.2R3.4 and 17.4R1-S3.3. But support in 18.4R1.8 looks broken:

    minotaur@asw3-sp.ki# show vlans PUBLIC
    ##
    ## Warning: Interface mac limit should not be configured at VLAN level for sub interfaces
    ##
    interface xe-0/0/47.777;
    interface ae0.777;
    switch-options {
        interface xe-0/0/47.777 {
            interface-mac-limit {
                1;
                packet-action drop-and-log;
            }
        }
    }

    I was not able to find any other place to configure MAC limiting. Any ideas are kindly appreciated! Thanks!



  • 2.  RE: interface-mac-limit does not work in 18.4R1?

     
    Posted 04-15-2019 03:52

    Hi Ashm,

     

    This seems to be a limitation for SP style configuration that applies for all QFX NG (QFX5k and QFX10k) and EX NG (EX43XX, EX 92XX) i.e. configuring MAC limit at IFBD level (specific IFBD & VLAN level) is not recommended for sub-interfaces i.e. SP style configured ports. For Enterprise style configured interfaces, mac limit should be supported at all levels. Please try that and confirm. i.e.:

     

    There are two levels of mac limit - IFL level limit & IFBD (interface bridge-domain) level limit. A sub-interface can have only one IFBD per IFL. So, IFBD & IFL is one and the same for sub-interfaces. To avoid issues when config is done at both levels, only IFL level mac limiting for sub-interfaces is allowed in EX NG & QFX NG platforms.

     

    IFL:
    set switch-options interface <> interface-mac-limit <> packet-action <>     ---------> Allowed

    IFBD (at VLAN level) :
    set vlans <> switch-options <> interface-mac-limit <> packet-action <> ---> commit error or allowed, but with warning message.

    This is because a VLAN can have both SP style & enterprise style interface config.  And we know that  both IFL level & IFBD level mac limit config are supported for Enterprise style configured interfaces.

     

    Please do check with TAC if you need any other confirmation or rationale and mark the post so others could benefit too.

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).



  • 3.  RE: interface-mac-limit does not work in 18.4R1?

    Posted 04-15-2019 04:22

    Hello Mriyaz,

    What I'm seeing now is that this limitation has been introduced expressly between 18.1R3 and 18.4R1, because in 18.1R3 the feature still works:

    {master:0}[edit]
    minotaur@asw3-sp.ki# run show version 
    fpc0:
    --------------------------------------------------------------------------
    Hostname: asw3-sp.ki
    Model: qfx5100-48s-6q
    Junos: 18.1R3-S4.2
    JUNOS Base OS boot [18.1R3-S4.2]
    JUNOS Base OS Software Suite [18.1R3-S4.2]
    JUNOS Crypto Software Suite [18.1R3-S4.2]
    JUNOS Crypto Software Suite [18.1R3-S4.2]
    JUNOS Online Documentation [18.1R3-S4.2]
    JUNOS Kernel Software Suite [18.1R3-S4.2]
    JUNOS Packet Forwarding Engine Support (qfx-ex-x86-32) [18.1R3-S4.2]
    JUNOS Routing Software Suite [18.1R3-S4.2]
    JUNOS jsd [i386-18.1R3-S4.2-jet-1]
    JUNOS SDN Software Suite [18.1R3-S4.2]
    JUNOS Enterprise Software Suite [18.1R3-S4.2]
    JUNOS Web Management Platform Package [18.1R3-S4.2]
    JUNOS py-base-i386 [18.1R3-S4.2]
    JUNOS py-extensions-i386 [18.1R3-S4.2]
    JUNOS Host Software [17.4R2.4]
    Junos for Automation Enhancement
    
    {master:0}[edit]
    minotaur@asw3-sp.ki# set vlans PUBLIC switch-options interface xe-0/0/47.777 interface-mac-limit 1 packet-action drop-and-log 
    
    {master:0}[edit]
    minotaur@asw3-sp.ki# show | compare                                                                                              
    [edit vlans PUBLIC]
    +    switch-options {
    +        interface xe-0/0/47.777 {
    +            interface-mac-limit {
    +                1;
    +                packet-action drop-and-log;
    +            }
    +        }
    +    }
    
    {master:0}[edit]
    minotaur@asw3-sp.ki# commit 
    configuration check succeeds
    commit complete
    

    Our environment requires SP-style configuration and it cannot be replaced with ENT-style. If you're sure that it is not a regression then of course I'll push JTAC to get more explanation.
    Thanks.



  • 4.  RE: interface-mac-limit does not work in 18.4R1?

     
    Posted 04-15-2019 04:33
    @Ashm,

    Please validate enterprise style worked for you on the same code 18.4R1 (just for test). I'm pretty sure this is intended behavior with that commit error/warning.

    Hope this helps.

    Regards,
    -r.



  • 5.  RE: interface-mac-limit does not work in 18.4R1?

    Posted 04-15-2019 04:50

    I really don't understand how it's possible to convert the following configuration to ENT-style:

    {master:0}[edit]
    minotaur@asw3-sp.ki# show interfaces xe-0/0/47 
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 700 {
        encapsulation vlan-bridge;
        vlan-id 700;
    }
    unit 777 {
        encapsulation vlan-bridge;
        vlan-id 777;
    }
    
    {master:0}[edit]
    minotaur@asw3-sp.ki# show vlans PUBLIC 
    interface xe-0/0/47.777;
    interface ae0.777;
    interface xe-0/0/47.700;
    switch-options {
        interface xe-0/0/47.777 {
            interface-mac-limit {
                1;
                packet-action drop-and-log;
            }
        }
    }
    no-arp-suppression;
    vxlan {
        vni 777;
        ingress-node-replication;
    }
    

    Please pay attention to the lines marked in bold.



  • 6.  RE: interface-mac-limit does not work in 18.4R1?

     
    Posted 04-15-2019 06:14

    Hi Ashm,

     

    SP style (sub interfaces)
    --------------------------
    set vlans <> interface <ifl>
    set interfaces <> unit <> vlan-id

     

    Enterprise style :
    ----------------
    set vlans <> vlan-id <>
    set interfaces <> unit 0 family <> vlan members <vlan-id/name>

     

    Try:
    delete vlans PUBLIC interface xe-0/0/47.777
    delete vlans PUBLIC interface xe-0/0/47.700
    delete vlans PUBLIC switch-options
    set vlans PUBLIC vlan-id <>
    set interfaces xe-0/0/47 unit 700 family ethernet-switching
    set interfaces xe-0/0/47 unit 777 family ethernet-switching
    set switch-options interface xe-0/0/47.777 interface-mac-limit 1 packet-action drop-and-log
    set switch-options interface xe-0/0/47.700 interface-mac-limit 1 packet-action drop-and-log

     

    Keep the rest of the interface config for flexible-vlan-tagging etc. as it is.

     

    Hope this helps.

    Regards,
    -r.




  • 7.  RE: interface-mac-limit does not work in 18.4R1?

    Posted 04-15-2019 06:29

    How will two sub-interfaces on xe-0/0/47 interoperate with set vlans PUBLIC vlan-id <> ?

    It is possible to set only one VLAN ID with the 'set vlans ... vlan-id' command.

    Moreover, ENT-style requires adding VLANs with the 'vlan members [ ... ]' command on the interface under 'family ethernet-switching'.
    I have no idea how I can add two VLAN IDs on the same physical interface to the same VLAN with a method different from sp-style.



  • 8.  RE: interface-mac-limit does not work in 18.4R1?
    Best Answer

     
    Posted 04-15-2019 07:01

    Hi Ashm,

     

    Just taking a step back, it's OK to use SP style, but please use the interface-mac-limit at the IFL level and "not" at the vlan level. I have also tried to answer inline in case these questions remain with you for later.

     

    @Ashm wrote:

    How two sub-interfaces on xe-0/0/47 will interoperate with set vlans PUBLIC vlan-id <> ?

    [Ans] I'm sorry this may not apply in this case as we already have a VLAN applied at interface level.  
    Else we could have done.  The "set interfaces xe-0/0/47 unit 700 vlan-id 700" can still be used to enterprise style.  Or we can also use:
    set interfaces xe-0/0/47 unit 700 family ethernet-switching interface-mode trunk vlan members 700

     

    Refer: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/switches-interface-flexible.html#jd0e46


    It is possible to set only one VLAN ID with 'set vlans ... vlan-id' command.
    [Ans] Yes.

    Moreover, ENT-style requires to add VLANs with 'vlan members [ ... ]' command on interface under 'family ethernet-switching'.
    I have no idea how can I add two VLAN IDs on same physical interface to same VLAN with method different than sp-style.

    [Ans] In this configuration you can do:

    set interfaces <> unit <> family ethernet-switching vlan members vlan-id

     

    Re-iterating, the idea is not to force changing the SP style to Enterprise, but where you can use the mac-limit.

     

    Hope this helps.

     

    Regards,
    -r.




  • 9.  RE: interface-mac-limit does not work in 18.4R1?

    Posted 04-15-2019 07:32

    Thank you for clues about interface-mac-limit. It looks fine now, under global 'switch-options'.

    But suggested change to ent-style:

    minotaur@asw3-sp.ki# show | compare 
    [edit interfaces xe-0/0/47 unit 700 family ethernet-switching]
    +       vlan {
    +           members PUBLIC;
    +       }
    [edit interfaces xe-0/0/47 unit 777 family ethernet-switching]
    +       vlan {
    +           members PUBLIC;
    +       }
    [edit vlans PUBLIC]
    -    interface xe-0/0/47.777;
    -    interface xe-0/0/47.700;
    

    does not work:

    [edit interfaces xe-0/0/47 unit 700 family ethernet-switching vlan members]
    'PUBLIC'
    Two ifl of same ifd cannot be in same vlan under ethernet-switching
    [edit interfaces xe-0/0/47 unit 777 family ethernet-switching vlan members]
    'PUBLIC'
    Two ifl of same ifd cannot be in same vlan under ethernet-switching
    [edit vlans PUBLIC]
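
The move described in the best answer, from `set vlans <> switch-options interface <> interface-mac-limit` to the global `set switch-options interface <> interface-mac-limit`, can be checked for before an upgrade. The following is an added example, not part of the thread and not Juniper tooling; it assumes the configuration was exported with `show configuration | display set`, and the sample lines (including the OFFICE VLAN and ge-0/0/5.0) are constructed.

```python
import re

# SP-style membership as described in the thread: "set vlans <vlan> interface <ifl>"
MEMBER = re.compile(r"^set vlans (\S+) interface (\S+)$")
# VLAN-level (IFBD) limit; the value and packet-action may sit on one line or two
LIMIT = re.compile(
    r"^set vlans (\S+) switch-options interface (\S+) interface-mac-limit (.+)$")


def relocate_mac_limits(set_lines):
    """Return Junos commands that move VLAN-level MAC limits on SP-style
    sub-interfaces to the global (IFL-level) switch-options hierarchy."""
    lines = [ln.strip() for ln in set_lines if ln.strip()]
    sp_members = {m.groups() for m in map(MEMBER.match, lines) if m}
    deletes, sets = [], []
    for ln in lines:
        m = LIMIT.match(ln)
        if not m:
            continue
        vlan, ifl, rest = m.groups()
        if (vlan, ifl) not in sp_members:
            continue  # enterprise-style member: VLAN-level limit is left alone
        d = f"delete vlans {vlan} switch-options interface {ifl} interface-mac-limit"
        if d not in deletes:
            deletes.append(d)
        sets.append(f"set switch-options interface {ifl} interface-mac-limit {rest}")
    return deletes + sets


# Constructed sample in "display set" form, modelled on the configs quoted in the thread
SAMPLE = """\
set vlans PUBLIC interface xe-0/0/47.777
set vlans PUBLIC interface ae0.777
set vlans PUBLIC switch-options interface xe-0/0/47.777 interface-mac-limit 1
set vlans PUBLIC switch-options interface xe-0/0/47.777 interface-mac-limit packet-action drop-and-log
set vlans OFFICE vlan-id 20
set vlans OFFICE switch-options interface ge-0/0/5.0 interface-mac-limit 4
""".splitlines()

if __name__ == "__main__":
    print("\n".join(relocate_mac_limits(SAMPLE)))
```

Review the generated commands with `show | compare` before committing, since the limit value and packet action are copied verbatim from the VLAN-level statements.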


  • 10.  RE: interface-mac-limit does not work in 18.4R1?

    Posted 08-05-2019 06:26

    Hello

    I have the same problem with provider configuration on Model: ex2300-c-12t

    Now we are using JUNOS 18.3R1-S1.4 and everything is OK there, but when I upgraded to 18.3R2-S1 or 19.xx it failed. Can somebody help me? I cannot go ahead without the upgrade. We need to fix some bugs.

    We use "provider style" because we need Q-in-Q (push/pop) and port-security.

    See the configuration below.

    Thank you for an answer or solution!!

     

    root@TEST-LAB-CPE# commit
    [edit vlans V100 interface]
    'ge-0/0/0.100'
    Interface mac limit should not be configured at VLAN level for sub interfaces
    error: commit failed: (statements constraint check failed)

    -----------------------------------------

     

    show interfaces ge-0/0/0
    flexible-vlan-tagging;
    mtu 9200;
    encapsulation extended-vlan-bridge;
    unit 100 {
        vlan-id-list 1-4094;
        input-vlan-map push;
        output-vlan-map pop;
    }

    show interfaces ge-0/1/1
    flexible-vlan-tagging;
    mtu 9200;
    encapsulation extended-vlan-bridge;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members [ 500 503 1110 ];
            }
        }
    }
    unit 100 {
        vlan-id 100;
    }

    show vlans
    V100 {
        ##
        ## Warning: Interface mac limit should not be configured at VLAN level for sub interfaces
        ##
        interface ge-0/0/0.100;
        interface ge-0/1/1.100;
        switch-options {
            interface ge-0/0/0.100 {
                interface-mac-limit {
                    200;
                }
            }
        }
    }