[j-nsp] Issues on QFX5130 setting mac-limit on interface/VLAN?
Bryan Fields
Bryan at bryanfields.net
Wed Jan 21 11:28:11 EST 2026
I’m running a QFX5130 in a mac-vrf EVPN-VXLAN. I need to limit MACs on the
interfaces and on the VLANs themselves. This is normal to prevent a
misconfiguration of a customer from overloading the routing table. I’m
running one EVPN instance with each customer in it restricted to a VLAN, and
each VLAN having a limit of 50 MACs.
system {
    packet-forwarding-options {
        forwarding-profile {
            lpm-profile;
        }
    }
    processes {
        nlsd enable;
    }
}
routing-instances {
    MAC-VRF {
        instance-type mac-vrf;
        protocols {
            evpn {
                ##
                ## Warning: configuration block ignored: unsupported platform (qfx5130-48c)
                ##
                ##
                ## Warning: interface-mac-limit needs to be specified under switch-options for a virtual-switch or mac-vrf instance
                ##
                interface-mac-limit {
                    40;
                    packet-action drop;
                }
                encapsulation vxlan;
                extended-vni-list all;
            }
        }
        vtep-source-interface lo0.0 inet6;
        switch-options {
            mac-ip-table-size {
                16;
            }
            ##
            ## Warning: configuration block ignored: unsupported platform (qfx5130-48c)
            ##
            interface-mac-limit {
                16;
                packet-action drop;
            }
            interface ae0.0 {
                ##
                ## Warning: configuration block ignored: unsupported platform (qfx5130-48c)
                ##
                interface-mac-limit {
                    10;
                    packet-action drop;
                }
                persistent-learning;
            }
        }
        service-type vlan-aware;
        interface et-0/0/17.0;
        interface ae0.0;
        route-distinguisher 100.64.184.224:5000;
        vrf-target target:62475:5000;
        vlans {
            TEST-LAN {
                vlan-id 10;
                l3-interface irb.10;
                forwarding-options {
                    filter {
                        input ETHER-EVPN; ## reference 'ETHER-EVPN' not found
                    }
                }
                switch-options {
                    mac-ip-table-size {
                        16;
                    }
                    mac-statistics;
                }
                vxlan {
                    vni 500010;
                }
            }
        }
    }
}
Things that work:
- Setting persistent learning (of little use if you can't set a limit..)
- Setting a filter
- Setting interface-mac-ip-limit
Things that don’t work:
- setting “interface-mac-limit”
I’ve followed the docs on this here and it works. I’ve tried it on a QFX5100
and it works as expected.
https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/configuring-mac-limiting.html
Sticky MAC which works:
https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/understanding_and_using_persistent_mac_learning.html
Reviewing the feature on Juniper Feature Explorer:
https://apps.juniper.net/feature-explorer/feature/7368?fn=MAC%20limit,%20MAC%20move%20limit,%20and%20persistent%20MAC%20learning%20with%20EVPN-VXLAN
This says that I need Junos OS Evolved 24.4R1 or Junos OS Evolved 23.4R1, and
I’ve tried both 23.4R2 and 24.4R1.
bd at QFX7# run show version
Hostname: QFX7
Model: qfx5130-48c
Junos: 24.4R1-S2.8-EVO
Yocto: 4.0.20
Linux Kernel: 5.15.142-10.22.33.14-yocto-standard-juniper-12583-g6c6fc3aaaea8
JUNOS-EVO OS 64-bit [junos-evo-install-qfx-ms-x86-64-24.4R1-S2.8-EVO]
Trying to set this at the switch level gives that it’s not found, but I can
set it and it complains in the config that it’s not supported. I’ve tried to do
the same at the default routing instance level and have the same results.
bd at QFX7# set routing-instances MAC-VRF switch-options mac-
                                                            ^
'mac-' is ambiguous.
Possible completions:
> mac-ip-table-size    Size of MAC+IP bindings table
> mac-move-limit       Number of MAC movements allowed on this VLAN
> mac-notification     MAC notification options
[edit]
I’ve tried the same on a QFX5100 and it works just fine.
bd at QFX5100# set switch-options interface et-0/0/48 interface-mac-limit 16 packet-action drop-and-log
I do have the mac-ip-table-size, but that's for MAC to IP mappings, not MACs.
Setting this has no effect in testing.
I suppose I could limit the type 2 routes in BGP for this, but that’s not
perfect and will cause problems. It’s also not per VLAN, but per routing
instance.
I thought this may be related to the PFE profile, and tried to modify that,
but that had no effect. This seems like a very basic thing to implement, which
every switch has had since Juniper moved off of Foundry.
--
Bryan Fields
727-409-1194 - Voice
http://bryanfields.net
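The failure mode in the post is that the commit succeeds and the limit only shows up as a "## Warning: configuration block ignored" annotation in the configuration, so an operator who does not read the whole config can believe a MAC limit is enforced when it is not. The script below is an added example, not code from the post or from Juniper: it parses the text that `show configuration` prints (the curly-brace hierarchy plus `##` annotation lines, in the same form as the config quoted above), reports every statement that is annotated as ignored or as an unresolved reference with its full hierarchy path, treats statements nested inside an ignored block as ignored too, and answers the one question that matters here: is any interface-mac-limit actually in effect? The sample configuration is the post's own routing-instance config, trimmed and embedded inline; the function and class names are this example's own.

```python
"""Find Junos configuration statements the platform accepted but ignores.

Added example (not from the original post). Parses `show configuration`
text: brace hierarchy plus "## Warning: ..." annotation lines that Junos
prints above the statement they apply to, or inline after it.
"""
import re
from dataclasses import dataclass, field

IGNORE_MARKERS = ("configuration block ignored", "not found")
ANNOTATION_RE = re.compile(r"^##\s*(.*\S)\s*$")  # no match for a bare "##" line


@dataclass
class Statement:
    path: str                  # e.g. "routing-instances MAC-VRF switch-options interface-mac-limit"
    warnings: list = field(default_factory=list)
    ignored: bool = False      # annotated as ignored, or nested inside an ignored block


def parse_config(config_text: str) -> list:
    stack = []       # (hierarchy name, block is ignored) for each open block
    pending = []     # annotation lines waiting for the next statement
    statements = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("##"):
            m = ANNOTATION_RE.match(line)
            if m:
                pending.append(m.group(1))
            continue
        warnings, pending = pending, []
        if "##" in line:  # inline form: "input ETHER-EVPN; ## reference 'ETHER-EVPN' not found"
            line, _, note = line.partition("##")
            line = line.strip()
            warnings = warnings + [note.strip()]
        if line == "}":
            if stack:
                stack.pop()
            continue
        opens_block = line.endswith("{")
        name = line[:-1].strip() if opens_block else line.rstrip(";").strip()
        ignored = any(ign for _, ign in stack) or any(
            marker in w for w in warnings for marker in IGNORE_MARKERS)
        path = " ".join([n for n, _ in stack] + [name])
        statements.append(Statement(path, warnings, ignored))
        if opens_block:
            stack.append((name, ignored))
    return statements


def ignored_statements(config_text: str) -> list:
    return [s for s in parse_config(config_text) if s.ignored]


def mac_limit_in_effect(config_text: str) -> bool:
    """True only if some interface-mac-limit statement exists and is not ignored."""
    return any(s.path.split()[-1] == "interface-mac-limit" and not s.ignored
               for s in parse_config(config_text))


# Constructed sample: the post's routing-instance config, trimmed.
SAMPLE_CONFIG = """\
routing-instances {
    MAC-VRF {
        instance-type mac-vrf;
        protocols {
            evpn {
                ##
                ## Warning: configuration block ignored: unsupported platform (qfx5130-48c)
                ##
                interface-mac-limit {
                    40;
                    packet-action drop;
                }
                encapsulation vxlan;
            }
        }
        switch-options {
            ##
            ## Warning: configuration block ignored: unsupported platform (qfx5130-48c)
            ##
            interface-mac-limit {
                16;
                packet-action drop;
            }
            interface ae0.0 {
                persistent-learning;
            }
        }
        vlans {
            TEST-LAN {
                forwarding-options {
                    filter {
                        input ETHER-EVPN; ## reference 'ETHER-EVPN' not found
                    }
                }
            }
        }
    }
}
"""

if __name__ == "__main__":
    for s in ignored_statements(SAMPLE_CONFIG):
        print("IGNORED ", s.path)
    print("interface-mac-limit in effect:", mac_limit_in_effect(SAMPLE_CONFIG))
```

Run against the post's config it lists seven ignored statements (both interface-mac-limit blocks with their children, plus the dangling ETHER-EVPN filter reference) and reports that no MAC limit is in effect; fed the QFX5100 config from the post, where no warning is attached, it reports the limit as in effect. Feeding it the output of `show configuration` after every commit turns the silent "unsupported platform" annotation into a check that can fail.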