What will a switch compare in its MAC table to be able to forward a frame?

Understanding Layer 2 Forwarding Tables on Switches, Routers and NFX Series Devices

You can configure Layer 2 MAC address and VLAN learning and forwarding properties in support of Layer 2 bridging. Unicast media access control (MAC) addresses are learned so that a frame for a known destination can be forwarded out the single port behind which that destination was seen, instead of being flooded to all the ports in the VLAN.

When you configure a VLAN, Layer 2 address learning is enabled by default. Each VLAN creates a source MAC entry in its source and destination MAC tables for each source MAC address learned from packets received on the ports that belong to the VLAN. To forward a later frame, the switch compares the frame's destination MAC address with the entries in that table: a match yields the egress port on which the address was learned, and a miss means the frame is flooded.

Note:

Traffic is not flooded back onto the interface on which it was received. However, because this "split horizon" check occurs at a late stage in the forwarding path, the packet statistics displayed by show commands will still include flood traffic.

You can optionally disable MAC learning either for the entire device or for a specific VLAN or logical interface. You can also configure the following Layer 2 learning and forwarding properties:

  • Timeout interval for MAC entries

  • Static MAC entries for logical interfaces only

  • Limit to the number of MAC addresses learned from a specific logical interface or from all the logical interfaces in a VLAN

  • Size of the MAC address table for the VLAN

  • MAC accounting for a VLAN
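The following is an added example, not code from Juniper or from this page: a software model of the learning and forwarding properties listed above. Each VLAN keeps its own MAC table; entries are learned from source MACs, age out after the timeout interval, can be pinned as static entries, and dynamic learning is capped per interface and by the table size. Unknown-unicast, broadcast and multicast frames are flooded to every port in the VLAN except the ingress port (split horizon). Port names and MAC addresses are constructed for the example.

```python
"""Added example (not Juniper's code): a model of per-VLAN MAC learning,
aging, static entries, per-interface learning limits and split-horizon
flooding.  All port names and MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast MACs (I/G bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class MacEntry:
    port: str
    learned_at: float
    static: bool = False


@dataclass
class Vlan:
    vlan_id: int
    ports: Set[str]
    mac_age: float = 300.0                 # timeout interval for dynamic entries (seconds)
    per_port_limit: Optional[int] = None   # max dynamic MACs learned per interface
    table_size: int = 1024                 # size of this VLAN's MAC table
    learning: bool = True                  # MAC learning can be disabled per VLAN
    table: Dict[str, MacEntry] = field(default_factory=dict)

    def add_static(self, mac: str, port: str) -> None:
        """Static entries never age out and are not moved by learning."""
        self.table[mac] = MacEntry(port, 0.0, static=True)

    def _expire(self, now: float) -> None:
        stale = [m for m, e in self.table.items()
                 if not e.static and now - e.learned_at > self.mac_age]
        for mac in stale:
            del self.table[mac]

    def _learn(self, src: str, port: str, now: float) -> None:
        if not self.learning or is_group_address(src):
            return                          # group addresses are never valid sources
        entry = self.table.get(src)
        if entry is not None:
            if not entry.static:            # refresh the timer and follow a station move
                entry.port, entry.learned_at = port, now
            return
        dynamic_on_port = sum(1 for e in self.table.values()
                              if e.port == port and not e.static)
        if self.per_port_limit is not None and dynamic_on_port >= self.per_port_limit:
            return                          # limit reached: frame is forwarded but not learned
        if len(self.table) >= self.table_size:
            return                          # table full: same treatment
        self.table[src] = MacEntry(port, now)

    def forward(self, in_port: str, src: str, dst: str, now: float) -> List[str]:
        """Return the egress ports for a frame received on in_port."""
        if in_port not in self.ports:
            return []
        self._expire(now)
        self._learn(src, in_port, now)
        entry = self.table.get(dst)
        if entry is None or is_group_address(dst):
            # unknown unicast, broadcast or multicast: flood, minus the ingress port
            return sorted(self.ports - {in_port})
        if entry.port == in_port:
            return []                       # destination sits behind the ingress port: drop
        return [entry.port]
```

The per-port limit and the table-size cap both fail open on the forwarding side: a frame whose source cannot be learned is still forwarded, it just keeps being flooded as an unknown destination later, which is exactly the behaviour a learning limit is meant to bound.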

Understanding Layer 2 Forwarding Tables on Security Devices

The SRX Series device maintains forwarding tables that contain MAC addresses and associated interfaces for each Layer 2 VLAN. When a packet arrives with a new source MAC address in its frame header, the device adds the MAC address to its forwarding table and tracks the interface at which the packet arrived. The table also contains the corresponding interface through which the device can forward traffic for a particular MAC address.

If the destination MAC address of a packet is unknown to the device (that is, the destination MAC address in the packet does not have an entry in the forwarding table), the device duplicates the packet and floods it on all interfaces in the VLAN other than the interface on which the packet arrived. This is known as packet flooding and is the default behavior for the device to determine the outgoing interface for an unknown destination MAC address. Packet flooding is performed at two levels: packets are flooded to different zones as permitted by configured Layer 2 security policies, and packets are also flooded to different interfaces with the same VLAN identifier within the same zone. The device learns the forwarding interface for the MAC address when a reply with that MAC address arrives at one of its interfaces.

You can specify that the SRX Series device use ARP queries and traceroute requests (which are ICMP echo requests with the time-to-live value set to 1) instead of packet flooding to locate an unknown destination MAC address. This method is considered more secure than packet flooding because the device floods ARP queries and traceroute packets, not the initial packet, on all interfaces. When ARP or traceroute flooding is used, the original packet is dropped. The device broadcasts an ARP or ICMP query to all other devices on the same subnetwork, requesting the device at the specified destination IP address to send back a reply. Only the device with the specified IP address replies, which provides the requestor with the MAC address of the responder.

ARP allows the device to discover the destination MAC address for a unicast packet if the destination IP address is in the same subnetwork as the ingress IP address. (The ingress IP address refers to the IP address of the last device to send the packet to the device. That device might be the source that sent the packet or a router forwarding the packet.) Traceroute allows the device to discover the destination MAC address even if the destination IP address belongs to a device in a subnetwork beyond that of the ingress IP address.

When you enable ARP queries to locate an unknown destination MAC address, traceroute requests are also enabled. You can also optionally specify that traceroute requests not be used; however, the device can then discover destination MAC addresses for unicast packets only if the destination IP address is in the same subnetwork as the ingress IP address.

Whether you enable ARP queries and traceroute requests or ARP-only queries to locate unknown destination MAC addresses, the SRX Series device performs the following series of actions:

  1. The device notes the destination MAC address in the initial packet. The device adds the source MAC address and its corresponding interface to its forwarding table, if they are not already there.

  2. The device drops the initial packet.

  3. The device generates an ARP query packet and optionally a traceroute packet and floods those packets out all interfaces except the interface on which the initial packet arrived.

    ARP packets are sent out with the following field values:

    • Source IP address set to the IP address of the IRB

    • Destination IP address set to the destination IP address of the original packet

    • Source MAC address set to the MAC address of the IRB

    • Destination MAC address set to the broadcast MAC address (all ones, ff:ff:ff:ff:ff:ff)

    Traceroute (ICMP echo request, or ping) packets are sent out with the following field values:

    • Source IP address set to the source IP address of the original packet

    • Destination IP address set to the destination IP address of the original packet

    • Source MAC address set to the source MAC address of the original packet

    • Destination MAC address set to the destination MAC address of the original packet

    • Time-to-live (TTL) set to 1

  4. Combining the destination MAC address from the initial packet with the interface leading to that MAC address, the device adds a new entry to its forwarding table.

  5. The device forwards all subsequent packets it receives for the destination MAC address out the correct interface to the destination.
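The following is an added example, not code from Juniper or from this page: a model of steps 1 through 5 above. On an unknown destination MAC the initial packet is dropped and, in place of flooding it, an ARP query and (when enabled) an ICMP echo request with TTL 1 are built with the field values listed above and flooded out every interface except the ingress one; the reply carrying that MAC teaches the device the egress interface. Packets are plain dicts, the "same subnetwork" test is taken against the IRB's own prefix (an assumption), and all addresses are constructed for the example.

```python
"""Added example (not Juniper's code): ARP / traceroute discovery of an
unknown destination MAC in place of flooding the original packet.  The IRB
prefix stands in for the 'same subnetwork' test (assumption); all addresses
are constructed."""
import ipaddress
from typing import Dict, List, Set, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class SrxL2Discovery:
    def __init__(self, interfaces, irb_ip: str, irb_mac: str, use_traceroute: bool = True):
        self.interfaces: Set[str] = set(interfaces)
        self.irb = ipaddress.ip_interface(irb_ip)        # e.g. "192.0.2.1/24"
        self.irb_mac = irb_mac
        self.use_traceroute = use_traceroute             # on by default together with ARP
        self.table: Dict[str, str] = {}                  # MAC -> interface
        self.pending: Set[str] = set()                   # destination MACs being located

    def handle(self, in_if: str, pkt: Dict) -> Tuple[str, List[Tuple[str, Dict]]]:
        """Process a unicast packet.  Returns (action, probes): action is
        'forward:<interface>' or 'drop'; probes are (egress_if, packet) pairs."""
        # Step 1: record the source MAC and the interface it arrived on.
        self.table.setdefault(pkt["src_mac"], in_if)
        dst_mac = pkt["dst_mac"]
        if dst_mac in self.table:
            # Step 5: destination already located, forward out the learned interface.
            return f"forward:{self.table[dst_mac]}", []
        # Step 2: the initial packet itself is never flooded; it is dropped.
        dst_ip = ipaddress.ip_address(pkt["dst_ip"])
        flood_ifs = sorted(self.interfaces - {in_if})
        probes: List[Tuple[str, Dict]] = []
        # Step 3a: ARP can only reach a destination on the IRB's own subnetwork.
        if dst_ip in self.irb.network:
            arp = {"type": "arp-request",
                   "src_ip": str(self.irb.ip), "dst_ip": str(dst_ip),
                   "src_mac": self.irb_mac, "dst_mac": BROADCAST_MAC}
            probes += [(i, arp) for i in flood_ifs]
        # Step 3b: the TTL-1 echo request copies the original addressing, so the
        # next hop toward an off-subnet destination answers and reveals itself.
        if self.use_traceroute:
            tr = {"type": "icmp-echo-request",
                  "src_ip": pkt["src_ip"], "dst_ip": str(dst_ip),
                  "src_mac": pkt["src_mac"], "dst_mac": dst_mac, "ttl": 1}
            probes += [(i, tr) for i in flood_ifs]
        if probes:
            self.pending.add(dst_mac)
        return "drop", probes

    def reply(self, in_if: str, reply_pkt: Dict) -> bool:
        """Step 4: a reply whose source MAC is one being located binds that MAC
        to the interface it arrived on.  Returns True if a lookup was resolved."""
        mac = reply_pkt["src_mac"]
        if mac in self.pending:
            self.pending.discard(mac)
            self.table[mac] = in_if
            return True
        self.table.setdefault(mac, in_if)     # otherwise learn it like any other source
        return False
```

With traceroute disabled, an off-subnet destination produces no probe at all: the packet is simply dropped, which is the limitation the previous paragraph describes.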

Benefits of Unified Forwarding Tables

Traditionally, forwarding tables have been statically defined and have supported only a fixed number of entries for each type of address. The unified forwarding table (UFT) provides the following benefits:

  • Enables you to allocate forwarding table resources to optimize the memory available for different address types based on the needs of your network.

  • Enables you to allocate a higher percentage of memory for one type of address or another.

Using the Unified Forwarding Table to Optimize Address Storage

On the QFX5100, EX4600, EX4650, QFX5110, QFX5200, and QFX5120 switches, you can control the allocation of forwarding table memory available to store the following:

  • MAC addresses—In a Layer 2 environment, the switch learns new MAC addresses and stores them in a MAC address table.

  • Layer 3 host entries—In a Layer 2 and Layer 3 environment, the switch learns which IP addresses are mapped to which MAC addresses; these key-value pairs are stored in the Layer 3 host table.

  • Longest prefix match (LPM) table entries—In a Layer 3 environment, the switch has a routing table, and the most specific route has an entry in the forwarding table to associate a prefix or netmask with a next hop. Note, however, that all IPv4 /32 prefixes and IPv6 /128 prefixes are stored in the Layer 3 host table.

UFT essentially combines the three distinct forwarding tables into one table with flexible resource allocation. You can select one of five forwarding table profiles that best meets your network needs. Each profile is configured with different maximum values for each type of address. For example, for a switch that handles a great deal of Layer 2 traffic, such as a virtualized network with many servers and virtual machines, you would likely choose a profile that allocates a higher percentage of memory to MAC addresses. For a switch that operates in the core of a network and participates in an IP fabric, you probably want to maximize the number of routing table entries it can store; in this case, you would choose a profile that allocates a higher percentage of memory to longest-prefix-match entries. The QFX5200 switch supports a custom profile that allows you to partition the four available shared memory banks, with a total of 128,000 entries, among MAC addresses, Layer 3 host addresses, and LPM prefixes.

Note:

Support for QFX5200 switches was introduced in Junos OS Release 15.1x53-D30. The QFX5200 switch is not supported on Junos OS Release 16.1R1.

Understanding the Allocation of MAC Addresses and Host Addresses

All five profiles are supported on each of these switches, and each profile allocates a different amount of memory to Layer 2 or Layer 3 entries, so you can choose the one that best suits the needs of your network. The QFX5200 and QFX5210 switches, however, support different maximum values for each profile than the other switches do. The custom profile is described separately.

Note:

The default profile is l2-profile-three, which allocates roughly equal space for MAC addresses and Layer 3 host addresses. On QFX5100, EX4600, QFX5110, and QFX5200 switches, the LPM table space for the profiles other than lpm-profile is equal to 16,000 IPv4 entries, and on QFX5210 switches it is equal to 32,000 IPv4 entries. For lpm-profile the LPM table size is equal to 256,000 IPv4 entries.

Note:

Starting with Junos OS Release 18.1R1 on the QFX5210-64C switch, for all of these profiles except lpm-profile, the longest prefix match (LPM) table size is equal to 32,000 IPv4 entries.

Note:

Starting with Junos OS Release 18.3R1 on the QFX5120 and EX4650 switches, for all of these profiles except lpm-profile, the longest prefix match (LPM) table size is equal to 32,000 IPv4 entries.

Note:

On QFX5100, EX4600, EX4650, QFX5110, QFX5200, QFX5120, and QFX5210-64C switches, IPv4 and IPv6 host routes with ECMP next hops are stored in the host table.

Best Practice:

If the host or LPM table stores the maximum number of entries for any given type of entry, the entire shared table is full and is unable to accommodate any entries of any other type. Different entry types occupy different amounts of memory. For example, an IPv6 unicast address occupies twice as much memory as an IPv4 unicast address, and an IPv6 multicast address occupies four times as much memory as an IPv4 unicast address.

Table 1 lists the profiles you can choose and the associated maximum values for the MAC address and host table entries on QFX5100 and EX4600 switches.

Table 1: Unified Forwarding Table Profiles on QFX5100 and EX4600 Switches

                                        MAC Table      Host Table (unicast and multicast addresses)
Profile Name                            MAC Addresses  IPv4 unicast         IPv6 unicast         IPv4 (*, G)  IPv4 (S, G)  IPv6 (*, G)  IPv6 (S, G)
l2-profile-one                          288K           16K                  8K                   8K           8K           4K           4K
l2-profile-two                          224K           80K                  40K                  40K          40K          20K          20K
l2-profile-three (default)              160K           144K                 72K                  72K          72K          36K          36K
l3-profile                              96K            208K                 104K                 104K         104K         52K          52K
lpm-profile                             32K            16K                  8K                   8K           8K           4K           4K
lpm-profile with unicast-in-lpm option  32K            (stored in LPM table) (stored in LPM table) 8K          8K           4K           4K
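The following is an added example, not code from Juniper or from this page: a capacity check for the shared MAC, host and LPM tables, using the Table 1 maxima for QFX5100 and EX4600 switches. Host-table space is counted in units of one IPv4 unicast entry: an IPv6 unicast entry costs two units and an IPv6 multicast entry four, as the best-practice note states; the IPv4 multicast cost of two units is inferred from the halving of the table's columns. LPM capacities follow the notes above (16,000 IPv4 prefixes for every profile except lpm-profile, 256,000 for lpm-profile). IPv4 /32 and IPv6 /128 routes are steered into the host table as the text requires. The inventories used are constructed for the example.

```python
"""Added example (not Juniper's code): does a planned inventory of MAC,
host and LPM entries fit a given UFT profile?  Capacities are the Table 1
values for QFX5100/EX4600; the IPv4 multicast weight is inferred from the
table (assumption); inventories are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# profile -> (MAC table max, host table max in IPv4-unicast units, LPM max in IPv4 prefixes)
QFX5100_PROFILES: Dict[str, Tuple[int, int, int]] = {
    "l2-profile-one":   (288_000,  16_000,  16_000),
    "l2-profile-two":   (224_000,  80_000,  16_000),
    "l2-profile-three": (160_000, 144_000,  16_000),   # default
    "l3-profile":       ( 96_000, 208_000,  16_000),
    "lpm-profile":      ( 32_000,  16_000, 256_000),
}
# Relative host-table cost of each entry type, in IPv4-unicast units.
UNIT_COST = {"ipv4_unicast": 1, "ipv6_unicast": 2, "ipv4_mcast": 2, "ipv6_mcast": 4}


def host_units(inv: Dict[str, int]) -> int:
    """Shared host-table consumption of an inventory, in IPv4-unicast units."""
    return sum(cost * inv.get(kind, 0) for kind, cost in UNIT_COST.items())


def fits(profile: str, inv: Dict[str, int], table=QFX5100_PROFILES) -> bool:
    """True if every table in the profile has room for the inventory.  Because
    the host table is shared, filling it with one entry type leaves no room
    for any other type."""
    mac_max, host_max, lpm_max = table[profile]
    return (inv.get("mac", 0) <= mac_max
            and host_units(inv) <= host_max
            and inv.get("lpm", 0) <= lpm_max)


def candidate_profiles(inv: Dict[str, int], table=QFX5100_PROFILES) -> List[str]:
    """All profiles, in table order, that can hold the inventory."""
    return [p for p in table if fits(p, inv, table)]


def inventory_from_routes(mac_count: int, prefixes: Iterable[str]) -> Dict[str, int]:
    """Split a route list into host-table and LPM-table demand: IPv4 /32 and
    IPv6 /128 prefixes live in the host table, everything else is an LPM entry."""
    inv = {"mac": mac_count, "ipv4_unicast": 0, "ipv6_unicast": 0, "lpm": 0}
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.prefixlen == net.max_prefixlen:
            inv["ipv4_unicast" if net.version == 4 else "ipv6_unicast"] += 1
        else:
            inv["lpm"] += 1
    return inv
```

A host table filled to its maximum by IPv4 unicast entries alone rejects even a single additional IPv6 entry, which is the failure mode the best-practice note warns about; the check makes that visible before the profile is committed.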

Table 2 lists the profiles you can choose and the associated maximum values for the MAC address and host table entries on QFX5110 switches.

Table 2: Unified Forwarding Table Profiles on QFX5110 Switches

                            MAC Table      Host Table (unicast and multicast addresses)
Profile Name                MAC Addresses  IPv4 unicast  IPv6 unicast  IPv4 (*, G)  IPv4 (S, G)  IPv6 (*, G)  IPv6 (S, G)
l2-profile-one              288K           16K           8K            8K           8K           4K           4K
l2-profile-two              224K           80K           40K           40K          40K          20K          20K
l2-profile-three (default)  160K           144K          72K           72K          72K          36K          36K
l3-profile                  96K            208K          104K          104K         104K         52K          52K

Table 3 lists the LPM table size variations for the QFX5110 switch depending on the prefix entries.

Table 3: LPM Table Size Variations on QFX5110 Switches

Profile Name    Prefix Entries (num-65-127-prefix)    IPv4 LPM