OcNOS DC : Virtual Extensible Local Area Network Guide : VxLAN - Ethernet Virtual Private Network : MAC LIMIT ENFORCEMENT AT EVI AND AC FOR EVPN-VxLAN
MAC LIMIT ENFORCEMENT AT EVI AND AC FOR EVPN-VxLAN
This chapter includes step-by-step configurations for EVPN MAC Limit Enforcement at EVI and AC for EVPN-VxLAN.
Overview
The MAC Limit feature in EVPN-VxLAN provides a mechanism to control the number of MAC addresses learned at both the Ethernet Virtual Private Network Instance (EVI) level and the Attachment Circuit (AC) level. This feature enhances network efficiency and security by preventing MAC table overflow and mitigating potential denial-of-service attacks in EVPN deployments using VxLAN as the overlay, supporting Leaf and Spine CLOS fabric.
This document outlines the topology, configuration steps, and Command Line Interface (CLI) details for implementing MAC limit enforcement in EVPN-VxLAN environments at the EVI and AC levels.
Feature Characteristics
MAC Limit Scope: Limits can be enforced at the EVI level (aggregate MACs across all ACs, BGP-learned MACs, and static MACs) or at the individual AC level (MACs learned from SERVER to LEAF).
Actions on Limit Breach: Supports logging and error-disabling for AC-level limits; only logging is supported for EVI-level limits.
Threshold Watermarks: High and low watermark thresholds trigger syslog messages when MAC counts exceed or fall below configured percentages (default high watermark: 90%).
Error Disable Recovery: Configurable recovery timer to automatically re-enable error-disabled ACs after a specified period.
Overlay Specific: The feature is tailored for VxLAN overlay in EVPN deployments.
Software-Based: When the MAC limit is reached, further MAC learning is stopped, but flooding continues.
Benefits
Prevents MAC Table Overflow: Enhances system stability in EVPN-VxLAN environments.
Granular Control: Allows MAC learning limits at both EVI and AC levels.
Monitoring Support: Provides logging for tracking and troubleshooting.
Automatic Recovery: Enables configurable timers for recovery from error-disabled states.
Enhanced Security: Limits MAC address learning to improve security in multi-tenant EVPN-VxLAN setups.
Prerequisites
Configure EVPN with VxLAN as the overlay protocol.
Interfaces should be configured as switchports with VLAN encapsulation.
Topology
The EVPN MAC Limit feature can be deployed in any standard EVPN-VxLAN topology with SERVER-LEAF connectivity.
 
VXLAN EVPN MAC limit enforcement
Configuration
The following configuration steps demonstrate how to enable and configure MAC limit enforcement on LEAF1 for EVPN-VxLAN.
EVPN prerequisite configurations:
LEAF1
1. Enable VxLAN to allow configuration of overlay services.
nvo vxlan enable
2. Configure global VTEP IP address.
nvo vxlan vtep-ip-global 1.1.1.1
3. Configure MAC VRF.
mac vrf vxlan_l2_elan_sh
description vxlan_l2_elan_sh
rd 1.1.1.1:100
route-target both 100:100
4. Configure VxLAN instance network identifier.
nvo vxlan id 50 ingress-replication inner-vid-disabled
vxlan host-reachability-protocol evpn-bgp vxlan_l2_elan_sh
5. Map each port-VLAN sub-interface to the VxLAN network identifier.
nvo vxlan access-if port-vlan xe11 50
map vnid 50
nvo vxlan access-if port-vlan xe11 51
map vnid 50
nvo vxlan access-if port-vlan xe11 52
map vnid 50
LEAF2
1. Enable VxLAN to allow configuration of overlay services.
nvo vxlan enable
2. Configure global VTEP IP address.
nvo vxlan vtep-ip-global 6.6.6.6
3. Configure MAC VRF.
mac vrf vxlan_l2_elan_sh2
description vrf vxlan_l2_elan_sh2
rd 6.6.6.6:100
route-target both 100:100
4. Configure VxLAN instance network identifier.
nvo vxlan id 50 ingress-replication inner-vid-disabled
vxlan host-reachability-protocol evpn-bgp vxlan_l2_elan_sh2
5. Map each port-VLAN sub-interface to the VxLAN network identifier.
nvo vxlan access-if port-vlan xe11 50
map vnid 50
EVPN-MAC-Limit profile configuration:
LEAF1
Configure a mac-limit profile with a learning limit, keeping the default high watermark, low watermark and action, and map it to the AC.
mac-limit-profile SH1
learning-limit 10
nvo vxlan access-if port-vlan xe11 50
map vnid 50
learning limit SH1
Configuration snapshot:
LEAF1
hostname LEAF1
!
nvo vxlan enable
!
evpn vxlan multihoming enable
!
mac vrf vxlan_l2_elan_sh
description vxlan_l2_elan_sh
rd 1.1.1.1:100
route-target both 100:100
!
nvo vxlan vtep-ip-global 1.1.1.1
!
nvo vxlan id 50 ingress-replication inner-vid-disabled
vxlan host-reachability-protocol evpn-bgp vxlan_l2_elan_sh
!
interface lo
ip address 127.0.0.1/8
ip address 1.1.1.1/32 secondary
ipv6 address ::1/128
!
interface xe1
load-interval 30
ip address 11.1.1.1/24
!
interface xe11
switchport
load-interval 30
!
router ospf 1
ospf router-id 1.1.1.1
network 1.1.1.1/32 area 0.0.0.0
network 11.1.1.0/24 area 0.0.0.0
!
router bgp 1
bgp router-id 1.1.1.1
neighbor 6.6.6.6 remote-as 1
neighbor 6.6.6.6 update-source lo
!
address-family l2vpn evpn
neighbor 6.6.6.6 activate
exit-address-family
!
exit
!
nvo vxlan access-if port-vlan xe11 50
map vnid 50
learning limit SH1
!
nvo vxlan access-if port-vlan xe11 51
map vnid 50
!
nvo vxlan access-if port-vlan xe11 52
map vnid 50
!
 
SPINE:
hostname SPINE
!
interface ce1/3
load-interval 30
ip address 11.1.1.2/24
!
interface ce1/4
load-interval 30
ip address 17.1.1.2/24
!
interface lo
ip address 127.0.0.1/8
ip address 3.3.3.3/24
ipv6 address ::1/128
!
router ospf 1
ospf router-id 3.3.3.3
network 3.3.3.3/32 area 0.0.0.0
network 11.1.1.0/24 area 0.0.0.0
network 17.1.1.0/24 area 0.0.0.0
!
 
LEAF2
hostname LEAF2
!
nvo vxlan enable
!
mac vrf vxlan_l2_elan_sh2
description vrf vxlan_l2_elan_sh2
rd 6.6.6.6:100
route-target both 100:100
!
nvo vxlan vtep-ip-global 6.6.6.6
!
nvo vxlan id 50 ingress-replication inner-vid-disabled
vxlan host-reachability-protocol evpn-bgp vxlan_l2_elan_sh2
!
interface lo
ip address 127.0.0.1/8
ip address 6.6.6.6/32 secondary
ipv6 address ::1/128
!
interface xe1
load-interval 30
ip address 17.1.1.1/24
!
interface xe11
switchport
load-interval 30
!
router ospf 1
ospf router-id 6.6.6.6
network 6.6.6.6/32 area 0.0.0.0
network 17.1.1.0/24 area 0.0.0.0
!
router bgp 1
bgp router-id 6.6.6.6
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 update-source lo
!
address-family l2vpn evpn
neighbor 1.1.1.1 activate
exit-address-family
!
exit
!
nvo vxlan access-if port-vlan xe11 50
map vnid 50
!
Validation
To verify MAC limit enforcement, send traffic with varying numbers of source MAC addresses and observe the system behavior.
LEAF1#show mac-limit profiles
Profile-Name  Limit  Action    High-Watermark(%, v)  Low-Watermark(%, v)  Errdisable-timeout
======================================================================================================================
SH1           10     log-only  90, 9                 70, 7                0
LEAF1#
Send Traffic with 10 Source MACs to LEAF1.
Generate traffic with 10 unique source MACs on xe11.
When the MAC count reaches the high watermark threshold (default 90% of 10 = 9 MACs), a syslog message is generated.
LEAF1#2025 Jun 14 04:45:19.450 : LEAF1 : HSL : CRITI : [EVPN_MAC_LIMIT_2]: VPN-ID 50: Mac limit for AC xe11, High threshold MAC count 9 with high watermark of 9
Send Traffic with 20 Source MACs.
Generate traffic with 20 unique source MACs, exceeding the learning limit of 10.
LEAF1#2025 Jun 14 04:46:30.610 : LEAF1 : HSL : CRITI : [EVPN_MAC_LIMIT_2]: VPN-ID 50: Mac limit for AC xe11, Exceeded MAC count 11 with learning limit of 10
Now stop the traffic and check for low watermark logs as the MACs are unlearned (aged out).
2025 Jun 14 04:53:52.280 : LEAF1 : HSL : CRITI : [EVPN_MAC_LIMIT_2]: VPN-ID 50: Mac limit for AC xe11, Low threshold MAC count 6 with low watermark of 7
Now modify the mac-limit profile with non-default high and low watermarks and the action set to log-errdisable:
mac-limit-profile SH1
learning-limit 10
action log-errdisable
high-watermark 80
low-watermark 70
nvo vxlan access-if port-vlan xe11 50
map vnid 50
learning limit SH1
 
LEAF1#show mac-limit profiles
Profile-Name  Limit  Action          High-Watermark(%, v)  Low-Watermark(%, v)  Errdisable-timeout
======================================================================================================================
SH1           10     log-errdisable  80, 8                 70, 7                0
LEAF1#
Send Traffic with 10 Source MACs to LEAF1.
Generate traffic with 10 unique source MACs on xe11.
When the MAC count reaches the configured high watermark threshold (80% of 10 = 8 MACs), a syslog message is generated.
2025 Jun 14 04:55:22.638 : LEAF1 : HSL : CRITI : [EVPN_MAC_LIMIT_2]: VPN-ID 50: Mac limit for AC xe11, High threshold MAC count 8 with high watermark of 8
Send Traffic with 20 Source MACs.
Generate traffic with 20 unique source MACs, exceeding the learning limit of 10, and check that the AC goes into the error-disabled state.
2025 Jun 14 04:55:22.639 : LEAF1 : HSL : CRITI : [EVPN_MAC_LIMIT_2]: VPN-ID 50: Mac limit for AC xe11, Exceeded MAC count 11 with learning limit of 10
2025 Jun 14 04:55:22.639 : LEAF1 : NSM : CRITI : [IFMGR_ERR_DISABLE_DOWN_2]: Attachment Circuit with the nvo access-interface xe11 50 on EVPN instance 50 errdisabled successfully due to EVPN-MAC-LIMIT. Configured error disable timeout 0
2025 Jun 14 04:55:22.652 : LEAF1 : HSL : CRITI : [EVPN_MAC_LIMIT_2]: VPN-ID 50: Mac limit for AC xe11, Low threshold MAC count 6 with low watermark of 7
LEAF1#show nvo vxlan access-if brief
 
                   Inner                    Admin    Link
Interface   Vlan   vlan    Ifindex    Vnid  status   status
---------------------------------------------------------------
xe11        50     ---     0x7a120    50    up       down(ED)
xe11        51     ---     0x7a122    50    up       up
xe11        52     ---     0x7a123    50    up       up
po100       100    ---     0x7a121    100   up       up
 
Total number of entries are 4
LEAF1#
 
LEAF1#show interface brief xe11
 
Codes: ETH - Ethernet, LB - Loopback, AGG - Aggregate, MLAG - MLAG Aggregate
FR - Frame Relay, TUN -Tunnel, PBB - PBB Logical Port, VP - Virtual Port
CVP - Channelised Virtual Port, METH - Management Ethernet, UNK- Unknown
ED - ErrDisabled, PD - Protocol Down, AD - Admin Down, IA - InActive
PD(Min L/B) - Protocol Down Min-Links/Bandwidth
OTD - Object Tracking Down
DV - DDM Violation, NA - Not Applicable
NOM - No operational members, PVID - Port Vlan-id
Ctl - Control Port (Br-Breakout/Bu-Bundle)
HD - ESI Hold Timer Down
---------------------------------------------------------------------------------------------------------
Ethernet    Type   PVID   Mode   Status   Reason   Speed   Port   Ctl     Loopbk
Interface                                                  Ch #   Br/Bu
---------------------------------------------------------------------------------------------------------
xe11        ETH    --     --     up       none     10g     --     No      No
LEAF1#
 
Note: The log-only action is applicable to both the AC (attachment circuit) and the VNID (EVI level).
Note: The log-errdisable action is applicable only to the AC (attachment circuit). As the outputs above show, only the AC xe11 50 is error-disabled; the physical interface xe11 and the other ACs on it stay up.
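As an added example (not OcNOS code), the following Python models the profile semantics documented above: watermark values derived from the learning limit, learning that stops at the limit, the log-only versus log-errdisable actions at AC and EVI scope, and the low-watermark event during unlearning. The event strings, the MacLimitScope class and the assumption that error-disabling flushes the AC's MAC entries are mine, chosen to mirror the log lines in the validation; the profile defaults come from the command reference on this page.

```python
# Added example (not OcNOS code): a model of the MAC-limit profile semantics on this page.
from dataclasses import dataclass, field

@dataclass
class MacLimitProfile:
    learning_limit: int = 131071   # CLI defaults taken from the command reference
    high_watermark: int = 90       # percent of learning_limit
    low_watermark: int = 70        # percent of learning_limit
    action: str = "log-only"       # or "log-errdisable"
    errdisable_timeout: int = 0    # seconds; 0 = no automatic recovery
    def high_value(self) -> int:   # "High-Watermark(%, v)" column: 90% of 10 -> 9
        return self.learning_limit * self.high_watermark // 100
    def low_value(self) -> int:    # "Low-Watermark(%, v)" column: 70% of 10 -> 7
        return self.learning_limit * self.low_watermark // 100

@dataclass
class MacLimitScope:
    """An AC (kind 'ac', e.g. port-vlan xe11 50) or an EVI (kind 'evi') with a profile."""
    name: str
    kind: str                      # errdisable applies to ACs only (see the notes above)
    profile: MacLimitProfile
    macs: set = field(default_factory=set)
    errdisabled: bool = False
    limit_logged: bool = False     # assumption: the exceeded event is logged once per breach
    events: list = field(default_factory=list)

    def learn(self, mac: str) -> bool:
        """Source-MAC learning; returns True if the MAC is in the table afterwards."""
        p, count = self.profile, len(self.macs)
        if self.errdisabled or mac in self.macs:
            return mac in self.macs
        if count >= p.learning_limit:
            # Learning stops at the limit; frames are still flooded (software-based).
            if not self.limit_logged:
                self.events.append(f"Exceeded MAC count {count + 1} with learning limit of {p.learning_limit}")
                self.limit_logged = True
            if p.action == "log-errdisable" and self.kind == "ac":
                self.events.append(f"{self.name} errdisabled, timeout {p.errdisable_timeout}")
                self.errdisabled = True
                for old in list(self.macs):  # assumption: errdisable flushes the AC's MAC entries
                    self.unlearn(old)
            return False
        self.macs.add(mac)
        if len(self.macs) == p.high_value():
            self.events.append(f"High threshold MAC count {count + 1} with high watermark of {p.high_value()}")
        return True

    def unlearn(self, mac: str) -> None:
        """MAC ageing; logs once the count falls below the low watermark."""
        p, before = self.profile, len(self.macs)
        if mac not in self.macs:
            return
        self.macs.discard(mac)
        if before >= p.low_value() > len(self.macs):
            self.events.append(f"Low threshold MAC count {len(self.macs)} with low watermark of {p.low_value()}")
```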
CLI Commands
This section describes the commands for MAC limit enforcement at the EVI and AC levels for EVPN-VxLAN.
mac-limit-profile
Use this command to create a MAC limit profile to enforce Layer 2 MAC limits. Use the no form to delete the profile.
Command Syntax
mac-limit-profile <PROFILE-NAME>
[no] mac-limit-profile <PROFILE-NAME>
Parameters
<PROFILE-NAME>
Name of the MAC limit profile
Default
None
Command Mode
Configure mode
Applicability
This command is introduced in OcNOS/Version/6.6.1.
Example
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#learning-limit 100
OcNOS(config-mac-limit-profile)#high-watermark 80
OcNOS(config-mac-limit-profile)#low-watermark 40
OcNOS(config-mac-limit-profile)#action log-errdisable
OcNOS(config-mac-limit-profile)#errdisable-timeout 60
OcNOS(config-mac-limit-profile)#commit
 
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#no mac-limit-profile profile_1
OcNOS(config)#commit
learning-limit
Use this command to set the learning limit. Use the no form to reset to the default limit.
Command Syntax
learning-limit <1-131071>
[no] learning-limit
Parameters
<1-131071>
Maximum number of MAC addresses (1 to 131071).
Default
131071
Command Mode
MAC-LIMIT-MODE
Applicability
This command is introduced in OcNOS/Version/6.6.1.
Example
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#learning-limit 100
OcNOS(config-mac-limit-profile)#commit
 
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#no learning-limit
OcNOS(config-mac-limit-profile)#commit
action
Use this command to set the action type after the MAC limit is reached. If set to log-only, only logs are generated. If set to log-errdisable, both logs and error-disable actions take effect. Use the no form to reset to the default action.
Command Syntax
action (log-only | log-errdisable)
[no] action
Parameters
log-only
Generates logs only; no error-disable action is taken
log-errdisable
Generates logs and error-disables the attachment circuit (AC)
Default
log-only
Command Mode
MAC-LIMIT-MODE
Applicability
This command is introduced in OcNOS/Version/6.6.1.
Example
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#action log-errdisable
OcNOS(config-mac-limit-profile)#commit
 
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#no action
OcNOS(config-mac-limit-profile)#commit
high-watermark
Use this command to set the high watermark as a percentage of the learning limit. Once the learned MAC count reaches the high watermark, an operator log is generated. Use the no form to reset to the default.
Command Syntax
high-watermark <1-100>
[no] high-watermark
Parameters
<1-100>
Percentage of the MAC limit (1 to 100)
Default
90
Command Mode
MAC-LIMIT-MODE
Applicability
This command is introduced in OcNOS/Version/6.6.1.
Example
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#high-watermark 80
OcNOS(config-mac-limit-profile)#commit
 
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#no high-watermark
OcNOS(config-mac-limit-profile)#commit
low-watermark
Use this command to set the low watermark as a percentage of the learning limit. Once the learned MAC count drops below the low watermark, an operator log is generated. Use the no form to reset to the default.
Command Syntax
low-watermark <1-100>
[no] low-watermark
Parameters
<1-100>
Percentage of the MAC limit (1 to 100)
Default
70
Command Mode
MAC-LIMIT-MODE
Applicability
This command is introduced in OcNOS/Version/6.6.1.
Example
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#low-watermark 40
OcNOS(config-mac-limit-profile)#commit
 
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#no low-watermark
OcNOS(config-mac-limit-profile)#commit
errdisable-timeout
Use this command to set the error-disable timeout value in seconds. Once error-disable occurs, this is the duration for which the instance will be operationally shut before being restored. Use the no form to reset to the default.
Command Syntax
errdisable-timeout <0-86400>
[no] errdisable-timeout
Parameters
<0-86400>
Timeout duration in seconds (0 to 86400). A value of 0 disables automatic recovery.
Default
0
Command Mode
MAC-LIMIT-MODE
Applicability
This command is introduced in OcNOS/Version/6.6.1.
Example
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#errdisable-timeout 60
OcNOS(config-mac-limit-profile)#commit
 
OcNOS#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
OcNOS(config)#mac-limit-profile profile_1
OcNOS(config-mac-limit-profile)#no errdisable-timeout
OcNOS(config-mac-limit-profile)#commit
learning limit
Use this command to associate a MAC limit profile with an EVPN-VxLAN instance or access interface. Use the no form to disassociate the profile.
Command Syntax
learning limit <PROFILE-NAME>
[no] learning limit
Parameters
<PROFILE-NAME>
Name of the MAC limit profile to apply
Default
None
Command Mode
EVPN-VXLAN-MODE, ACC-IF-EVPN-MODE
Applicability
This command is introduced in OcNOS/Version/6.6.1.
Example
Configure an EVPN-VXLAN EVI with a mac-limit-profile
LEAF1#config t
Enter configuration commands, one per line. End with CNTL/Z.
LEAF1(config)#mac-limit-profile SH1
LEAF1(config-mac-limit-profile)#learning-limit 10
LEAF1(config-mac-limit-profile)#commit
LEAF1(config-mac-limit-profile)#
 
LEAF1#config t
Enter configuration commands, one per line. End with CNTL/Z.
LEAF1(config)#
LEAF1(config)#nvo vxlan id 50 ingress-replication
LEAF1(config-nvo)#learning limit SH1
LEAF1(config-nvo)#commit
LEAF1(config-nvo)#end
LEAF1#
LEAF1#
LEAF1#config t
Enter configuration commands, one per line. End with CNTL/Z.
LEAF1(config)#
LEAF1(config)#nvo vxlan id 50 ingress-replication
LEAF1(config-nvo)#no learning limit
LEAF1(config-nvo)#commit
LEAF1(config-nvo)#end
LEAF1#
 
Configure an EVPN-VxLAN access interface with a mac-limit-profile
LEAF1#config t
Enter configuration commands, one per line. End with CNTL/Z.
LEAF1(config)#mac-limit-profile SH1
LEAF1(config-mac-limit-profile)#learning-limit 10
LEAF1(config-mac-limit-profile)#action log-errdisable
LEAF1(config-mac-limit-profile)#high-watermark 80
LEAF1(config-mac-limit-profile)#low-watermark 70
LEAF1(config-mac-limit-profile)#
LEAF1(config-mac-limit-profile)#commit
 
LEAF1#config t
Enter configuration commands, one per line. End with CNTL/Z.
LEAF1(config)#nvo vxlan access-if port-vlan xe11 50
LEAF1(config-nvo-acc-if)#learning limit SH1
LEAF1(config-nvo-acc-if)#commit
 
LEAF1#config t
Enter configuration commands, one per line. End with CNTL/Z.
LEAF1(config)#nvo vxlan access-if port-vlan xe11 50
LEAF1(config-nvo-acc-if)#no learning limit
LEAF1(config-nvo-acc-if)#commit