Configuring MAC Move Limiting (non-ELS)

30-Jan-19

When MAC move limiting is configured, the switch tracks MAC address movements between interfaces. If a MAC address moves more than the configured number of times within 1 second, the excess moves are dropped, logged, or ignored, or the interface is shut down, depending on the configured action.

Note

Although you enable this feature on VLANs, the MAC move limit applies to the number of movements of each individual MAC address, not to the total number of MAC address moves in the VLAN. For example, if the MAC move limit is set to 1, the switch allows an unlimited number of MAC address movements within the VLAN as long as no single MAC address moves more than once per second.

You configure MAC move limiting per VLAN, not per interface (port). In the default configuration, the number of MAC moves permitted is unlimited.

You can choose to have one of the following actions performed when the MAC move limit is exceeded:

  • drop—Drop the packet and generate a system log entry. This is the default.

  • log—Do not drop the packet but generate a system log entry.

  • none—Take no action.

  • shutdown—Disable the interfaces in the VLAN and generate a system log entry. If you have configured the switch with the port-error-disable statement, the disabled interfaces recover automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.

To configure a MAC move limit for MAC addresses within a specific VLAN or for MAC addresses within all VLANs, using the CLI:

  • On a single VLAN: To limit the number of MAC address movements that can be made by an individual MAC address within the VLAN employee-vlan, set a MAC move limit of 5:

    [edit ethernet-switching-options secure-access-port]
    user@switch# set vlan employee-vlan mac-move-limit 5

    The action is not specified, so the switch performs the default action drop if it tracks that an individual MAC address within the employee-vlan has moved more than 5 times within one second.

  • On all VLANs: To limit the number of MAC movements that can be made by individual MAC addresses within all VLANs, set a MAC move limit of 5:

    [edit ethernet-switching-options secure-access-port]
    user@switch# set vlan all mac-move-limit 5

    The action is not specified, so the switch performs the default action drop if it tracks that an individual MAC address within any of the VLANs has moved more than 5 times within 1 second.
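The following Python model is an added example, not Juniper code and not the switch's actual implementation. It reproduces the semantics described on this page so they can be checked offline: a limit is tracked per (VLAN, MAC address) over a 1-second window, a per-VLAN limit overrides the "all" limit, and the four actions behave as the list above describes. The MAC addresses, port names and VLAN names are constructed sample values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 1.0  # the page states that moves are counted within 1 second


@dataclass
class MacMoveLimiter:
    """Model (not the switch's real code) of per-VLAN MAC move limiting.

    limits maps a VLAN name to its mac-move-limit; the key "all" applies to any
    VLAN without its own entry. action is one of drop, log, none, shutdown.
    """
    limits: dict
    action: str = "drop"
    location: dict = field(default_factory=dict)          # (vlan, mac) -> port
    moves: dict = field(default_factory=lambda: defaultdict(deque))  # move times
    disabled_vlans: set = field(default_factory=set)       # VLANs shut down
    syslog: list = field(default_factory=list)             # generated log lines

    def limit_for(self, vlan):
        # A VLAN-specific limit wins over "vlan all"; None means unlimited.
        return self.limits.get(vlan, self.limits.get("all"))

    def learn(self, t, vlan, mac, port):
        """Process a frame from mac seen on port in vlan at time t (seconds).

        Returns "forward", "drop" or "shutdown" for that frame.
        """
        if vlan in self.disabled_vlans:
            return "shutdown"
        key = (vlan, mac)
        prev = self.location.get(key)
        if prev is None or prev == port:
            self.location[key] = port          # first sighting or no move
            return "forward"
        # The MAC was last seen on a different port: this is a move.
        q = self.moves[key]
        q.append(t)
        while q and t - q[0] > WINDOW_SECONDS:  # forget moves older than 1 s
            q.popleft()
        limit = self.limit_for(vlan)
        if limit is None or len(q) <= limit:
            self.location[key] = port
            return "forward"
        # Limit exceeded: apply the configured action.
        if self.action == "none":
            self.location[key] = port
            return "forward"
        self.syslog.append(
            f"MAC_MOVE_LIMIT: {mac} in {vlan} moved more than {limit} times "
            f"in {WINDOW_SECONDS:.0f}s (action {self.action})")
        if self.action == "log":
            self.location[key] = port           # logged, but the move is kept
            return "forward"
        if self.action == "shutdown":
            self.disabled_vlans.add(vlan)       # interfaces in the VLAN go down
            return "shutdown"
        return "drop"                           # default: move discarded


def demo_per_mac_semantics():
    """Limit 1 on employee-vlan: ten distinct MACs each moving once are all
    allowed; one MAC moving twice within a second has its second move dropped."""
    lim = MacMoveLimiter(limits={"employee-vlan": 1})
    results = []
    for i in range(10):
        mac = f"00:11:22:33:44:{i:02x}"          # constructed sample MACs
        lim.learn(0.0, "employee-vlan", mac, "ge-0/0/1")
        results.append(lim.learn(0.1, "employee-vlan", mac, "ge-0/0/2"))
    flapper = "00:11:22:33:44:ff"
    lim.learn(0.0, "employee-vlan", flapper, "ge-0/0/1")
    first = lim.learn(0.2, "employee-vlan", flapper, "ge-0/0/2")
    second = lim.learn(0.4, "employee-vlan", flapper, "ge-0/0/1")
    return results, first, second, lim.syslog


def demo_all_vlans_limit_5():
    """'vlan all mac-move-limit 5': the sixth move inside one second is dropped,
    and the same MAC may move again once the window has expired."""
    lim = MacMoveLimiter(limits={"all": 5})
    mac = "00:aa:bb:cc:dd:ee"
    lim.learn(0.0, "guest-vlan", mac, "ge-0/0/1")
    verdicts = []
    for n in range(1, 7):                       # six moves, alternating ports
        port = "ge-0/0/2" if n % 2 else "ge-0/0/1"
        verdicts.append(lim.learn(0.1 * n, "guest-vlan", mac, port))
    later = lim.learn(5.0, "guest-vlan", mac, "ge-0/0/1")  # window expired
    return verdicts, later


if __name__ == "__main__":
    print(demo_per_mac_semantics())
    print(demo_all_vlans_limit_5())
```

The first demo is the point the note above makes: with a limit of 1, many stations each moving once are fine, while a single address flapping between two ports is what trips the limit. The second demo shows why the window matters for a port-flapping host: once the one-second window passes, the address can move again without triggering the action.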
