Security Services Administration Guide
Configuring MAC Limiting

24-Nov-23

Configuring MAC Limiting (ELS)

This topic describes the different ways of configuring a limitation on MAC addresses in packets that are received and forwarded by the device.

Note:

The tasks presented in this section use Junos OS for EX Series switches, QFX3500 and QFX3600 switches, and PTX Series routers that support the Enhanced Layer 2 Software (ELS) configuration style. See Using the Enhanced Layer 2 Software CLI for more information about ELS configurations.

The different ways of setting a MAC limit are described in the following sections:

Limiting the Number of MAC Addresses Learned by an Interface

Note:

On PTX Series routers, you can limit the number of MAC addresses learned by an interface only.

To secure a port, you can set the maximum number of MAC addresses that can be learned by an interface.

Set the MAC limit on an interface, and specify an action that the device takes after the specified limit is exceeded.

If you want to set the MAC limit on an interface that is part of the default routing instance:

[edit switch-options]
user@switch# set interface interface-name interface-mac-limit limit packet-action action

If you want to set the MAC limit on an interface that is part of a routing instance:

[edit routing-instances]
user@switch# set routing-instance-name switch-options interface interface-name interface-mac-limit limit

If you want to set the MAC limit on all interfaces that are part of the default routing instance:

[edit switch-options]
user@switch# set interface-mac-limit limit

If you want to set the MAC limit on all interfaces that are part of a routing instance:

[edit routing-instances]
user@switch# set routing-instance-name switch-options interface-mac-limit limit

After you set a new MAC limit for the interface, the system clears existing entries in the MAC address forwarding table associated with the interface.

Limiting the Number of MAC Addresses Learned by a VLAN

To limit the number of MAC addresses learned by a VLAN, set the maximum number of MAC addresses that can be learned by the VLAN, and specify an action that the device takes after the specified limit is exceeded:

[edit vlans]
user@switch# set vlan-name switch-options mac-table-size limit packet-action action

Limiting the Number of MAC Addresses Learned by an Interface in a VLAN

To limit the number of MAC addresses learned by an interface in a VLAN, perform the following steps:

  1. Set the maximum number of MAC addresses that can be learned by an interface in a VLAN, and specify an action that the device takes after the specified limit is exceeded:
    [edit vlans]
    user@switch# set vlan-name switch-options interface-mac-limit limit packet-action action
  2. Set the maximum number of MAC addresses that can be learned by one or all interfaces in the VLAN, and specify an action that the device takes after the specified limit is exceeded:
    Note:

    If you specify a MAC limit and packet action both for all interfaces in the VLAN and for a specific interface in the VLAN, the MAC limit and packet action specified for the specific interface take precedence. Also, at the VLAN interface level, only the drop and drop-and-log options are supported.

    For a specific interface in the VLAN:
    [edit vlans]
    user@switch# set vlan-name switch-options interface interface-name interface-mac-limit limit packet-action action
    For all interfaces in the VLAN:
    [edit vlans]
    user@switch# set vlan-name switch-options interface-mac-limit limit packet-action action

    After you set new MAC limits for a VLAN by using the mac-table-size statement or for interfaces associated with a VLAN by using the interface-mac-limit statement, the system clears the corresponding existing entries in the MAC address forwarding table.

    Note:

    On a QFX Series Virtual Chassis, if you include the shutdown option at the [edit vlans vlan-name switch-options interface interface-name interface-mac-limit packet-action] hierarchy level and issue the commit operation, the system generates a commit error. The system does not generate an error if you include the shutdown option at the [edit switch-options interface interface-name interface-mac-limit packet-action] hierarchy level.
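The precedence rule and the restricted action set at the VLAN interface level are easy to get wrong when the same VLAN carries both a VLAN-wide interface-mac-limit and per-interface overrides. The following script is an added example, not Juniper code: it reads Junos set-style configuration (as printed by show configuration | display set), resolves which limit and packet-action apply to a given interface in a VLAN using only the rule stated above (the specific interface under [edit vlans vlan-name switch-options interface] wins over the VLAN-wide statement), and flags any packet-action other than drop or drop-and-log under the vlans hierarchy. Statements under [edit switch-options] are deliberately not modelled, since this section does not define how they combine with the vlans hierarchy. The VLAN names, interface names and limits are constructed.

```python
"""Resolve effective per-interface MAC limits in an ELS VLAN and flag
unsupported packet-action values at the VLAN interface level.

Added example (not Juniper code). Reads Junos 'set'-style lines and
applies only the precedence rule the page states: a limit on a specific
interface under [edit vlans NAME switch-options interface IFNAME]
overrides the VLAN-wide interface-mac-limit under the same VLAN.
Statements under [edit switch-options] are not modelled. All VLAN
names, interface names and limits below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Only these packet-action values are accepted at the VLAN interface level.
VLAN_INTERFACE_ACTIONS = {"drop", "drop-and-log"}


@dataclass(frozen=True)
class MacLimit:
    limit: int
    action: Optional[str]   # None: no packet-action configured
    source: str             # the statement that produced this value


def parse_set_lines(config: str) -> List[List[str]]:
    """Tokenize 'set ...' lines; blanks, comments and other lines are skipped."""
    tokens = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            tokens.append(line.split()[1:])
    return tokens


def _apply_body(target: dict, body: List[str], source: str) -> None:
    """Fill limit/action from the tokens after 'interface-mac-limit'.

    display-set output puts '<limit>' and 'packet-action <a>' on separate
    lines; a hand-typed command may carry both, so accept either shape.
    """
    if body and body[0].isdigit():
        target["limit"] = int(body[0])
        body = body[1:]
    if len(body) >= 2 and body[0] == "packet-action":
        target["action"] = body[1]
    target["source"] = source


def collect_vlan_limits(config: str) -> Dict[str, dict]:
    """Return {vlan: {'all': {...}, 'per_if': {ifname: {...}}}}."""
    vlans: Dict[str, dict] = {}
    for t in parse_set_lines(config):
        if len(t) < 4 or t[0] != "vlans" or t[2] != "switch-options":
            continue
        vlan, rest = t[1], t[3:]
        entry = vlans.setdefault(vlan, {"all": {}, "per_if": {}})
        if rest[0] == "interface-mac-limit":
            _apply_body(entry["all"], rest[1:],
                        f"vlans {vlan} switch-options interface-mac-limit")
        elif rest[0] == "interface" and len(rest) > 2 and rest[2] == "interface-mac-limit":
            ifname = rest[1]
            _apply_body(entry["per_if"].setdefault(ifname, {}), rest[3:],
                        f"vlans {vlan} switch-options interface {ifname} interface-mac-limit")
    return vlans


def effective_limit(vlans: Dict[str, dict], vlan: str, ifname: str) -> Optional[MacLimit]:
    """Limit/action that applies to ifname in vlan, or None if none is set there."""
    entry = vlans.get(vlan)
    if entry is None:
        return None
    specific = entry["per_if"].get(ifname, {})
    chosen = specific if "limit" in specific else entry["all"]   # interface wins
    if "limit" not in chosen:
        return None
    return MacLimit(chosen["limit"], chosen.get("action"), chosen["source"])


def audit(vlans: Dict[str, dict]) -> List[str]:
    """Flag packet-action values the VLAN interface level does not support."""
    findings = []
    for entry in vlans.values():
        for scope in [entry["all"], *entry["per_if"].values()]:
            action = scope.get("action")
            if action is not None and action not in VLAN_INTERFACE_ACTIONS:
                findings.append(f"{scope['source']}: packet-action {action} is not "
                                f"supported here; use drop or drop-and-log")
    return findings


# Constructed sample in display-set style (not taken from a real device).
SAMPLE_CONFIG = """
set vlans v10 switch-options interface-mac-limit 5 packet-action drop
set vlans v10 switch-options interface ge-0/0/1 interface-mac-limit 2
set vlans v10 switch-options interface ge-0/0/1 interface-mac-limit packet-action drop-and-log
set vlans v20 switch-options interface-mac-limit 3 packet-action shutdown
"""

if __name__ == "__main__":
    table = collect_vlan_limits(SAMPLE_CONFIG)
    for vlan, ifname in (("v10", "ge-0/0/1"), ("v10", "ge-0/0/2"), ("v20", "ge-0/0/5")):
        print(vlan, ifname, effective_limit(table, vlan, ifname))
    for finding in audit(table):
        print("FINDING:", finding)
```

Run against a real display-set dump, the audit catches the v20-style shutdown action before commit rejects it (or, on a QFX Virtual Chassis, before the commit error in the note above), and effective_limit shows that ge-0/0/1 ends up with limit 2 and drop-and-log while every other v10 member inherits 5 and drop.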

Configuring MAC Limiting (non-ELS)

This task applies to Junos OS for EX Series switches and QFX3500 and QFX3600 switches that do not support the Enhanced Layer 2 Software (ELS) configuration style.

This topic describes various ways of configuring a limitation on MAC addresses in packets that are received and forwarded by the switch.

Before you can change a MAC limit that was previously set for an interface or a VLAN, you must first clear existing entries in the MAC address forwarding table that correspond to the change you want to make. Thus, to change the limit on an interface, first clear the MAC address forwarding table entries for that interface. To change the limit on all interfaces and VLANs, clear all MAC address forwarding table entries. To change the limit on a VLAN, clear the MAC address forwarding table entries for that VLAN.

To clear MAC addresses from the forwarding table:

  • Clear MAC address entries from a specific interface (here, the interface is ge-0/0/1) in the forwarding table:

    user@switch> clear ethernet-switching-table interface ge-0/0/1
  • Clear all MAC address entries in the forwarding table:

    user@switch> clear ethernet-switching-table
  • Clear MAC address entries from a specific VLAN (here, the VLAN is vlan-abc):

    user@switch> clear ethernet-switching-table vlan vlan-abc

The different ways of setting a MAC limit are described in the following sections:

Limiting the Number of MAC Addresses That Can be Learned on Interfaces

To configure MAC limiting for port security, set a maximum number of MAC addresses that can be learned on interfaces:

  • Apply the MAC limit on a single interface (here, the interface is ge-0/0/1):
    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface ge-0/0/1 mac-limit 10

    When no action is specified for the MAC limit on an interface, the device performs the default action, drop, if the limit is exceeded.

  • Apply the MAC limit on a single access interface on the basis of its membership in a specific VLAN (here, the interface is ge-0/0/1 and the VLAN is v1):
    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface ge-0/0/1 vlan v1 mac-limit 5

    With this type of configuration, the device drops any additional packets if the limit is exceeded, and also logs a message.

  • Apply the limit to all access interfaces:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface all mac-limit 10

    When no action is specified for the MAC limit on all interfaces, the device performs the default action, drop, if the limit is exceeded.

Specifying MAC Addresses That Are Allowed

You must clear existing entries in the MAC address forwarding table prior to changing the MAC address limit.

To configure MAC limiting for port security by specifying allowed MAC addresses:

  • On a single interface (here, the interface is ge-0/0/2):
    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:80
    user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:81
    user@switch# set interface ge-0/0/2 allowed-mac 00:05:85:3A:82:83

  • On all interfaces:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set interface all allowed-mac 00:05:85:3A:82:80
    user@switch# set interface all allowed-mac 00:05:85:3A:82:81
    user@switch# set interface all allowed-mac 00:05:85:3A:82:83

Configuring MAC Limiting for VLANs

You must clear existing entries in the MAC address forwarding table before you can change the MAC address limit.

MAC limiting for a VLAN restricts the MAC addresses that can be learned for that VLAN, but does not drop the packet. Therefore, setting the MAC limit on a VLAN is not considered a port-security feature.

Note:

The configuration of specific allowed MAC addresses does not apply to VLANs.

To configure MAC limiting for a VLAN using the CLI, limit the number of dynamic MAC addresses on the VLAN:

[edit vlans]
user@switch# set vlan-abc mac-limit 20

If the MAC limit on a specific VLAN is exceeded, the device logs the MAC addresses of packets that cause the limit to be exceeded. No other action is possible.

Note:

When you are applying a MAC limit on a VLAN, do not set mac-limit to 1 for a VLAN composed of Routed VLAN Interfaces (RVIs) or a VLAN composed of aggregated Ethernet bundles using LACP. In these cases, setting the mac-limit to 1 prevents the device from learning MAC addresses other than the automatic addresses:

  • For RVIs, the first MAC address inserted into the forwarding database is the MAC address of the RVI.

  • For aggregated Ethernet bundles using LACP, the first MAC address inserted into the forwarding table is the source address of the protocol packet.

If the VLAN is composed of regular access or trunk interfaces, you can set the mac-limit to 1 if you choose to do so.
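The non-ELS procedure has two operational traps: a limit change is rejected unless the matching forwarding-table entries are cleared first (the scope of the clear depends on whether you change an interface, all interfaces, or a VLAN), and mac-limit 1 on a VLAN with an RVI or a LACP bundle locks out every host. The following script is an added example, not Juniper code: it reads a non-ELS configuration in set style, emits the clear and set commands shown in this section in the required order, and refuses mac-limit 1 on a VLAN whose first learned address would be the RVI or LACP protocol MAC. The optional action keyword on the secure-access-port mac-limit statement is an assumption beyond what the section above shows. All interface, VLAN and ae names and the limits are constructed.

```python
"""Plan a non-ELS MAC-limit change: clear the matching forwarding-table
entries first, then apply the new limit, and refuse the VLAN mac-limit 1
misconfiguration this page warns about.

Added example, not Juniper code. Reads Junos 'set'-style configuration
text and emits the operational and configuration commands this page
shows, in the order the page requires. The optional 'action' keyword on
secure-access-port mac-limit is an assumption beyond what the section
shows. Interface, VLAN and ae names and all limits are constructed.
"""
from typing import Dict, List, Optional, Set

SECURE_PORT = "ethernet-switching-options secure-access-port"


def parse_set_lines(config: str) -> List[List[str]]:
    """Tokenize 'set ...' lines; everything else is skipped."""
    return [ln.split()[1:] for ln in config.splitlines()
            if ln.strip().startswith("set ")]


class NonElsConfig:
    """The parts of a non-ELS switch configuration the planner needs."""

    def __init__(self, config: str) -> None:
        self.if_limits: Dict[str, int] = {}          # interface (or 'all') -> mac-limit
        self.vlan_limits: Dict[str, int] = {}        # vlan -> mac-limit
        self.rvi_vlans: Set[str] = set()             # vlans with an l3-interface (RVI)
        self.lacp_aes: Set[str] = set()              # aeN bundles running LACP
        self.vlan_members: Dict[str, Set[str]] = {}  # vlan -> member interfaces
        for t in parse_set_lines(config):
            if t:
                self._ingest(t)

    def _ingest(self, t: List[str]) -> None:
        if (t[:2] == ["ethernet-switching-options", "secure-access-port"]
                and len(t) >= 6 and t[2] == "interface" and t[4] == "mac-limit"):
            self.if_limits[t[3]] = int(t[5])
        elif t[0] == "vlans" and len(t) >= 4:
            if t[2] == "mac-limit":
                self.vlan_limits[t[1]] = int(t[3])
            elif t[2] == "l3-interface":
                self.rvi_vlans.add(t[1])
        elif t[0] == "interfaces" and len(t) >= 4:
            if t[2] == "aggregated-ether-options" and t[3] == "lacp":
                self.lacp_aes.add(t[1])
            elif "ethernet-switching" in t and t[-2] == "members":
                self.vlan_members.setdefault(t[-1], set()).add(t[1])

    def single_slot_conflict(self, vlan: str) -> Optional[str]:
        """Why mac-limit 1 would break this VLAN, or None if it is safe."""
        if vlan in self.rvi_vlans:
            return "the RVI's own MAC address takes the only slot"
        lacp = sorted(self.lacp_aes & self.vlan_members.get(vlan, set()))
        if lacp:
            return f"the LACP protocol source MAC on {', '.join(lacp)} takes the only slot"
        return None


def plan_change(cfg: NonElsConfig, scope: str, target: str, limit: int,
                action: Optional[str] = None) -> List[str]:
    """Ordered commands to set a MAC limit on one interface, all interfaces, or a VLAN.

    scope is 'interface', 'all' or 'vlan'. The clear command is emitted
    only when a limit already exists for that scope, which is when the
    page requires the forwarding-table entries to be cleared first.
    """
    cmds: List[str] = []
    suffix = f" action {action}" if action else ""
    if scope == "interface":
        if target in cfg.if_limits:
            cmds.append(f"clear ethernet-switching-table interface {target}")
        cmds.append(f"set {SECURE_PORT} interface {target} mac-limit {limit}{suffix}")
    elif scope == "all":
        if cfg.if_limits:
            cmds.append("clear ethernet-switching-table")
        cmds.append(f"set {SECURE_PORT} interface all mac-limit {limit}{suffix}")
    elif scope == "vlan":
        if action:
            raise ValueError("a VLAN mac-limit only logs; it takes no action")
        if limit == 1:
            reason = cfg.single_slot_conflict(target)
            if reason:
                raise ValueError(f"refusing mac-limit 1 on {target}: {reason}")
        if target in cfg.vlan_limits:
            cmds.append(f"clear ethernet-switching-table vlan {target}")
        cmds.append(f"set vlans {target} mac-limit {limit}")
    else:
        raise ValueError(f"unknown scope {scope!r}")
    return cmds


# Constructed sample configuration in display-set style (not from a device).
SAMPLE_CONFIG = """
set vlans v1 vlan-id 10
set vlans v1 l3-interface vlan.1
set vlans v2 vlan-id 20
set vlans v3 vlan-id 30
set vlans v3 mac-limit 20
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family ethernet-switching vlan members v2
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v3
set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 10
"""

if __name__ == "__main__":
    cfg = NonElsConfig(SAMPLE_CONFIG)
    print(*plan_change(cfg, "interface", "ge-0/0/1", 5, "drop"), sep="\n")
    for vlan in ("v1", "v2", "v3"):
        try:
            print(*plan_change(cfg, "vlan", vlan, 1), sep="\n")
        except ValueError as err:
            print("ERROR:", err)
```

The operational clear commands come first in each plan because the set is rejected until the corresponding entries are gone; v1 (RVI) and v2 (LACP member ae0) are refused at limit 1, while v3, made up of a plain access port, is allowed, matching the three cases described above.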

Configuring MAC Limiting on MX Series Routers

This topic describes the different ways of configuring a limitation on MAC addresses in packets that are received and forwarded by MX Series routers.

Limiting the Number of MAC Addresses Learned by an Interface

To secure a port, you can set the maximum number of MAC addresses that can be learned by an interface.

MX Series routers support only the drop action. If the action is not specified, the router performs the default action drop if the limit is exceeded.

Set the MAC limit on an interface, and specify the action that the router takes after the specified limit is exceeded.

If you want to set the MAC limit on an interface that is part of the default routing instance:

[edit switch-options]
user@switch# set interface interface-name interface-mac-limit limit packet-action action

If you want to set the MAC limit on an interface that is part of a routing instance:

[edit routing-instances]
user@switch# set routing-instance-name switch-options interface interface-name interface-mac-limit limit

If you want to set the MAC limit on all interfaces that are part of the default routing instance:

[edit switch-options]
user@switch# set interface-mac-limit limit

If you want to set the MAC limit on all interfaces that are part of a routing instance:

[edit routing-instances]
user@switch# set routing-instance-name switch-options interface-mac-limit limit

After you set a new MAC limit for the interface, the system clears existing entries in the MAC address forwarding table associated with the interface.

Limiting the Number of MAC Addresses Learned by a Bridge Domain

To limit the number of MAC addresses learned by a bridge domain, perform the following steps:

Set the maximum number of MAC addresses that can be learned by a bridge domain, and specify an action that the device takes after the specified limit is exceeded:

[edit bridge-domains]
user@switch# set bridge-domain-name bridge-options mac-table-size limit packet-action action

Limiting the Number of MAC Addresses Learned by an Interface in a Bridge Domain

To limit the number of MAC addresses learned by an interface in a bridge domain, perform the following steps:

  1. Set the maximum number of MAC addresses that can be learned by an interface in a bridge domain, and specify an action that the device takes after the specified limit is exceeded:
    [edit bridge-domains]
    user@switch# set bridge-domain-name bridge-options interface-mac-limit limit packet-action action
  2. Set the maximum number of MAC addresses that can be learned by one or all interfaces in the bridge domain, and specify an action that the device takes after the specified limit is exceeded:
    Note:

    If you specify a MAC limit and packet action both for all interfaces in the bridge domain and for a specific interface in the bridge domain, the MAC limit and packet action specified for the specific interface take precedence. Also, at the bridge domain interface level, only the drop option is supported.

    For a specific interface in the bridge domain:
    [edit bridge-domains]
    user@switch# set bridge-domain-name bridge-options interface interface-name interface-mac-limit limit packet-action action
    For all interfaces in the bridge domain:
    [edit bridge-domains]
    user@switch# set bridge-domain-name bridge-options interface-mac-limit limit packet-action action

Configuring MAC Limiting (J-Web Procedure)

MAC limiting protects against flooding of the Ethernet switching table on an EX Series switch. MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port).

Junos OS provides two MAC limiting methods:

  • Maximum number of dynamic MAC addresses allowed per interface—If the limit is exceeded, incoming packets with new MAC addresses are dropped.

  • Specific “allowed” MAC addresses for the access interface—Any MAC address that is not in the list of configured addresses is not learned.

You configure MAC limiting for each interface, not for each VLAN. You can specify the maximum number of dynamic MAC addresses that can be learned on a single Layer 2 access interface or on all Layer 2 access interfaces. The default action that the switch will take if that maximum number is exceeded is drop—drop the packet and generate an alarm, an SNMP trap, or a system log entry.

To enable MAC limiting on one or more interfaces using the J-Web interface:

  1. Select Configure>Security>Port Security.
  2. Select one or more interfaces from the Interface List.
  3. Click the Edit button. If a message appears asking whether you want to enable port security, click Yes.
  4. To set a dynamic MAC limit:
    1. Type a limit value in the MAC Limit box.

    2. Select an action from the MAC Limit Action box (optional). The switch takes this action when the MAC limit is exceeded. If you do not select an action, the switch applies the default action, drop.

      • Log—Generate a system log entry.

      • Drop—Drop the packets and generate a system log entry. (Default)

      • Shutdown—Shut down the VLAN and generate a system log entry. You can mitigate the effect of this option by configuring the switch for autorecovery from the disabled state and specifying a disable timeout value.

      • None— No action to be taken.

  5. To add allowed MAC addresses:
    1. Click Add.

    2. Type the allowed MAC address and click OK.

    Repeat this step to add more allowed MAC addresses.

  6. Click OK when you have finished setting MAC limits.
  7. Click OK after the configuration has been successfully delivered.
Note:

You can enable or disable port security on the switch at any time by clicking the Activate or Deactivate button on the Port Security Configuration page. If security status is shown as Disabled when you try to edit settings for any VLANs or interfaces (ports), a message asking whether you want to enable port security appears.
