Supported Platforms
Related Documentation
- EX, QFX Series
- Port Security Overview
- Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
- Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks
- EX Series
- Configuring MAC Limiting (CLI Procedure)
- Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)
Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches
MAC limiting for port security protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). You enable this feature on interfaces (ports).
MAC move limiting detects MAC movement and MAC spoofing on access interfaces. You enable this feature on VLANs.
This topic describes the various methods of MAC limiting and MAC move limiting for port security:
- MAC Limiting for Port Security by Limiting the Number of MAC Addresses That Can be Learned on Interfaces
- MAC Limiting for Port Security by Specifying MAC Addresses That Are Allowed to Access Interfaces
- MAC Move Limiting for Port Security by Monitoring MAC Address Moves within VLANs
- Actions for MAC Limiting and MAC Move Limiting
- Viewing the MAC Addresses That Exceed the MAC Limit or MAC Move Limit
MAC Limiting for Port Security by Limiting the Number of MAC Addresses That Can be Learned on Interfaces
One method to enhance port security is to set the maximum number of MAC addresses that can be learned (added to the Ethernet switching table) on any of the following:
- A specific access interface (port)
- All access interfaces
- A specific access interface on the basis of its membership within a specific virtual LAN (VLAN membership MAC limit)
Note: Static MAC addresses do not count toward the limit you specify for dynamic MAC addresses. (For information about configuring static MAC addresses, see Adding a Static MAC Address Entry to the Ethernet Switching Table.)
When you are configuring the maximum MAC limit for an interface, you can choose the action that occurs on incoming packets when the MAC limit is exceeded. See Actions for MAC Limiting and MAC Move Limiting.
The default action when the limit is exceeded is that the incoming packets with new MAC addresses are dropped. If you have set a MAC limit to apply to all interfaces on the switch, you can override that setting for a particular interface by specifying action none for that interface. See Setting the none Action on an Interface to Override a MAC Limit Applied to All Interfaces (CLI Procedure).
If you are configuring the maximum MAC limit for a specific interface as a member of a specific VLAN, incoming packets with new MAC addresses that cause the VLAN membership MAC limit to be exceeded are dropped and the event is logged. No other action can be configured.
MAC Limiting for Port Security by Specifying MAC Addresses That Are Allowed to Access Interfaces
Another method to enhance port security is to configure specific MAC addresses as allowed MAC addresses for a specific access interface or for all access interfaces. Any MAC address that is not in the list of the configured addresses is not learned and the switch logs a message.
Note: If you do not want the switch to log messages for invalid MAC addresses received on an interface on which you have configured allowed MAC addresses, you can disable the logging by configuring the no-allowed-mac-log statement.
Allowed MAC addresses are bound to a VLAN so that the address is not registered outside that VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.
MAC Move Limiting for Port Security by Monitoring MAC Address Moves within VLANs
MAC move limiting causes the switch to limit and track the frequency with which a MAC address can move to a new interface (port). It can help prevent MAC spoofing, and it can also detect and prevent loops.
If a MAC address moves more than the configured number of times within one second, the switch performs the configured action. You can configure MAC move limiting to apply to all VLANs or to a specific VLAN.
Actions for MAC Limiting and MAC Move Limiting
You can choose to have one of the following actions performed when the MAC limit is exceeded on an interface or on all interfaces; or when the MAC move limit is exceeded on a VLAN:
Note: If you are configuring the maximum MAC limit for a specific interface as a member of a specific VLAN (VLAN membership MAC limit), incoming packets with new MAC addresses that cause the VLAN membership MAC limit to be exceeded are dropped and the event is logged. No other action can be configured.
- drop—Drop the packet and generate a system log entry.
- log—Do not drop the packet, but generate a system log entry.
- none—Take no action.
- shutdown—Disable the interface and generate a system log entry. If you have configured the switch with the port-error-disable statement, the disabled interface or VLAN recovers automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.
See descriptions of results of these various action settings in Verifying That MAC Limiting Is Working Correctly.
Viewing the MAC Addresses That Exceed the MAC Limit or MAC Move Limit
If you have configured the port-error-disable statement, you can use the output of the show ethernet-switching interfaces command to view which interfaces are temporarily disabled because they caused the MAC limit or MAC move limit to be exceeded.
The log messages indicate that the MAC limit or MAC move limit has been exceeded and include a list of the MAC addresses that have exceeded the limit. See Troubleshooting Port Security for details.
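As an added example that is not part of the original topic, the following Junos set commands apply each of the mechanisms described above on an EX Series switch. The interface names ge-0/0/1 and ge-0/0/10, the VLAN name employee-vlan, the MAC address and the limit values are assumed placeholders, and the # lines are explanatory annotations rather than CLI input.

```junos
# Added example, not from the original topic. Interface names, VLAN name,
# MAC address and limit values are constructed placeholders.

# 1. Cap dynamic MAC learning on every access interface at 4 addresses.
#    Packets with new source MACs beyond the cap are dropped and logged
#    (drop is also the default action).
set ethernet-switching-options secure-access-port interface all mac-limit 4 action drop

# 2. Override the switch-wide limit on one interface by setting action none,
#    so that interface is exempt from the limit applied to all interfaces.
set ethernet-switching-options secure-access-port interface ge-0/0/10 mac-limit 4 action none

# 3. Permit only a specific MAC address on ge-0/0/1. Any other address is
#    not learned; no-allowed-mac-log suppresses the per-address log message.
set ethernet-switching-options secure-access-port interface ge-0/0/1 allowed-mac 00:05:85:3a:82:80
set ethernet-switching-options secure-access-port interface ge-0/0/1 no-allowed-mac-log

# 4. Track MAC moves within employee-vlan: if an address moves more than
#    5 times in one second (spoofing or loop indicator), shut the interface down.
set ethernet-switching-options secure-access-port vlan employee-vlan mac-move-limit 5 action shutdown

# 5. Let interfaces disabled by the shutdown action recover automatically
#    after 120 seconds instead of requiring manual intervention.
set ethernet-switching-options port-error-disable disable-timeout 120

# Operational mode: list interfaces that are currently error-disabled, and
# clear them by hand when autorecovery is not configured.
show ethernet-switching interfaces
clear ethernet-switching port-error
```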
Published: 2012-12-10