Related Documentation
- EX Series
- allowed-mac
- clear ethernet-switching table
- Configuring MAC Limiting (CLI Procedure)
- Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)
- EX, QFX Series
- Example: Configuring Basic Port Security Features
- Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
- Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks
mac-limit (Access Port Security)
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.0 for EX Series switches.
Description
Set a limit on the number of MAC addresses that can be added to the Ethernet switching table.
- [edit ethernet-switching-options secure-access-port interface]—Set the MAC address learning limit for a specific interface, for a range of interfaces, or for all interfaces on the switch.
- [edit ethernet-switching-options secure-access-port interface interface-name vlan vlan-name]—Set the MAC address learning limit for a specific interface as a member of a specific VLAN (VLAN membership MAC limit).
Note: If you set the MAC address limit on a specific interface as a member of a specific VLAN (VLAN membership MAC limit), the switch drops any additional packets when the VLAN membership MAC limit is exceeded and logs the MAC addresses of those packets. You cannot specify a different action for this specific configuration. If a single interface belongs to more than one VLAN, you can set separate VLAN membership MAC limits for the same interface.
When you change the MAC limit, the MAC address table is not cleared automatically. Entries learned before you reduced the limit remain in the table, so you should clear the forwarding table for the affected interface or MAC address. Use the clear ethernet-switching table command to remove the existing MAC addresses from the table.
Default
The default action is drop.
Options
action action—(Optional) Action to take when the MAC address limit for an interface or for all interfaces is exceeded:
- drop—Drop the packet and generate a system log entry.
- log—Do not drop the packet but generate a system log entry.
- none—No action.
- shutdown—Disable the interface and generate a system log entry. If you have configured the switch with the port-error-disable statement, the disabled interface recovers automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.
limit—Maximum number of MAC addresses.
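The following configuration is an added example (not from the original page) that exercises the options above: a per-interface limit with the default drop action, a limit with action shutdown paired with port-error-disable autorecovery, and a VLAN membership MAC limit. The interface names ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0, the VLAN name employee-vlan and the 300-second timeout are constructed values.

```junos
/* Added example, not from the original page. Interface and VLAN names are constructed. */
ethernet-switching-options {
    secure-access-port {
        interface ge-0/0/1.0 {
            /* Learn at most 5 MAC addresses on this port; the 6th is dropped
               and a system log entry is generated (drop is also the default). */
            mac-limit 5 action drop;
        }
        interface ge-0/0/2.0 {
            /* Disable the port when the limit is exceeded instead of only dropping. */
            mac-limit 2 action shutdown;
        }
        interface ge-0/0/3.0 {
            /* VLAN membership MAC limit: no action can be specified here;
               excess packets are always dropped and their MAC addresses logged. */
            vlan employee-vlan {
                mac-limit 3;
            }
        }
    }
    /* Autorecovery for ports disabled by action shutdown: re-enable after 300 seconds.
       Without this statement, recover manually with:
       clear ethernet-switching port-error interface ge-0/0/2.0 */
    port-error-disable {
        disable-timeout 300;
    }
}
```

If a limit is lowered on an interface that already has learned entries, run clear ethernet-switching table interface ge-0/0/1.0 (constructed interface name) so that addresses learned under the old limit do not remain in the table.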
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Published: 2012-12-10