Supported Platforms
Related Documentation
- EX Series
- Configuring MAC Move Limiting (J-Web Procedure)
- Configuring Autorecovery From the Disabled State on Secure or Storm Control Interfaces (CLI Procedure)
- Understanding MAC Limiting and MAC Move Limiting for Port Security on EX Series Switches
- EX Series, QFabric System, QFX Series standalone switches
- Example: Configuring Basic Port Security Features
- Verifying That MAC Move Limiting Is Working Correctly
- Monitoring Port Security
- EX, M, MX, SRX Series
- clear ethernet-switching port-error
- EX, SRX Series
- secure-access-port
- QFabric System, QFX Series standalone switches
- Understanding MAC Limiting and MAC Move Limiting for Port Security
- clear ethernet-switching port-error
- port-error-disable
- secure-access-port
Configuring MAC Move Limiting (CLI Procedure)
When MAC move limiting is configured, the switch tracks MAC address movements. If a MAC address changes more than the configured number of times within 1 second, the switch drops the packet, logs the event, takes no action, or shuts down the interface, depending on the configured action.
Note: Although you enable this feature on VLANs, the MAC move limitation pertains to the number of movements for each individual MAC address rather than the total number of MAC address moves in the VLAN. For example, if the MAC move limit is set to 1, the switch allows an unlimited number of MAC address movements within the VLAN as long as the same MAC address does not change more than once.
You configure MAC move limiting per VLAN, not per interface (port). In the default configuration, the number of MAC moves permitted is unlimited.
You can choose to have one of the following actions performed when the MAC move limit is exceeded:
- drop—Drop the packet and generate a system log entry. This is the default.
- log—Do not drop the packet but generate a system log entry.
- none—Take no action.
- shutdown—Disable the interfaces in the VLAN and generate a system log entry. If you have configured the switch with the port-error-disable statement, the disabled interfaces recover automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.
To configure a MAC move limit for MAC addresses within a specific VLAN or for MAC addresses within all VLANs, using the CLI:
- On a single VLAN: To limit the number of MAC address movements that can be made by an individual MAC address within the VLAN employee-vlan, set a MAC move limit of 5:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee-vlan mac-move-limit 5
The action is not specified, so the switch performs the default action drop if it tracks that an individual MAC address within the employee-vlan has moved more than 5 times within one second.
- On all VLANs: To limit the number of MAC movements that can be made by individual MAC addresses within all VLANs, set a MAC move limit of 5:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all mac-move-limit 5
The action is not specified, so the switch performs the default action drop if it tracks that an individual MAC address within any of the VLANs has moved more than 5 times within 1 second.
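The per-MAC counting described in the note and the four actions can be modelled in a few lines of Python. This is an added example, not Juniper code: the sliding 1-second window, the class and function names, and the sample MAC addresses and port names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 1.0  # seconds: the page's "within 1 second" (a sliding window is an assumption)

class MacMoveLimiter:
    """Toy model of MAC move limiting on one switch; not Junos code."""

    def __init__(self, limit, action="drop"):
        if action not in ("drop", "log", "none", "shutdown"):
            raise ValueError(f"unknown action: {action}")
        self.limit, self.action = limit, action
        self.location = {}               # (vlan, mac) -> port where the MAC was last learned
        self.moves = defaultdict(deque)  # (vlan, mac) -> timestamps of its recent moves
        self.disabled = set()            # VLANs whose interfaces were shut down
        self.syslog = []                 # one tuple per logged violation

    def observe(self, ts, vlan, mac, port):
        """Process one frame sighting and return the verdict for it."""
        if vlan in self.disabled:
            return "shutdown"
        key = (vlan, mac)
        prev = self.location.get(key)
        if prev is not None and prev != port:        # the MAC appeared on a new port
            recent = self.moves[key]
            while recent and ts - recent[0] >= WINDOW:
                recent.popleft()                     # forget moves older than the window
            recent.append(ts)
            if len(recent) > self.limit and self.action != "none":
                self.syslog.append((ts, vlan, mac, prev, port, self.action))
                if self.action == "shutdown":
                    self.disabled.add(vlan)
                    return "shutdown"
                if self.action == "drop":
                    return "drop"                    # move rejected, old location kept
        self.location[key] = port
        return "forward"

def replay(limit, action, events):
    """Run constructed events through a fresh limiter; return verdicts and the limiter."""
    limiter = MacMoveLimiter(limit, action)
    return [limiter.observe(*e) for e in events], limiter

# Constructed sample (timestamp in s, VLAN, MAC, port): two hosts in one VLAN.
SAMPLE = [
    (0.00, "employee-vlan", "00:00:5e:00:53:01", "ge-0/0/1"),
    (0.00, "employee-vlan", "00:00:5e:00:53:02", "ge-0/0/2"),
    (0.10, "employee-vlan", "00:00:5e:00:53:01", "ge-0/0/3"),  # host 01, first move
    (0.20, "employee-vlan", "00:00:5e:00:53:02", "ge-0/0/4"),  # host 02, first move
    (0.30, "employee-vlan", "00:00:5e:00:53:01", "ge-0/0/1"),  # host 01, second move
    (1.50, "employee-vlan", "00:00:5e:00:53:01", "ge-0/0/1"),  # after the window
]
```

With a limit of 1, the two first moves pass even though the VLAN sees three moves inside one second; only the second move of the same MAC address triggers the configured action.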
Published: 2014-07-23