Supported Platforms
Related Documentation
- EX Series, QFabric System, QFX Series standalone switches
- Port Security Overview
- Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks
- QFabric System, QFX Series standalone switches
- Understanding MAC Limiting and MAC Move Limiting for Port Security
- Overview of Access Port Protection
- Verifying That MAC Limiting Is Working Correctly
- Example: Configuring MAC Limiting to Protect the Switch from DHCP Starvation Attacks
- no-allowed-mac-log
Configuring MAC Limiting
To configure MAC limiting on a specific interface or on all interfaces:
- To limit the number of dynamic MAC addresses, set a MAC limit of 5. The action is not specified, so the switch performs the default action, drop, if the limit is exceeded:
  - On a single interface (here, the interface is xe-0/0/1):
      [edit ethernet-switching-options secure-access-port]
      user@switch# set interface xe-0/0/1 mac-limit 5
  - On all interfaces:
      [edit ethernet-switching-options secure-access-port]
      user@switch# set interface all mac-limit 5
  Caution: Do not set the MAC limit to 1. The first learned MAC address is often inserted into the forwarding database automatically. (For instance, the first MAC address inserted into the forwarding database for routed VLAN interfaces is the MAC address of the RVI. For Aggregated Ethernet bundles using LACP, the first MAC address inserted into the forwarding database is the source address of the protocol packet.) The switch therefore fails to learn MAC addresses other than the automatic addresses when the MAC limit is set to 1, and this causes problems with MAC learning and forwarding.
- To specify allowed MAC addresses:
  - On a single interface (here, the interface is xe-0/0/2):
      [edit ethernet-switching-options secure-access-port]
      user@switch# set interface xe-0/0/2 allowed-mac 00:05:85:3A:82:80
      user@switch# set interface xe-0/0/2 allowed-mac 00:05:85:3A:82:81
      user@switch# set interface xe-0/0/2 allowed-mac 00:05:85:3A:82:83
  - On all interfaces:
      [edit ethernet-switching-options secure-access-port]
      user@switch# set interface all allowed-mac 00:05:85:3A:82:80
      user@switch# set interface all allowed-mac 00:05:85:3A:82:81
      user@switch# set interface all allowed-mac 00:05:85:3A:82:83
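A pre-commit check for the statements above, as an added example that is not part of the original Juniper documentation: it scans pasted set commands and reports a MAC limit of 1 (the case the caution describes) along with malformed or repeated allowed-mac entries. The function name lint_mac_limiting and the sample input are assumptions made for illustration.

```python
import re

# Matches the two statements shown on this page, entered either from the
# top level or from [edit ethernet-switching-options secure-access-port].
STMT = re.compile(
    r"^set\s+(?:ethernet-switching-options\s+secure-access-port\s+)?"
    r"interface\s+(\S+)\s+(mac-limit|allowed-mac)\s+(\S+)"
)
MAC = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def lint_mac_limiting(config_text):
    """Return a sorted list of (interface, finding) tuples."""
    findings = set()
    seen_macs = {}  # interface -> set of lower-cased allowed MACs
    for raw in config_text.splitlines():
        # Tolerate a pasted CLI prompt such as "user@switch# ".
        line = re.sub(r"^\S+@\S+#\s*", "", raw.strip())
        m = STMT.match(line)
        if not m:
            continue
        ifname, keyword, value = m.groups()
        if keyword == "mac-limit":
            if not value.isdigit() or int(value) < 1:
                findings.add((ifname, f"invalid mac-limit {value!r}"))
            elif int(value) == 1:
                findings.add((ifname, "mac-limit 1: only the automatic address is learned"))
        else:
            if not MAC.match(value):
                findings.add((ifname, f"malformed allowed-mac {value!r}"))
                continue
            macs = seen_macs.setdefault(ifname, set())
            if value.lower() in macs:
                findings.add((ifname, f"duplicate allowed-mac {value.lower()}"))
            macs.add(value.lower())
    return sorted(findings)

# Constructed sample input, not captured from a real switch.
SAMPLE = """\
user@switch# set interface xe-0/0/1 mac-limit 5
user@switch# set interface xe-0/0/3 mac-limit 1
user@switch# set interface xe-0/0/2 allowed-mac 00:05:85:3A:82:80
user@switch# set interface xe-0/0/2 allowed-mac 00:05:85:3a:82:80
user@switch# set interface xe-0/0/2 allowed-mac 00:05:85:3A:82
"""

if __name__ == "__main__":
    for ifname, finding in lint_mac_limiting(SAMPLE):
        print(f"{ifname}: {finding}")
```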
Published: 2014-07-23