mac-move-limit
Syntax
mac-move-limit { limit; <action action | packet-action action>; }
Hierarchy Level
For platforms with ELS:
[edit vlans vlan-name switch-options]
For platforms without ELS:
[edit ethernet-switching-options secure-access-port vlan (all | vlan-name)]
Description
Specify the number of times a MAC address can move to a new interface (port) in one second and the action to be taken by the switch if the MAC address move limit is exceeded.
Starting in Junos OS 14.1X53-D51, do not configure both the no-mac-learning statement at [edit ethernet-switching-options interfaces interface-name] and the mac-move-limit statement. Because MAC move limiting requires that the device learns MAC addresses, you cannot disable MAC learning.
Default
If you do not specify mac-move-limit, the default MAC address move limit is unlimited.
Options
limit—Maximum number of moves to a new interface per second.
action action—(Optional) (Available only under the hierarchy level [edit ethernet-switching-options secure-access-port vlan (all | vlan-name) mac-move-limit]) Action to take when the MAC address move limit is reached:
  drop—Drop the packet and generate a system log entry. This is the default.
  log—Do not drop the packet but generate a system log entry.
  none—No action.
  shutdown—Logically disable the interface and generate a system log entry. If you have configured the switch with the port-error-disable statement, the disabled interfaces recover automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.
packet-action action—(Optional) (Available only under the hierarchy level [edit vlans vlan-name switch-options mac-move-limit]) Action to take when the MAC address move limit is reached:
  Note: There is no default action.
  drop—Drop the packet and do not generate an alarm.
  drop and log—Drop the packet and generate an alarm, an SNMP trap, or system log entry.
  log—Do not drop the packet, but generate an alarm, an SNMP trap, or a system log entry.
  none—No action.
  shutdown—Logically disable the interface and generate an alarm or an SNMP trap. If you have configured the interface with the recovery-timeout statement, the disabled interface recovers automatically upon expiration of the specified timeout. If you have not configured the interface for a recovery timeout, you can bring up the disabled interface by running the operational command clear ethernet-switching recovery-timeout.
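Added example (not part of the Juniper documentation): a Python check that audits configuration lines in set format against the rules stated above, namely which action keyword belongs to which hierarchy level, the missing default action on ELS platforms, and the conflict with no-mac-learning. The VLAN and interface names, the sample lines, and their exact token layout are constructed assumptions.

```python
# Constructed samples in "set" display format. VLAN and interface names, and the
# exact token layout of each line, are assumptions made for this example.
ELS_SAMPLE = """\
set vlans employee-vlan switch-options mac-move-limit 5 packet-action shutdown
set vlans guest-vlan switch-options mac-move-limit 3
set vlans lab-vlan switch-options mac-move-limit 2 action drop
"""
NON_ELS_SAMPLE = """\
set ethernet-switching-options secure-access-port vlan all mac-move-limit 1 action shutdown
set ethernet-switching-options interfaces ge-0/0/1.0 no-mac-learning
"""

def audit(config):
    """Return findings for mac-move-limit lines that break the rules on this page."""
    findings, no_learning, move_limited = [], [], False
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] != ["set"]:
            continue
        # Non-ELS interfaces with MAC learning disabled.
        if tok[1:3] == ["ethernet-switching-options", "interfaces"] and tok[-1] == "no-mac-learning":
            no_learning.append(tok[3])
        if "mac-move-limit" not in tok:
            continue
        els = "switch-options" in tok  # [edit vlans vlan-name switch-options]
        if not els and "vlan" not in tok:
            continue  # not one of the two hierarchy levels covered here
        move_limited = True
        vlan = tok[2] if els else tok[tok.index("vlan") + 1]
        rest = tok[tok.index("mac-move-limit") + 1:]
        expected, other = ("packet-action", "action") if els else ("action", "packet-action")
        if other in rest:
            findings.append(f"{vlan}: '{other}' is not available at this level, use '{expected}'")
        elif els and expected not in rest:
            # ELS has no default action; non-ELS defaults to drop.
            findings.append(f"{vlan}: no packet-action configured and there is no default")
    if move_limited:
        # Move limiting needs MAC learning (restriction stated from 14.1X53-D51 on).
        findings += [f"{i}: no-mac-learning conflicts with mac-move-limit" for i in no_learning]
    return findings

if __name__ == "__main__":
    for name, cfg in (("ELS", ELS_SAMPLE), ("non-ELS", NON_ELS_SAMPLE)):
        for finding in audit(cfg):
            print(f"[{name}] {finding}")
```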
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 9.0.
Hierarchy level [edit vlans vlan-name switch-options] introduced in Junos OS Release 13.2X50-D10. (See Using the Enhanced Layer 2 Software CLI for information about ELS.)