Security Services Administration Guide
Verifying That MAC Limiting Is Working Correctly

24-Nov-23

MAC limiting protects against flooding of the Ethernet switching table by setting a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port).

Junos OS provides two methods for MAC limiting for port security:

  • Maximum number of MAC addresses—You configure the maximum number of dynamic MAC addresses allowed per interface. When the limit is exceeded, incoming packets with new MAC addresses can be ignored, dropped, or logged. You can also specify that the interface be shut down or temporarily disabled.

  • Allowed MAC addresses—You configure specific “allowed” MAC addresses for the access interface. Any MAC address that is not in the list of configured addresses is not learned, and the switch logs an appropriate message. The allowed MAC method binds MAC addresses to a VLAN so that the address is not registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.

Junos OS also allows you to set a MAC limit on VLANs. However, setting a MAC limit on VLANs is not considered a port security feature, because the switch does not prevent incoming packets that cause the MAC limit to be exceeded from being forwarded; it only logs the MAC addresses of these packets.

Note:

The information in this topic applies to non-ELS platforms. For ELS platforms, see Configuring MAC Limiting (ELS).

Verifying That MAC Limiting for Dynamic MAC Addresses Is Working Correctly

Purpose

Verify that MAC limiting for dynamic MAC addresses is working on the switch.

Action

Display the MAC addresses that have been learned. The following sample output shows the results when two packets were sent from hosts on ge-0/0/1 and five packets were sent from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 and the default action drop:

user@switch> show ethernet-switching table 
Ethernet-switching table:  7 entries, 6 learned

  VLAN                 MAC address         Type         Age    Interfaces

  employee-vlan        *                   Flood          -    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:77   Learn          0    ge-0/0/1.0
  employee-vlan        00:05:85:3A:82:79   Learn          0    ge-0/0/1.0
  employee-vlan        00:05:85:3A:82:80   Learn          0    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:81   Learn          0    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:83   Learn          0    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:85   Learn          0    ge-0/0/2.0
  

Meaning

The sample output shows that with a MAC limit of 4 for each interface, the packet for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. The address was not learned, and thus an asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.
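The check described above can be automated: count the Learn entries per interface and compare them with the configured limit, treating a Flood entry (the asterisk row) on an interface that is already at its limit as the sign that a new address was refused. The script below is an added example, not Juniper's code; it parses the non-ELS output format shown in this topic, the sample text is constructed to match that format, and the status names (ok, at-limit, limit-hit, over) are this example's own.

```python
"""Added example (not Juniper's code): parse the non-ELS 'show
ethernet-switching table' output and check each interface's learned MAC
count against the configured MAC limit."""
import re
from collections import Counter

# Constructed sample, modelled on the output format shown in this topic.
SAMPLE_TABLE = """\
Ethernet-switching table:  7 entries, 6 learned

  VLAN                 MAC address         Type         Age    Interfaces

  employee-vlan        *                   Flood          -    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:77   Learn          0    ge-0/0/1.0
  employee-vlan        00:05:85:3A:82:79   Learn          0    ge-0/0/1.0
  employee-vlan        00:05:85:3A:82:80   Learn          0    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:81   Learn          0    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:83   Learn          0    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:85   Learn          0    ge-0/0/2.0
"""

# One table row: VLAN, MAC (or '*' for the flood entry), Type, Age, Interface.
# The header and summary lines do not match because their second column is
# neither a MAC address nor '*'.
ROW_RE = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}|\*)\s+"
    r"(?P<type>\S+)\s+(?P<age>\S+)\s+(?P<iface>\S+)\s*$"
)


def parse_switching_table(text):
    """Return one dict per table row; header and summary lines are skipped."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def learned_per_interface(rows):
    """Count dynamically learned (Type 'Learn') addresses per interface."""
    counts = Counter(r["iface"] for r in rows if r["type"] == "Learn")
    return dict(counts)


def flood_interfaces(rows):
    """Interfaces carrying a '*' Flood entry, the sign in this topic's output
    that a frame arrived whose source MAC was not learned."""
    return sorted({r["iface"] for r in rows if r["mac"] == "*"})


def check_limit(rows, limit):
    """Classify every interface in the table against 'limit'.

    'ok'        fewer learned addresses than the limit
    'at-limit'  learned == limit, no Flood entry
    'limit-hit' learned == limit and a Flood entry is present (the drop or
                shutdown action has refused at least one new address)
    'over'      learned > limit (the log action records but does not block)
    """
    counts = learned_per_interface(rows)
    floods = set(flood_interfaces(rows))
    status = {}
    for iface in sorted(set(counts) | floods):
        n = counts.get(iface, 0)
        if n > limit:
            status[iface] = "over"
        elif n == limit and iface in floods:
            status[iface] = "limit-hit"
        elif n == limit:
            status[iface] = "at-limit"
        else:
            status[iface] = "ok"
    return status


if __name__ == "__main__":
    table = parse_switching_table(SAMPLE_TABLE)
    for iface, state in check_limit(table, limit=4).items():
        print(f"{iface}: {state}")
```

Run against the sample with a limit of 4, ge-0/0/1.0 reports ok and ge-0/0/2.0 reports limit-hit, which is exactly what the Meaning section above concludes. The same parser applies to the outputs for the allowed-MAC and action-setting verifications later in this topic, where a limit of 5 under the log action yields over rather than limit-hit.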

Verifying That MAC Limiting for a Specific Interface Within a Specific VLAN Is Working Correctly

Purpose

Verify that MAC limiting for a specific interface based on its membership within a specific VLAN is working on the switch.

Action

Display the detailed statistics for MAC addresses that have been learned:

user@switch> show ethernet-switching statistics mac-learning interface ge-0/0/28 detail

    Interface: ge-0/0/28.0
    Learning message from local packets:   0
    Learning message from transit packets: 5
    Learning message with error:           0
      Invalid VLAN:               0       Invalid MAC:                  0
      Security violation:         0       Interface down:               0
      Incorrect membership:       0       Interface limit:              0
      MAC move limit:             0       VLAN limit:                   0
                                          VLAN membership limit:        20
      Invalid VLAN index:         0       Interface not learning:       0
      No nexthop:                 0       MAC learning disabled:        0
      Others:                     0
  

Meaning

The VLAN membership limit counter shows the number of packets that were dropped because the VLAN membership MAC limit for interface ge-0/0/28.0 was exceeded. In this case, 20 packets were dropped.
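The detail output above pairs two counters on most lines, so a line-by-line split on the colon is not enough. The following added example (not Juniper's code) parses that output into a counter dictionary and reports the drop reasons that are non-zero, which is the figure a monitoring job would alert on. The sample text is constructed to match the format shown above.

```python
"""Added example (not Juniper's code): parse 'show ethernet-switching
statistics mac-learning interface <ifname> detail' output and report which
learning-drop counters are non-zero."""
import re

# Constructed sample, modelled on the output shown in this topic.
SAMPLE_STATS = """\
    Interface: ge-0/0/28.0
    Learning message from local packets:   0
    Learning message from transit packets: 5
    Learning message with error:           0
      Invalid VLAN:               0       Invalid MAC:                  0
      Security violation:         0       Interface down:               0
      Incorrect membership:       0       Interface limit:              0
      MAC move limit:             0       VLAN limit:                   0
                                          VLAN membership limit:        20
      Invalid VLAN index:         0       Interface not learning:       0
      No nexthop:                 0       MAC learning disabled:        0
      Others:                     0
"""

# 'Name: <integer>' pairs; two can share one line, so scan with findall.
# The 'Interface: ge-0/0/28.0' line is not matched because its value is
# not an integer.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s+(\d+)")
IFACE_RE = re.compile(r"Interface:\s+(\S+)")


def parse_mac_learning_stats(text):
    """Return (interface_name, {counter_name: value})."""
    m = IFACE_RE.search(text)
    iface = m.group(1) if m else None
    counters = {}
    for line in text.splitlines():
        for name, value in COUNTER_RE.findall(line):
            counters[name] = int(value)
    return iface, counters


def nonzero_drop_counters(counters):
    """Drop reasons with a non-zero count, i.e. the ones worth investigating.
    The three 'Learning message ...' totals are summaries, not drop reasons."""
    return {
        name: n
        for name, n in counters.items()
        if n and not name.startswith("Learning message")
    }


if __name__ == "__main__":
    iface, counters = parse_mac_learning_stats(SAMPLE_STATS)
    print(iface, nonzero_drop_counters(counters))
```

For the sample this returns ge-0/0/28.0 with VLAN membership limit: 20 as the only non-zero drop reason. Because the parser keeps every counter, the same function also surfaces Interface limit or Security violation when those are the reasons that fire.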

Verifying That Allowed MAC Addresses Are Working Correctly

Purpose

Verify that allowed MAC addresses are working on the switch.

Action

Display the MAC address cache information after allowed MAC addresses have been configured on an interface. The following sample shows the MAC address cache after 5 allowed MAC addresses were configured on interface ge-0/0/2. In this instance, the interface was also set to a dynamic MAC limit of 4 with the default action drop.

user@switch> show ethernet-switching table                                      
Ethernet-switching table:  5 entries, 4 learned

  VLAN                 MAC address         Type         Age    Interfaces

  employee-vlan        00:05:85:3A:82:80   Learn          0    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:81   Learn          0    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:83   Learn          0    ge-0/0/2.0
  employee-vlan        00:05:85:3A:82:85   Learn          0    ge-0/0/2.0
  employee-vlan        *                   Flood          -    ge-0/0/2.0

Meaning

Because the MAC limit value for this interface was set to 4, only four of the five configured allowed addresses were learned and thus added to the MAC address cache. Because the fifth address was not learned, an asterisk (*) rather than an address appears in the MAC address column in the last line of the sample output.

Verifying Results of Various Action Settings When the MAC Limit Is Exceeded

Purpose

Verify the results provided by the various action settings for MAC limits—drop, log, shutdown and none—when the limits are exceeded.

Action

Display the results of the various action settings.

Note:

You can view log messages by using the show log messages command. You can also have log messages displayed on your terminal as they are generated by using the monitor start messages command.

  • drop action—For MAC limiting configured with a drop action and with the MAC limit set to 5:

    user@switch> show ethernet-switching table
    Ethernet-switching table: 6 entries, 5 learned
    
      VLAN                 MAC address         Type         Age    Interfaces
    
      employee-vlan        *                   Flood          -    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:80   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:81   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:83   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:85   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:88   Learn          0    ge-0/0/2.0
    
  • log action—For MAC limiting configured with a log action and with MAC limit set to 5:

    user@switch> show ethernet-switching table
    Ethernet-switching table: 74 entries, 73 learned
    
      VLAN                 MAC address         Type         Age    Interfaces
    
      employee-vlan        *                   Flood          -    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:80   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:81   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:82   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:83   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:84   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:85   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:87   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:88   Learn          0    ge-0/0/2.0
      . . .
    
  • shutdown action—For MAC limiting configured with a shutdown action and with MAC limit set to 3:

    user@switch> show ethernet-switching table
    Ethernet-switching table: 4 entries, 3 learned
    
      VLAN                 MAC address         Type         Age    Interfaces
    
      employee-vlan        *                   Flood          -    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:82   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:84   Learn          0    ge-0/0/2.0
      employee-vlan        00:05:85:3A:82:87   Learn          0    ge-0/0/2.0
    
  • none action—If you set a MAC limit to apply to all interfaces on the switch, you can override that setting for a particular interface by specifying this action for that interface. See Override a MAC Limit Applied to All Interfaces.

Meaning

For the drop action results—The sixth MAC address exceeded the MAC limit. The request packet for that address was dropped. Only five MAC addresses have been learned on ge-0/0/2.

For the log action results—The sixth MAC address exceeded the MAC limit. No MAC addresses were blocked.

For the shutdown action results—The fourth MAC address exceeded the MAC limit. Only three MAC addresses have been learned on ge-0/0/2. The interface ge-0/0/1 is shut down.

For more information about interfaces that have been shut down, use the show ethernet-switching interfaces command.

user@switch> show ethernet-switching interfaces

Interface    State  VLAN members        Tag   Tagging  Blocking

bme0.32770   down   mgmt                      untagged unblocked
ge-1/0/0.0   down   v1                        untagged MAC limit exceeded
ge-1/0/1.0   up     v1                        untagged unblocked
ge-1/0/2.0   up     v1                        untagged unblocked
me0.0        up     mgmt                      untagged unblocked

Note:

You can configure the switch to recover automatically from this type of error condition by specifying the port-error-disable statement with a disable timeout value. The switch automatically restores the disabled interface to service when the disable timeout expires. The port-error-disable configuration does not apply to already existing error conditions. It impacts only error conditions that are detected after port-error-disable has been enabled and committed. To clear an already existing error condition and restore the interface to service, use the clear ethernet-switching port-error command.

Verifying That Interfaces Are Shut Down

Purpose

Verify that an interface is shut down when the MAC limit is exceeded.

Action

For more information about interfaces that have been shut down because the MAC limit was exceeded, use the show ethernet-switching interfaces command.

user@switch> show ethernet-switching interfaces

Interface    State  VLAN members        Tag   Tagging  Blocking

bme0.32770   down   mgmt                      untagged unblocked
xe-0/0/0.0   down   v1                        untagged MAC limit exceeded
xe-0/0/1.0   up     v1                        untagged unblocked
xe-0/0/2.0   up     v1                        untagged unblocked
me0.0        up     mgmt                      untagged unblocked

Note:

You can configure interfaces to recover automatically when the MAC limit has been exceeded by specifying the port-error-disable statement with a disable timeout value. The switch automatically restores the disabled interface to service when the disable timeout expires. The port-error-disable configuration does not apply to preexisting error conditions—it affects only error conditions that are detected after the port-error-disable statement has been enabled and the configuration has been committed. To clear a preexisting error condition and restore the interface to service, use the clear ethernet-switching port-error command.
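Both show ethernet-switching interfaces displays in this topic identify a shut-down interface by the text MAC limit exceeded in the Blocking column, while an interface that is merely down shows unblocked. The following added example (not Juniper's code) parses that output and separates the two cases, so that an operator knows which interfaces a port-error-disable timeout or the clear ethernet-switching port-error command would actually restore. The sample text is constructed to match the format shown above; the optional numeric Tag column is handled even though the samples leave it empty.

```python
"""Added example (not Juniper's code): parse 'show ethernet-switching
interfaces' output and list the interfaces the switch has blocked because the
MAC limit was exceeded."""
import re

# Constructed sample, modelled on the output shown in this topic.
SAMPLE_IFACES = """\
Interface    State  VLAN members        Tag   Tagging  Blocking

bme0.32770   down   mgmt                      untagged unblocked
ge-1/0/0.0   down   v1                        untagged MAC limit exceeded
ge-1/0/1.0   up     v1                        untagged unblocked
ge-1/0/2.0   up     v1                        untagged unblocked
me0.0        up     mgmt                      untagged unblocked
"""

# Interface, State, VLAN members, optional numeric Tag, Tagging, then the
# Blocking column, which may contain spaces ('MAC limit exceeded'). The
# header line does not match because 'State' is neither 'up' nor 'down'.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<state>up|down)\s+(?P<vlans>\S+)\s+"
    r"(?:(?P<tag>\d+)\s+)?(?P<tagging>tagged|untagged)\s+(?P<blocking>.+?)\s*$"
)


def parse_interfaces(text):
    """Return one dict per interface row."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]


def mac_limit_blocked(rows):
    """Interfaces whose Blocking column reports 'MAC limit exceeded'."""
    return sorted(r["iface"] for r in rows
                  if r["blocking"] == "MAC limit exceeded")


def down_but_unblocked(rows):
    """Down interfaces with no blocking reason: not a MAC-limit event, so not
    something the port-error recovery described above would restore."""
    return sorted(r["iface"] for r in rows
                  if r["state"] == "down" and r["blocking"] == "unblocked")


if __name__ == "__main__":
    rows = parse_interfaces(SAMPLE_IFACES)
    print("MAC limit exceeded:", mac_limit_blocked(rows))
    print("down, not blocked: ", down_but_unblocked(rows))
```

On the sample, ge-1/0/0.0 is the only interface blocked by the MAC limit, while bme0.32770 is down for an unrelated reason and is left alone.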

Customizing the Ethernet Switching Table Display to View Information for a Specific Interface

Purpose

You can use the show ethernet-switching table command to view information about the MAC addresses learned on a specific interface.

Action

For example, to display the MAC addresses learned on ge-0/0/2 interface, type:

user@switch> show ethernet-switching table interface ge-0/0/2.0
Ethernet-switching table: 1 unicast entries

  VLAN              MAC address       Type         Age Interfaces

  v1                *                 Flood          - All-members
  v1                00:00:06:00:00:00 Learn          0 ge-2/0/0.0

Meaning

The MAC limit value for ge-0/0/2 was set to 1, and the output shows that only one MAC address was learned and thus added to the MAC address cache. An asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.
