Example: Configuring MAC Limiting on a Security Device

This example shows how to configure port security features by setting a MAC limit of 5.

Requirements

Before you begin, verify that the interfaces that will be used are in switch mode. See Example: Configuring Switching Modes on Security Devices and Understanding Switching Modes on Security Devices.

Overview

MAC limiting protects against flooding of the Ethernet switching table on the SRX Series Services Gateways. MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access interface (port).

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

[edit]
set switch-options interface ge-0/0/1 interface-mac-limit 5
set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AA
set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AB
set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AC

Configuration

Step-by-Step Procedure

No action is specified, so the device performs the default action, drop, when the limit is exceeded:

  1. Set the MAC limit on a single interface (here, the interface is ge-0/0/1):

     [edit]
     set switch-options interface ge-0/0/1 interface-mac-limit 5

  2. To allow only specific source MAC addresses, configure a source-address filter:
    • On a single interface (here, the interface is ge-0/0/2):

     [edit]
     set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AA
     set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AB
     set interfaces ge-0/0/2 ether-options source-address-filter 00:00:5E:00:AC

  3. Enter commit from configuration mode.

Verification

Verifying That MAC Limiting Is Working Correctly on the Services Gateway

Purpose

Verify that MAC limiting is working on the services gateway.

Action

Display the learned MAC addresses. The following sample output shows the results when two packets were sent from hosts on ge-0/0/1 and five packets were sent from hosts on ge-0/0/2, with both interfaces set to a MAC limit of 4 with the action drop:

Meaning

The sample output shows that with a MAC limit of 4 for each interface, the packet for a fifth MAC address on ge-0/0/2 was dropped because it exceeded the MAC limit. The address was not learned, and thus an asterisk (*) rather than an address appears in the MAC address column in the first line of the sample output.
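To make the mechanism concrete, the following is a small Python model of an Ethernet switching table under per-interface MAC limiting. It is an added example, not Junos code and not part of this page; the Port and SwitchingTable names and all MAC addresses are constructed. It replays the verification scenario above (two hosts on ge-0/0/1, five on ge-0/0/2, limit 4 on both, default action drop) and separately shows a source-address-filter list rejecting an unlisted source.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """A Layer 2 access interface with its MAC limit (constructed model, not Junos code)."""
    name: str
    mac_limit: int
    allowed: frozenset = frozenset()  # source-address-filter list; empty means no filter
    learned: list = field(default_factory=list)

class SwitchingTable:
    """Toy Ethernet switching table that enforces interface-mac-limit per port."""
    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}
        self.rows = []  # (mac, port) in learning order; '*' marks a dropped, unlearned address

    def receive(self, port_name, src_mac):
        """Process one frame's source MAC on a port; returns the action taken."""
        port = self.ports[port_name]
        mac = src_mac.lower()
        if port.allowed and mac not in port.allowed:
            return "drop"  # source is not on the port's filter list
        if mac in port.learned:
            return "forward"  # known address: the limit is not consulted
        if len(port.learned) >= port.mac_limit:
            self.rows.append(("*", port_name))  # limit reached: default action drop, not learned
            return "drop"
        port.learned.append(mac)
        self.rows.append((mac, port_name))
        return "forward"

def verification_scenario():
    """Replay the verification: 2 hosts on ge-0/0/1, 5 on ge-0/0/2, limit 4 on both (constructed MACs)."""
    table = SwitchingTable(Port("ge-0/0/1", 4), Port("ge-0/0/2", 4))
    actions = {"ge-0/0/1": [], "ge-0/0/2": []}
    for i in range(2):
        actions["ge-0/0/1"].append(table.receive("ge-0/0/1", f"00:00:5e:00:01:{i:02x}"))
    for i in range(5):
        actions["ge-0/0/2"].append(table.receive("ge-0/0/2", f"00:00:5e:00:02:{i:02x}"))
    return table, actions

def filter_scenario():
    """A port with a source-address-filter list only learns listed sources (constructed MACs)."""
    allowed = frozenset({"00:00:5e:00:53:aa", "00:00:5e:00:53:ab"})
    table = SwitchingTable(Port("ge-0/0/2", 5, allowed))
    return [table.receive("ge-0/0/2", m) for m in ("00:00:5E:00:53:AA", "00:00:5e:00:53:ff")]

if __name__ == "__main__":
    print(verification_scenario()[1], filter_scenario())
```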