Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Understanding MAC Limiting on Layer 3 Routing Interfaces


The MAC limiting feature provides a mechanism for limiting MAC addresses on devices that are connected to a Layer 3 routed Gigabit Ethernet (GE), Fast Ethernet (FE), or 10 Gigabit Ethernet (XE) interface. With MAC filters, you can allow traffic with specific source MAC. Software-based MAC limiting is supported. MAC limiting is applicable only on interfaces with plain Ethernet or VLAN tagged encapsulation.

Both the physical interface level source-address-filter and logical interface level accept-source-mac configurations are supported on SRX100, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, and SRX650 devices. (Platform support depends on the Junos OS release in your installation.) The following considerations apply when you configure the source-address-filter and accept-source-mac statements:

  • If only the logical level accept-source-mac statement is configured, traffic from only those configured MAC addresses will be allowed on the logical interface.

  • If only the physical interface level source-address-filter statement is configured, the physical interface’s allowed MAC addresses are also considered the allowed addresses for all the logical interfaces belonging to the physical interface. Incoming packets from any other source MAC addresses are dropped.

  • If the physical interface level source-address-filter is configured under gigether-options (or fastether-options) and accept-source-mac is configured for one or more of its logical interfaces or VLANs, the allowed list of addresses is a combination of MAC addresses specified in both the statements. For logical interfaces and VLANs where the accept-source-mac statement is not configured, the physical interface’s allowed list of addresses is considered.

You can configure an interface to receive packets from specific MAC addresses. To do this, specify the MAC addresses in the source-address-filter or accept-source-mac statements:

  • Logical level MAC filter configuration on an untagged interface

  • Physical level MAC filter configuration on an untagged interface

  • Physical and logical level MAC filter configurations on a tagged interface


On untagged Gigabit Ethernet interfaces, you must not configure the source-address-filter and the accept-source-mac statements simultaneously. If these statements are configured for the same interfaces at the same time, an error message appears. However, in the case of tagged VLANs, both these statements can be configured simultaneously, if no identical MAC addresses are specified.


The following limitations apply to MAC limiting support on Layer 3 routed GE, AE, FE, or XE interfaces:

  • You can configure only 32 MAC addresses per device (except on aggregated Ethernet interfaces, where the limit is 64 addresses per logical interface).

  • Only software-based MAC filtering is supported. Software-based MAC filtering impacts performance. The performance impact is proportional to the number of MAC addresses configured.

  • MAC-based policer or rate limiting is not supported.

  • You cannot configure broadcast or multicast address in the source-address-filter statement.

  • MAC filtering is not supported on aggregated Ethernet (AE) interfaces (it is supported on some platforms; see Feature Explorer for platform specifics); or on Fabric Ethernet, Point-to-Point Protocol over Ethernet (PPPoE), Routed VLAN interface (RVI), or VLAN interfaces.

    MAC filtering is not supported on chassis clusters.

  • If you configure MAC filtering on the AE interface, you must configure the interface with accept-source-mac (that is, not with source-address-filter) and with family ethernet-switching.