Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


mac-limit (Access Port Security)


Hierarchy Level


Set a limit on the number of MAC addresses that can be added to the Ethernet switching table.

  • [edit ethernet-switching options secure-access-port interface]—Set the MAC address learning limit for a specific interface, for a range of interfaces, or for all interfaces on the switch.

  • [edit ethernet-switching options secure-access-port interface interface-name vlan vlan-name]—Set the MAC address learning limit for a specific interface as a member of a specific VLAN (VLAN membership MAC limit).


    If you set the MAC address limit on a specific interface as a member of a specific VLAN (VLAN membership MAC limit), the switch drops any additional packets when the VLAN membership MAC limit is exceeded and logs the MAC addresses of those packets. You cannot specify a different action for this specific configuration. If a single interface belongs to more than one VLAN, you can set separate VLAN membership MAC limits for the same interface.

When you reset the number of MAC addresses, the MAC address table is not automatically cleared. Previous entries remain in the table after you reduce the number of addresses, so you should clear the forwarding table for the specified interface or MAC address. Use the clear ethernet-switching table command to clear the existing MAC addresses from the table.


The default action is drop.


action action—(Optional) Action to take when the MAC address limit for an interface or for all interfaces is exceeded:

  • drop—Drop the packet and generate a system log entry.

  • log—Do not drop the packet but generate a system log entry.

  • none—No action.

  • shutdown—Disable the interface and generate a system log entry. If you have configured the switch with the port-error-disable statement, the disabled interface recovers automatically upon expiration of the specified disable timeout. If you have not configured the switch for autorecovery from port error disabled conditions, you can bring up the disabled interfaces by running the clear ethernet-switching port-error command.

limit—Maximum number of MAC addresses.

Required Privilege Level

system—To view this statement in the configuration.system–control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 9.0.