Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How to control MAC address access through the JUNOS for EX-series switch



Article ID: KB10866 KB Last Updated: 05 Mar 2017Version: 5.0
JUNOS for EX-series software allows the user control of MAC address through a single port by setting Mac Limit and Allowed MAC. The information below explains how to set MAC access control on the switch.


MAC limiting protects against flooding of the Ethernet switching table (also known as the MAC forwarding table or Layer 2 forwarding table). This feature is enabled  on interfaces (ports).

MAC limiting sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access port. JUNOS software provides two MAC limiting methods: 

  • Maximum number of MAC addresses—You configure the maximum number of dynamic MAC addresses allowed per port. As soon as the limit is reached, incoming packets with new MAC addresses are dropped. The MAC limit value in the EX-series switch default configuration is five MAC addresses.

  • Allowed MAC—You configure specific “allowed” MAC addresses for the access port. Any MAC address that is not in the list of configured addresses is not learned. Allowed MAC binds MAC addresses to a VLAN so that the address does not get registered outside the VLAN. If an allowed MAC setting conflicts with a dynamic MAC setting, the allowed MAC setting takes precedence.

MAC limiting is configured in [edit ethernet-switching-options secure-access-port] hierarchy.  It  sets a limit on the number of MAC addresses that can be learned on a single Layer 2 access port, for example to set limit of 3 for interface ge-0/0/1 with action drop:

[edit ethernet-switching-options secure-access-port]
user@switch> show
        interface ge-0/0/1.0 {
            mac-limit 3 action drop;

[edit ethernet-switching-options secure-access-port]
user@switch> show
secure-access-port {
        interface ge-0/0/2.0 {
            allowed-mac {


In case the Allowed MAC list is longer than MAC Limit number, only the first addresses in Allowed MAC. If MAC limit is set to 3 (for example) and Allowed MAC List contains more than 3 entries, the switch will learn only the first 3 addresses on the Allowed MAC list.


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search