Juniper Junos OS EX 4300 Series Ethernet Switch Port Security

Interface configuration
set switch-options interface ge-2/0/17.0 interface-mac-limit 1
set switch-options interface ge-2/0/17.0 interface-mac-limit packet-action drop-and-log
set switch-options interface ge-2/0/17.0 persistent-learning

Clear a specific interface's MAC database and remove its port-security configuration
run clear ethernet-switching table interface ge-2/0/17.0
delete switch-options interface ge-2/0/17.0

Troubleshooting and verification
show interfaces ge-2/0/17 detail
show ethernet-switching interface ge-2/0/17
show ethernet-switching interface ge-2/0/17.0 brief

show configuration switch-options interface ge-2/0/17.0

interface-mac-limit {
    3;
    packet-action drop-and-log;
}
persistent-learning;

show ethernet-switching table interface ge-2/0/17.0

MAC database for interface ge-2/0/17.0

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC)

Ethernet switching table : 73 entries, 73 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical
    name                address             flags              interface
    vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0
    vlan.110            56:45:34:23:12:01   P             -   ge-2/0/17.0
    vlan.110            23:12:01:56:45:34   P             -   ge-2/0/17.0

show ethernet-switching table | match "01:12:23:34:45:56"

vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0

show ethernet-switching table | match "ge-2/0/17.0"
    vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0
    vlan.110            56:45:34:23:12:01   P             -   ge-2/0/17.0
    vlan.110            23:12:01:56:45:34   P             -   ge-2/0/17.0

show ethernet-switching interface ge-2/0/17.0
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
                         LH - MAC limit hit, DN - interface down,
                         SCTL - shutdown by Storm-control )

Logical             Vlan          TAG     MAC         STP               Logical              Tagging
interface           members               limit       state             interface flags
ge-2/0/17.0                               3                                AD,LH              untagged
                    vlan.110      110     65535       Forwarding                              untagged

show log messages | match ge-2/0/17
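
Added example (not part of the original notes): a small Python audit that parses saved output of "show ethernet-switching interface" and "show ethernet-switching table" and reports, per MAC-limited port, the configured limit, the number of MACs in the table, and whether the LH (MAC limit hit) and AD (packet action drop) flags are set. It assumes the column layout shown above; the ge-2/0/18.0 rows and the D-flag MAC are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample input, modelled on the CLI output shown on this page.
IFACE_OUT = """\
Logical             Vlan          TAG     MAC         STP               Logical              Tagging
interface           members               limit       state             interface flags
ge-2/0/17.0                               3                                AD,LH              untagged
                    vlan.110      110     65535       Forwarding                              untagged
ge-2/0/18.0                               3                                                   untagged
                    vlan.110      110     65535       Forwarding                              untagged
"""
TABLE_OUT = """\
    vlan.110            01:12:23:34:45:56   P             -   ge-2/0/17.0
    vlan.110            56:45:34:23:12:01   P             -   ge-2/0/17.0
    vlan.110            23:12:01:56:45:34   P             -   ge-2/0/17.0
    vlan.110            02:00:00:00:00:01   D             -   ge-2/0/18.0
"""

FLAGS = {"DL", "AD", "LH", "DN", "SCTL"}  # flag legend printed by the CLI
IFL_ROW = re.compile(r"^(\S+\.\d+)\s+(\d+)\s*(.*)$")  # name, MAC limit, rest
MAC_ROW = re.compile(
    r"^\s*\S+\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\S+\s+\S+\s+(\S+)\s*$", re.I)

def parse_limits(text):
    """Return {logical interface: (mac_limit, set of interface flags)}."""
    ports = {}
    for line in text.splitlines():
        m = IFL_ROW.match(line)
        if not m:
            continue  # headers, legend and indented VLAN-member rows
        first = m.group(3).split()[:1]  # flags column may be empty
        flags = set(first[0].split(",")) if first else set()
        ports[m.group(1)] = (int(m.group(2)), flags if flags <= FLAGS else set())
    return ports

def parse_macs(text):
    macs = defaultdict(set)  # logical interface -> MAC addresses in the table
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            macs[m.group(2)].add(m.group(1).lower())
    return macs

def audit(iface_text, table_text):
    """One row per MAC-limited port: limit, learned count, LH/AD state."""
    macs = parse_macs(table_text)
    return [{"ifl": ifl, "limit": limit, "learned": len(macs[ifl]),
             "limit_hit": "LH" in flags, "dropping": "AD" in flags}
            for ifl, (limit, flags) in sorted(parse_limits(iface_text).items())]
```

Calling audit(IFACE_OUT, TABLE_OUT) returns one dictionary per port; a port with limit_hit set is the one to look up in "show log messages".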

Links:
https://forums.juniper.net/t5/Ethernet-Switching/EX4300-Port-Security-MAC-Limiting-Allowed-MAC-amp-ELS/td-p/308978
http://www.juniper.net/documentation/en_US/junos10.2/topics/task/configuration/port-security-cli.html
http://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/ex4300/port-security.pdf
https://www.juniper.net/documentation/en_US/junos/topics/task/verification/port-security-qfx-series-mac-limiting.html
http://forums.juniper.net/t5/Junos/Mac-Filtering-on-EX4200-JUNOS/td-p/48473
https://networkengineering.stackexchange.com/questions/19181/how-can-i-view-a-list-of-which-macs-an-interface-is-restricted-to-on-a-juniper-s
