Configuring MAC Move Limiting (CLI Procedure) - Juniper JUNOS OS 10.3 - SOFTWARE Manual

For EX Series Ethernet Switches

Configuring MAC Move Limiting (CLI Procedure)

Copyright © 2010, Juniper Networks, Inc.
MAC move limiting detects MAC address movement and MAC address spoofing on access
ports. MAC address movements are tracked, and if a MAC address moves more than the
configured number of times within one second, the configured (or default) action is
performed. You enable this feature on VLANs.
NOTE: Although you enable this feature on VLANs, the MAC move limitation
pertains to the number of movements for each individual MAC address rather
than the total number of MAC address moves in the VLAN. For example, if
the MAC move limit is set to 1, the switch allows an unlimited number of MAC
address movements within the VLAN as long as the same MAC address does
not move more than once.
You configure MAC move limiting per VLAN, not per interface (port). In the default
configuration, the number of MAC moves permitted is unlimited.
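The per-address counting rule in the NOTE above can be modeled offline, for example to review MAC learning events exported from a switch. The following Python sketch is an added example, not Juniper code: the event tuple format, the VLAN names, the function name, and the use of a sliding one-second window are assumptions, and it only reports violations rather than performing any switch action.

```python
from collections import defaultdict, deque

WINDOW = 1.0  # seconds; the page counts moves "within one second"

# Constructed learning events: (timestamp, vlan, mac, port), time-ordered.
SAMPLE_EVENTS = [
    (0.00, "employee-vlan", "00:00:5e:00:53:01", "ge-0/0/1"),
    (0.00, "employee-vlan", "00:00:5e:00:53:02", "ge-0/0/2"),
    (0.10, "employee-vlan", "00:00:5e:00:53:01", "ge-0/0/3"),  # :01 moves once
    (0.20, "employee-vlan", "00:00:5e:00:53:02", "ge-0/0/4"),  # :02 moves once
    (5.00, "employee-vlan", "00:00:5e:00:53:09", "ge-0/0/5"),
    (5.10, "employee-vlan", "00:00:5e:00:53:09", "ge-0/0/6"),  # :09 move 1
    (5.40, "employee-vlan", "00:00:5e:00:53:09", "ge-0/0/5"),  # :09 move 2
    (7.50, "employee-vlan", "00:00:5e:00:53:09", "ge-0/0/6"),  # window expired
    (9.00, "guest-vlan", "00:00:5e:00:53:0a", "ge-0/0/7"),
    (9.10, "guest-vlan", "00:00:5e:00:53:0a", "ge-0/0/8"),
    (9.20, "guest-vlan", "00:00:5e:00:53:0a", "ge-0/0/7"),  # no limit on VLAN
]

def find_move_violations(events, limits):
    """Return (ts, vlan, mac, old_port, new_port) for each move over the limit.

    limits maps VLAN name -> moves allowed per MAC per WINDOW; a VLAN that is
    absent is unlimited, matching the default described on the page.
    """
    last_port = {}              # (vlan, mac) -> port the MAC was last seen on
    moves = defaultdict(deque)  # (vlan, mac) -> timestamps of recent moves
    violations = []
    for ts, vlan, mac, port in events:
        key = (vlan, mac.lower())
        prev = last_port.get(key)
        last_port[key] = port
        if prev is None or prev == port:
            continue            # first sighting or same port: not a move
        recent = moves[key]
        recent.append(ts)
        while ts - recent[0] >= WINDOW:
            recent.popleft()    # forget moves older than the window
        limit = limits.get(vlan)
        if limit is not None and len(recent) > limit:
            violations.append((ts, vlan, key[1], prev, port))
    return violations

if __name__ == "__main__":
    for v in find_move_violations(SAMPLE_EVENTS, {"employee-vlan": 1}):
        print("MAC move limit exceeded:", v)
```

With a limit of 1 on the constructed employee-vlan, two different addresses that each move once are not reported, while the single address that moves twice within the window is.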
You can choose to have one of the following actions performed when the MAC move
limit is exceeded:
- drop—Drop the packet and generate an alarm, an SNMP trap, or a system log entry.
  This is the default.
- log—Do not drop the packet but generate an alarm, an SNMP trap, or a system log
  entry.
- none—Take no action.
- shutdown—Disable the interfaces in the VLAN and generate an alarm. If you have
  configured the switch with the port-error-disable statement, the disabled interfaces
  recover automatically upon expiration of the specified disable timeout. If you have not
  configured the switch for autorecovery from port error disabled conditions, you can
  bring up the disabled interfaces by running the clear ethernet-switching port-error
  command.
Chapter 95: Configuring Port Security
