
  • 1.  EX2300 packet-action log

    Posted 06-22-2020 02:37



    I am fairly new at JunOS so grateful for any help on the below:


    I am attempting to configure MAC security on access ports on my EX2300 (18.1R3), but I just want to trap the MAC violation and not shut down or drop the packet.

    According to the manual it is a simple case of doing the following:


    set switch-options interface ge-0/0/0 interface-mac-limit 1 packet-action log


    The command takes but on a commit check I get the following:


    interface mac limit should be configured with drop/drop-and-log/shutdown action


    Does anyone know why I can't set a mac limit of 1 and just log a violation?

    Is it a limitation of the firmware?


    Grateful for any help



  • 2.  RE: EX2300 packet-action log
    Best Answer

    Posted 06-22-2020 02:44

    Hello yawksheer,


    referencing Juniper Techpub, "log" is not supported on EX2300:



    You can choose to have one of the following actions performed when the MAC move limit is exceeded:

    • drop—(EX2300, EX3400 and EX4300) Drop the packet, but do not generate an alarm.

    • drop-and-log—(EX2300, EX3400 and EX4300 only) Drop the packet and generate an alarm, an SNMP trap, or system log entry.

    • log—(EX4300 and EX9200) Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.

    • none—(EX4300 and EX9200) Forward packets with new source MAC addresses, and learn the new source MAC address.


    So it seems you have to configure "drop", "drop-and-log" or "shutdown" without "log".

  • 3.  RE: EX2300 packet-action log

    Posted 06-22-2020 02:50

    Hi yawksheer




    As per my understanding, the MAC limit configuration sets a limit on the number of MAC addresses that can be learned from the interface. Further, if it exceeds the threshold that you set, say more than 1 MAC learnt on this interface, you need to specify whether to drop the packet, drop and log the occurrence, or shut down the port.

    This specification will allow the commit; otherwise it doesn't know what to do if the threshold limit is crossed.


    Try using any of the below to make it work:

    set switch-options interface ge-0/0/0 interface-mac-limit 1 packet-action drop-and-log
    set switch-options interface ge-0/0/0 interface-mac-limit 1 packet-action drop
    set switch-options interface ge-0/0/0 interface-mac-limit 1 packet-action shutdown

    Use the link for understanding the configuration: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/packet-action-edit-bridge-domains-edit-protocols-l2-learning-edit-switch-options.html


    Hope this helps.


    Please mark "Accept as solution" if this answers your query. 


    Kudos are appreciated too! 



    Sharat Ainapur


  • 4.  RE: EX2300 packet-action log

    Posted 06-22-2020 03:15

    Hi yawksheer,

    As has been said in the above replies, this option is not available for your device model "EX2300"; however, you may use the following feature instead to help you monitor MAC learn/unlearn and send SNMP traps for those events



    If this solves your problem, please mark this post as "Accepted Solution."