It’s bizarre how difficult this answer was to find. The feature that mimics Cisco’s switchport port-security mac-address sticky feature on Juniper platforms is ethernet-switching-options secure-access-port vlan (all vlan-name) mac-move-limit. Juniper’s Technical Documentation on MAC Move Limiting: MAC Move Limiting MAC move limiting prevents hosts whose MAC addresses have not been learned by the switch from accessing the network.

Initial learning results when the host sends DHCP requests. If a new MAC address is detected on an interface, the packet is trapped to the switch. In general, when a host moves from one interface to another, the host has to renegotiate its IP address and lease (or be reauthenticated if 802.1X is configured on the switch). The DHCP request sent by the host can be one for a new IP address or one to validate the old IP address.


If 802.1X is not configured, the Ethernet switching table entry is flushed from the original interface and added to the new interface. These MAC movements are tracked, and if more than the configured number of moves happens within one second, the configured action is performed. Actions for MAC Limiting and MAC Move Limiting You can choose to have one of the following actions performed when the limit of MAC addresses or the limit of MAC moves is reached:. drop—Drop the packet and generate an alarm, an SNMP trap, or a system log entry. log—Do not drop the packet but generate an alarm, an SNMP trap, or a system log entry.

none—Take no action. shutdown—Block data traffic on the interface and generate an alarm.

Juniper Mac Address Lookup

If you do not set an action, then the action is none. You can also explicitly set none as the action.