Thanks guys for the answers. I should be more precise. I understand the concept of MAC limiting. I'm just not sure about this single case where, along with the interface name and MAC limit, you also specify a VLAN. Since MAC limiting can only be enabled on an access port, this makes little sense.
Are you sure this can only be applied to Access interfaces? I do not see anything in the documentation that states this limitation, such that MAC limits could not be set on L2 Trunk or Tagged interfaces:
MAC limiting is configured on Layer 2 interfaces. You can specify the maximum number of dynamic MAC addresses that can be learned on a single interface, all interfaces, or a specific interface on the basis of its membership within a VLAN (VLAN membership MAC limit).
See below and its associated links for more details:
[edit ethernet-switching options secure-access-port interface interface-name vlan vlan-name]—Set the MAC address learning limit for a specific interface as a member of a specific VLAN (VLAN membership MAC limit).
Note:- If you set the MAC address limit on a specific interface as a member of a specific VLAN (VLAN membership MAC limit), the switch drops any additional packets when the VLAN membership MAC limit is exceeded and logs the MAC addresses of those packets. You cannot specify a different action for this specific configuration. If a single interface belongs to more than one VLAN, you can set separate VLAN membership MAC limits for the same interface.
I understand your view, and yes if only applicable to an access interface, and not tagged/trunk, then addition of VLAN makes little to no sense as a requirement - could somehow be related to the implementation, I guess.
I assume you think access only from this statement:
MAC limiting sets a limit on the number of MAC addresses that can be learned dynamically on a single Layer 2 access interface or on all the Layer 2 access interfaces on the services gateway.
I would NOT trust that the use of the word Access above equates to true Access port, versus any port. I would "think" that if not supported on L2 tagged/trunk interface (where VLAN would then matter for sure) that some NOTE saying so might be present, but who knows???
I think it is best to just accept that the VLAN is needed in the command structure and leave it at that...
First of all mac-limit can be applied to access ports only and is usually done with:
set ethernet-switching-options secure-access-port interface ge-0/0/1 mac-limit 1
My question was about a version of the above that allows you to set mac-limit per port per VLAN:
set ethernet-switching-options secure-access-port interface ge-0/0/1 vlan 100 mac-limit 1
I did some tests and was able to use it on a VoIP port where, instead of setting the MAC limit to 2, I was able to set the limit to 1 for data and 1 for voice. This way I was unable to use 2 PCs only or 2 phones only, but with 1 PC and 1 phone it worked fine.
Mar 22 16:33:54 exA-1 eswd: ESWD_VMEMBER_MAC_LIMIT_DROP: vlan data mac 00:26:88:00:00:02 (tag 100) interface ge-0/0/1.0, per port per vlan limit exceeded
Mar 22 16:33:56 exA-1 last message repeated 2 times
Mar 22 16:37:54 exA-1 eswd: ESWD_VMEMBER_MAC_LIMIT_DROP: vlan voip mac 00:26:88:00:00:04 (tag 200) interface ge-0/0/1.0, per port per vlan limit exceeded
Mar 22 16:37:57 exA-1 last message repeated 2 times
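For monitoring these drops, here is an added example (not part of the thread and not Juniper code) that tallies ESWD_VMEMBER_MAC_LIMIT_DROP events per interface, VLAN and MAC, crediting syslog "last message repeated N times" lines to the preceding drop. The function name and the assumption that every line follows the exact layout of the log lines in the post above are mine.

```python
import re
from collections import Counter

# Log lines taken from the post above, one syslog message per line.
SAMPLE = """\
Mar 22 16:33:54 exA-1 eswd: ESWD_VMEMBER_MAC_LIMIT_DROP: vlan data mac 00:26:88:00:00:02 (tag 100) interface ge-0/0/1.0, per port per vlan limit exceeded
Mar 22 16:33:56 exA-1 last message repeated 2 times
Mar 22 16:37:54 exA-1 eswd: ESWD_VMEMBER_MAC_LIMIT_DROP: vlan voip mac 00:26:88:00:00:04 (tag 200) interface ge-0/0/1.0, per port per vlan limit exceeded
Mar 22 16:37:57 exA-1 last message repeated 2 times
"""

# Assumption: the field layout is exactly as in the lines above.
DROP = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) eswd: ESWD_VMEMBER_MAC_LIMIT_DROP: "
    r"vlan (?P<vlan>\S+) mac (?P<mac>[0-9a-fA-F:]{17}) \(tag (?P<tag>\d+)\) "
    r"interface (?P<ifl>[^,\s]+),"
)
REPEAT = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) last message repeated (?P<n>\d+) times?$")

def summarize_drops(text):
    """Count drops per (host, interface, vlan, tag, mac). A 'last message
    repeated N times' line adds N to the previous drop from the same host."""
    counts = Counter()
    last = {}  # host -> key of its last message, or None if that was not a drop
    for line in text.splitlines():
        line = line.strip()
        m = DROP.match(line)
        if m:
            key = (m["host"], m["ifl"], m["vlan"], int(m["tag"]), m["mac"].lower())
            counts[key] += 1
            last[m["host"]] = key
            continue
        r = REPEAT.match(line)
        if r:
            key = last.get(r["host"])
            if key:
                counts[key] += int(r["n"])
            continue
        # Any other message from a host ends that host's repeat chain.
        parts = line.split()
        if len(parts) >= 4:
            last[parts[3]] = None
    return counts

if __name__ == "__main__":
    for (host, ifl, vlan, tag, mac), n in summarize_drops(SAMPLE).items():
        print(f"{host} {ifl} vlan={vlan} tag={tag} mac={mac} drops={n}")
```
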