Hi Eugene
If ge-0/0/0.0 is DHCP enabled then it is an L3 interface (family inet), and you cannot use secure-access-port on an L3 interface but only on L2 interfaces (family ethernet-switching).
If you configure an L3 interface under the [edit ethernet-switching-options secure-access-port interface ] hierarchy and this interface is family inet, the SRX will report an error upon commit stating that the L3 interface doesn't exist. See below:
root@SRX1# show interfaces
fe-0/0/3 {
    unit 0 {
        family inet;
    }
}
fe-0/0/4 {
    unit 0 {
        family ethernet-switching;
    }
}
We include both interfaces under secure-access-port:
[edit]
root@SRX1# show ethernet-switching-options
secure-access-port {
    interface fe-0/0/3.0 {
        mac-limit 1 action log;
        persistent-learning;
    }
    interface fe-0/0/4.0 {
        mac-limit 1 action log;
        persistent-learning;
    }
}
Upon commit you will receive an error that the L3 interface (fe-0/0/3) doesn't exist:
[edit]
root@SRX1# commit check
[edit ethernet-switching-options secure-access-port]
'interface fe-0/0/3.0'
Interface fe-0/0/3.0 not found
error: configuration check-out failed
If we remove the L3 interface only then the commit works:
[edit]
root@SRX1# delete ethernet-switching-options secure-access-port interface fe-0/0/3.0
[edit]
root@SRX1# commit check
configuration check succeeds
I hope the above info is helpful.
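
A pre-commit check for the condition described in the post above, as an added example that is not part of the original post: it parses curly-brace Junos configuration text and lists every interface under secure-access-port whose unit is not family ethernet-switching. The sample text is constructed from the post's two stanzas (trimmed), and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the two stanzas shown in the post.
INTERFACES = """\
fe-0/0/3 {
    unit 0 {
        family inet;
    }
}
fe-0/0/4 {
    unit 0 {
        family ethernet-switching;
    }
}
"""
SECURE_ACCESS = """\
secure-access-port {
    interface fe-0/0/3.0 {
        mac-limit 1 action log;
    }
    interface fe-0/0/4.0 {
        mac-limit 1 action log;
    }
}
"""

def unit_families(text):
    """Map 'interface.unit' -> set of configured families by tracking brace nesting."""
    families, stack = {}, []
    for line in map(str.strip, text.splitlines()):
        in_unit = len(stack) == 2 and stack[1].startswith("unit ")
        if line.startswith("family ") and in_unit:
            name = f"{stack[0]}.{stack[1].split()[1]}"
            families.setdefault(name, set()).add(line.split()[1].rstrip(";"))
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
    return families

def non_l2_secure_ports(interfaces_text, secure_text):
    """Return (interface, families) for secure-access-port entries that are not L2."""
    fams = unit_families(interfaces_text)
    names = re.findall(r"^\s*interface\s+(\S+\.\d+)\s*\{", secure_text, re.M)
    return [(n, sorted(fams.get(n, ()))) for n in names
            if "ethernet-switching" not in fams.get(n, ())]

if __name__ == "__main__":
    for name, fams in non_l2_secure_ports(INTERFACES, SECURE_ACCESS):
        print(f"{name}: family {fams or 'none'}; secure-access-port needs ethernet-switching")
```
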