Network Architecture & Design

  • 1.  mac based vlan , multiple edge switches .

    Posted 08-03-2016 09:14
    Configuration of mac based netlogin , when vlan spread over a number of switches.

    I am trying to limit the mac addresses that access a number of switches on the same vlan , from reading the Guides I understand the concept .. just putting this into practice is the issue ( still have to lab )

    Basically my thoughts are " as this is a port based thing , each switch with this specific vlan will need to be configured for netlogin ( using local list on each switch with the vlan) , not including the uplinks .. each switch with this netlogin vlan will need a copy of the mac addresses being allowed connection .

    I'm also going to configure the vlan ports for "limit Learning 1"

    I would like to configure the limit learning or the lock learning , so that there is no time out value.

    Basically for reason of security we want to control very tightly , who has access to the switch, and therefore our networks.

  • 2.  RE: mac based vlan , multiple edge switches .

    Posted 08-17-2016 10:22
    Bumping back to the top for Rod.

  • 3.  RE: mac based vlan , multiple edge switches .

    Posted 08-18-2016 11:22
    Hi Rod,

    I am not sure if i got your requirement correctly.

    Limit learning is port and VLAN combination command, so i do not think you can use both Netlogin and limit-learning on the same port.

    Once netlogin is enabled for a port it would automatically placed in to the netlogin vlan where the Client PC would have no access to the network only after successful authentication it would be placed in to a VLAN which is returned by the Radius.

    This article might help you with the Netlogin complete config.

  • 4.  RE: mac based vlan , multiple edge switches .

    Posted 08-18-2016 12:16
    Hi Rod,

    Limit-learning is dynamic and it will limit the number of MAC addresses that can be learned in a vlan and port.

    Lock-learning causes all dynamic FDB entries associated with the specified VLAN and ports to be converted to locked static entries. It also sets the learning limit to 0, so that no new entries can be learned. All new source MAC addresses are blackholed.

    Those features don't need Netlogin to be enabled.

    If you want to just control the number of mac per port (without authentication), limit-learning will help. However, if you want to lock an specific MAC (again, without authentication), then you can use lock-learning, but that MAC must be already in the FDB.

    Do you want to use MAC-based authentication or just control the MAC learned in each switch/vlan/port?