Locking a device to a specific port

  • Question
  • Updated 3 months ago
  • Answered
We have a customer who wants to lock specific MAC addresses to specific ports as a form of location tracking.
They want 10:20:30:40:50:ab to only be able to connect to ABC MDF port 1:1.
Is there a way to accomplish this in XOS on X460s and X440s? 

Does any vendor support something like this? Not looking to sell another product, but hoping I can say the desired behavior is not an option on any vendor's equipment.


As I currently understand it MAC locking does not work that way. I believe it works more like the example provided below.

10:20:30:40:50:ab is the only MAC allowed on ABC MDF port 1:1

10:20:30:40:50:ab is still able to connect to ABC IDF-1 port 2:2
David Coglianese, Embassador

Posted 3 months ago

Hagemann, Olaf, Employee

You can either use static MAC entries or use MAC locking with a learn limit of 1. Then the first seen MAC will be converted into a static entry and all further MAC addresses will be discarded.
David Coglianese, Embassador

Olaf,

This is the way I thought it worked.

Our customer is not concerned about what is on that port, but rather where a certain MAC is located.

They want 10:20:30:40:50:ab to only be able to connect to ABC MDF port 1:1.
Is there a way to accomplish this in XOS on X460s and X440s? 

I read your reply as saying "only 10:20:30:40:50:ab can connect on ABC MDF port 1:1, but it would still be able to connect on AAB IDF port 2:2 as well".
Am I reading your reply correctly?
David Coglianese, Embassador

Ronald,

Thanks for the suggestion.

This has led me down an interesting rabbit hole. Though this will not help the customer in question because they have G1 switches, it could be useful in the future.

I am still trying to figure out how or even what the location gets configured on...  
Ronald Dvorak, Embassador

My colleague pointed me to this product as it's certified with our PBX solution.

http://www.redskye911.com/e911-manager

http://www.redskye911.com/sites/default/files/E911ManagerDatasheet.pdf

As far as I understand, you configure the ELIN on the switch port; the 911 manager then has a table, e.g. ELIN#123 = 3rd floor, room#301, and this info is tx to the 911 call center.
So most of the work is done by the PBX and 911 manager.
Drew C., Community Manager

David, the documentation is a little misleading. That command has been around since EXOS 11.5 and works on the G1 models too. The newer guides list the new G2 platforms since G1s aren't supported there.
https://documentation.extremenetworks.com/exos_commands_16/EXOS_16_2/exos_commands_all/r_configure-l...
David Coglianese, Embassador

Thanks Drew, that makes sense. 

I think they would still need something like Redsky to tie all the information together.
David Coglianese, Embassador

This looks like the right answer when combined with the LLDP location advertisement.
Karthik Mohandoss, Employee

Hi David,

This may suit the requirement but needs a lot of manual configuration, please test and see if this helps. 

create fdb 10:20:30:40:50:ab vlan "phone" ports 1
disable learning ports 1

https://documentation.extremenetworks.com/exos_commands_22.1/exos_21_1/exos_commands_all/r_disable-l...

Ronald Dvorak, Embassador

That doesn't prevent the user from plugging the device into port#2, which is what the customer requires - right?!
Ronald Dvorak, Embassador

I've tried it and that looks like it could work on the same switch (static > dynamic learning), but what about in a network with more than 1 switch?

e.g. create the static entry on switch#1 but connect the device to switch#3.
In that case switch#3 uses the dynamic learned local MAC and not what was learned via the trunk to switch #1.
Karthik Mohandoss, Employee

In addition the below can also be very suitable for dropping all the other packets except the static fdb. 
disable learning drop-packets ports 1
drop-packets     Drop packets with unknown source MAC addresses
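The multi-switch gap Ronald raises (a static entry on switch #1 does nothing when the device turns up on switch #3) is a monitoring problem rather than something the static FDB entry above can solve. As an added example, not code from this thread or from Extreme, the Python script below parses `show fdb` captures gathered from several switches and flags any tracked MAC learned somewhere other than its authorised switch and port, and also reports when the authorised port has lost its static entry; the switch names, the MAC-to-port table and the capture text are constructed to approximate EXOS output.

```python
import re

# Authorised location per tracked MAC: (switch, port). Constructed from the thread's example.
EXPECTED = {"10:20:30:40:50:ab": ("ABC-MDF", "1:1")}
# Constructed captures approximating EXOS `show fdb` output, one per switch.
# Flags column: "s" = static entry, "d" = dynamically learned, "m" = MAC entry.
FDB_SAMPLES = {
    "ABC-MDF": """\
Mac                     Vlan       Age  Flags  Port / Virtual Port List
-----------------------------------------------------------------------
10:20:30:40:50:ab    phone(0010)   0000 s m    1:1
00:04:96:aa:bb:cc    phone(0010)   0012 d m    1:3
""",
    "ABC-IDF-1": """\
Mac                     Vlan       Age  Flags  Port / Virtual Port List
-----------------------------------------------------------------------
10:20:30:40:50:ab    phone(0010)   0003 d m    2:2
""",
}
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def parse_fdb(text):
    """Return [(mac, port, flags)] per entry line: MAC, VLAN, age, flag letters, port."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 5 and MAC_RE.match(tok[0]):  # skips header and separator lines
            entries.append((tok[0].lower(), tok[-1], frozenset(tok[3:-1])))
    return entries

def check_locations(expected, samples):
    """Tracked MACs seen on any switch/port other than their authorised one."""
    violations = []
    for switch, text in samples.items():
        for mac, port, flags in parse_fdb(text):
            if mac in expected and (switch, port) != expected[mac]:
                violations.append((mac, switch, port, "static" if "s" in flags else "dynamic"))
    return violations

def missing_static_entries(expected, samples):
    """Tracked MACs whose authorised switch/port carries no static FDB entry (config drift)."""
    return [mac for mac, (switch, port) in expected.items()
            if not any(m == mac and p == port and "s" in f
                       for m, p, f in parse_fdb(samples.get(switch, "")))]

if __name__ == "__main__":
    for mac, switch, port, kind in check_locations(EXPECTED, FDB_SAMPLES):
        print(f"ALERT {mac} learned on {switch} port {port} ({kind} entry)")
    for mac in missing_static_entries(EXPECTED, FDB_SAMPLES):
        print(f"DRIFT no static entry for {mac} on its authorised port")
```

Feeding it real captures means replacing the constructed strings with the output of `show fdb` from each switch; the dynamic entry on ABC-IDF-1 port 2:2 in the sample is exactly the case the static entry on the MDF cannot block.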