mac-locking borders

  • Question
  • Updated 3 years ago
  • Answered
Hi,

I have a question about MAC locking (Enterasys Fw. 6.61).
If I activate MAC locking on the access ports, as I understand it, MAC spoofing is no longer possible for devices with the same MAC address on the same switch.
How is the behavior with more switches?
How do I configure this?
Uplink ports with firstarrival MAC locking and a large number of devices as the limit.
As I understand it, MAC spoofing on different switch ports all over the network should not be possible.
Is that really true?

Thanks for your help!

Ronny

Ronny Engelhardt


Posted 3 years ago


Paul Poyant, Employee

I believe you are asking whether a single firstarrival source MAC address learned on a single switch port can be used to deny ingress of that same MAC address throughout the remainder of the network.
Your reference to the 6.61 firmware line would include the SecureStack A4/B3/B5/C3/C5-Series, the G-Series, and the I-Series switches.

A key point is that any MAC Locking configuration will regulate all Ethernet ports controllable under that configuration.
So for the SecureStack products, this might include the ports of as many as eight switches which are members of a given stack.
For the G-Series and I-Series, it would include only the ports of the one switch unit.

For a network-wide treatment to be applied in response to any given dynamically-learned MAC address, I know of no means of doing this if the network is larger than just a given switch or stack, with connected clients.

For a network-wide treatment to be applied in response to any given statically-configured MAC address, I'd consider using NetSight Policy Manager to deny ingress of that source MAC address on all Ethernet ports except the one through which it is permitted to function, then enforce that policy to all switches on the network. That requires manual effort and ongoing vigilance, and is not particularly scalable in terms of the number of policy rules that this type of thing could consume for many MAC addresses, thus it is not practical for anything other than a limited implementation.

In short: No, with possible workarounds.
I'll be interested to see if there are any other approaches suggested.
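To make the scope described above concrete, here is an added example (not code from this thread or from Enterasys) that models per-port firstarrival MAC locking with the asker's proposed limits and then runs the cross-switch check the switches themselves do not perform. The frame records, the `ge.x.y` port names and the rule that ports ending in `.48` are uplinks are all constructed assumptions; real input would be parsed from each switch's MAC table.

```python
"""Model of per-switch firstarrival MAC locking plus a cross-switch duplicate check.

Added example, not from the forum thread or Enterasys firmware. Assumptions:
the frame records below are constructed, and a port name ending in ".48" is
treated as an uplink; real data would come from each switch's MAC table.
"""
from collections import defaultdict

# Constructed sample: (switch, port, source MAC) in arrival order.
FRAMES = [
    ("sw1", "ge.1.1", "00:11:22:33:44:55"),
    ("sw1", "ge.1.1", "00:11:22:33:44:55"),   # same MAC again: still allowed
    ("sw1", "ge.1.1", "aa:bb:cc:dd:ee:ff"),   # second MAC on a locked access port
    ("sw1", "ge.1.48", "00:11:22:33:44:55"),  # uplink legitimately sees the same MAC
    ("sw2", "ge.1.5", "00:11:22:33:44:55"),   # same MAC on a different switch
]
ACCESS_LIMIT = 1        # firstarrival limit on access ports
UPLINK_LIMIT = 1000     # large limit on uplinks, as proposed in the question


def is_uplink(port):
    return port.endswith(".48")   # assumption for this constructed sample


def apply_mac_locking(frames):
    """Return (allowed, denied): each switch enforces its own per-port limit only."""
    learned = defaultdict(set)    # (switch, port) -> MACs locked to that port
    allowed, denied = [], []
    for sw, port, mac in frames:
        key = (sw, port)
        limit = UPLINK_LIMIT if is_uplink(port) else ACCESS_LIMIT
        if mac in learned[key] or len(learned[key]) < limit:
            learned[key].add(mac)
            allowed.append((sw, port, mac))
        else:
            denied.append((sw, port, mac))
    return allowed, denied


def cross_switch_duplicates(allowed):
    """MACs admitted on access ports of more than one switch.

    MAC locking never consults other switches, so this is the gap that only a
    network-wide correlation (or a static policy) can catch; uplinks are skipped
    because they are expected to carry every MAC from the rest of the network.
    """
    seen = defaultdict(set)
    for sw, port, mac in allowed:
        if not is_uplink(port):
            seen[mac].add(sw)
    return {mac: sorted(sws) for mac, sws in seen.items() if len(sws) > 1}
```

Running `apply_mac_locking(FRAMES)` denies only the second MAC on sw1's access port, while `cross_switch_duplicates` still reports the MAC that was admitted on access ports of both sw1 and sw2.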