mac-locking borders

Userlevel 1

I have a question about MAC locking (Enterasys Fw. 6.61).
If I activate MAC locking on the access ports, to my understanding MAC spoofing is no longer possible for devices with the same MAC address at the same switch.
How is the behavior with more switches?
How to configure this?
Uplink ports with first-arrival MAC locking and a large number of devices as the limitation.
To my understanding, MAC spoofing on different switch ports all over the network should not be possible.
Is that really true?

Thanks for your help!


1 reply

Userlevel 4
I believe you are asking whether a single firstarrival source MAC address learned on a single switch port can be used to deny ingress of that same MAC address throughout the remainder of the network.
Your reference to the 6.61 firmware line would include the SecureStack A4/B3/B5/C3/C5-Series, the G-Series, and the I-Series switches.

A key point is that any MAC Locking configuration will regulate all Ethernet ports controllable under that configuration.
So for the SecureStack products, this might include the ports of as many as eight switches which are members of a given stack.
For the G-Series and I-Series, it would include only the ports of the one switch unit.

For a network-wide treatment to be applied in response to any given dynamically-learned MAC address, I know of no means of doing this if the network is larger than just a given switch or stack, with connected clients.

For a network-wide treatment to be applied in response to any given statically-configured MAC address, I'd consider using NetSight Policy Manager to deny ingress of that source MAC address on all Ethernet ports except the one through which it is permitted to function - then enforce that policy to all switches on the network. That requires manual effort and ongoing vigilance, and is not particularly scalable in terms of the number of policy rules that this type of thing could consume for many MAC addresses - thus is not practical for anything other than a limited implementation.

In short: No, with possible workarounds.
I'll be interested to see if there are any other approaches suggested.
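The scope difference the reply describes (first-arrival locking regulates only the ports of one switch or stack, while a static, network-wide deny has to come from an enforced policy) can be made concrete with a small model. The following is an added illustration written for this thread, not Enterasys firmware or NetSight code: the `Switch` and `Policy` classes, the port names and the sample MAC address are all constructed, and real SecureStack behaviour is only approximated. It shows the same source MAC being accepted as a fresh first arrival on a second switch unless a static rule pins it to its home port everywhere.

```python
"""Model: per-unit first-arrival MAC locking vs. a network-wide static deny.

Added example for the forum thread above; not vendor code. Switch names,
port names and the MAC address below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    """One switch (or one stack): MAC locking is scoped to this unit only."""
    name: str
    limit: dict = field(default_factory=dict)   # port -> first-arrival MAC limit
    locked: dict = field(default_factory=dict)  # mac -> port it was first learned on
    count: dict = field(default_factory=dict)   # port -> number of locked MACs
    log: list = field(default_factory=list)

    def ingress(self, port, mac, policy=None):
        """Return True if a frame with source `mac` is admitted on `port`."""
        # A network-wide static rule (the Policy Manager approach) is checked first.
        if policy is not None and not policy.allows(self.name, port, mac):
            self.log.append(f"{self.name} {port} {mac}: denied by static policy")
            return False
        if port not in self.limit:
            return True  # MAC locking not enabled on this port; nothing is learned
        home = self.locked.get(mac)
        if home == port:
            return True  # already locked to this very port
        if home is not None:
            # Locked to another port of the same unit: the move is refused.
            self.log.append(f"{self.name} {port} {mac}: locked to {home}")
            return False
        if self.count.get(port, 0) >= self.limit[port]:
            self.log.append(f"{self.name} {port} {mac}: first-arrival limit reached")
            return False
        # First arrival within the limit: lock the MAC to this port.
        self.locked[mac] = port
        self.count[port] = self.count.get(port, 0) + 1
        return True


class Policy:
    """Static 'this MAC may only enter here' rules, enforced on every unit."""

    def __init__(self):
        self.pinned = {}  # mac -> (switch name, port)

    def pin(self, mac, switch, port):
        self.pinned[mac] = (switch, port)

    def allows(self, switch, port, mac):
        home = self.pinned.get(mac)
        return home is None or home == (switch, port)


VICTIM = "00:11:22:33:44:55"  # constructed sample MAC address


def scenario(with_policy):
    """Returns (legit, same_unit_spoof, other_unit_spoof) admission results."""
    a, b = Switch("sw-A"), Switch("sw-B")
    for sw in (a, b):
        sw.limit = {"ge.1.1": 1, "ge.1.2": 1}  # access ports: one first-arrival MAC
    policy = None
    if with_policy:
        policy = Policy()
        policy.pin(VICTIM, "sw-A", "ge.1.1")  # static rule pushed to all units
    legit = a.ingress("ge.1.1", VICTIM, policy)        # the real device
    same_unit = a.ingress("ge.1.2", VICTIM, policy)    # same MAC, same switch
    other_unit = b.ingress("ge.1.1", VICTIM, policy)   # same MAC, another switch
    return legit, same_unit, other_unit


if __name__ == "__main__":
    print("first-arrival only:", scenario(False))   # (True, False, True)
    print("with static policy:", scenario(True))    # (True, False, False)
```

With first-arrival locking alone, `sw-B` has no knowledge of what `sw-A` learned, so the duplicate MAC is admitted there as an ordinary first arrival; only the static, everywhere-enforced rule closes that gap, at the cost of one rule per protected MAC, which is the scalability limit the reply points out.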