Solved

In EXOS how can I duplicate Cisco's switchport port-security mac-address sticky command?

  • 17 July 2019
  • 4 replies
  • 685 views

We would like to lock down switchports on Extreme X450-G2's so nobody can move or connect their own equipment and obtain network access. We currently do this today with Cisco switches, and the configuration is done on a port-by-port basis. It's very easy to do on Cisco: simply a few commands to tell the maximum number of MAC addresses on a port (2, for example, if passing through a VoIP phone) and mac-address sticky, which automatically populates with the MAC address upon the device making a connection.

So an example in the Cisco world for a typical end user port that passes through a phone:

interface GigabitEthernet1/0/20
description D56
switchport mode access
switchport voice vlan 172
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky 1866.da09.xxxx
switchport port-security mac-address sticky 0004.f2b2.xxxx vlan voice
switchport port-security
ip access-group acl1 in
mls qos trust dscp
spanning-tree portfast edge
!

Or if just one device is connected, it's a little easier (you don't need to give it a maximum):
interface GigabitEthernet1/0/21
description D102
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky 9cae.d386.xxxx
switchport port-security
ip access-group acl1 in


Let's say I need to upgrade a computer or move a computer on Gi1/0/20 above. I would simply unplug the network port from the back of the computer, and on the switch I would enter config mode, go into int Gi1/0/20 and enter:
no switchport port-security mac-address sticky 1866.da09.xxxx
then exit config mode.
I would plug in the new machine, and since that port has a maximum of 2 and I removed just one of the MACs, upon the new machine powering on the switch would automatically add the new MAC address to the configuration. I would wr mem and be done with it.

What is the most straightforward way to accomplish the same thing in the EXOS world?

Thank you for your assistance!

Best answer by Bill Handler 18 July 2019, 15:18

Mac-Locking should work for you...

To allow 2 clients/MAC Addresses to be on the port:

configure mac-locking ports port_list first-arrival limit-learning 2

There are other commands related that will allow for actions when the port goes down etc. All listed in the CLI guide.

4 replies


OK, I found a series of commands that seem to work. It does learn 1 MAC address. I then plug in a different device and the port disables. The issue is that when I plug back in the original device, the port is still down. It’s like I have to disable and enable the port. At least Cisco retries in 30 secs (errdisable-recovery). The more automated the better.

Userlevel 2

How would you like it to work?

I guess this is one thing you’d like:

configure mac-locking ports port_list learn-limit-action remain-enabled

From the EXOS user guide:

“Disable/Enable port when MAC threshold is reached

This command is used to configure the disabling of ports when the configured MAC threshold is met. This is used for both “first arrival” and “static” MAC locking methods.

configure mac-locking ports port_list learn-limit-action [disable-port | remain-enabled]

The port is disabled when the configured MAC threshold is met. All the FDB entries learned on this port are flushed as the port is disabled. This configuration can be reset using the clear mac-locking disabled-state ports port_list command. When MAC locking is disabled on the port, the port comes back up.

Clearing the Disabled-state of a Port

This command is used to return the behavior of first arrival MAC locking with link state change to its default value of enabled.

clear mac-locking disabled-state ports port_list

Delete Static MAC Locking Entries

To delete MAC locking for all static MAC address or the specified static MAC address on the given port, use the following command:

configure mac-locking ports port_list static delete station [station_mac_address | all]

Clearing MAC Locking entries

The following command is used to clear MAC locking station entries for the given parameters:

clear mac-locking station [all | {mac station_mac_address} {first-arrival | static} {ports port_list}]”


Have a look in the user guide (page 898 in the 22.6 version).


/Fredrik
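As an added example, not from any of the posters, here is an EXOS mac-locking configuration that mirrors the two Cisco ports in the question, combining the first-arrival limit from the accepted answer with the learn-limit-action and clear commands from the guide excerpt. Port numbers 1:20 and 1:21 and the MAC address are constructed placeholders; the command forms are those of the EXOS mac-locking feature set, so check them against the CLI guide for your release.

```text
# Global enable, then per-port enable.
# Ports 1:20 (PC behind a phone) and 1:21 (single PC) are constructed placeholders.
enable mac-locking
enable mac-locking ports 1:20,1:21

# Cisco "port-security maximum 2": allow two dynamically learned MACs on 1:20
configure mac-locking ports 1:20 first-arrival limit-learning 2
# Single-device port: one MAC, matching Cisco's default maximum of 1
configure mac-locking ports 1:21 first-arrival limit-learning 1

# Keep the learned MACs across a link-down instead of clearing them
configure mac-locking ports 1:20,1:21 first-arrival link-down-action retain-macs

# Violation handling as discussed in the thread: shut the port on an extra MAC
# (remain-enabled keeps the port up instead), and log/trap violations so
# NetSight or another NMS has something to alert on
configure mac-locking ports 1:20,1:21 learn-limit-action disable-port
configure mac-locking ports 1:20,1:21 log violations on
configure mac-locking ports 1:20,1:21 trap violations on

# Once the expected devices have connected, convert the learned entries to static
# entries so they persist in the saved configuration (the closest analog to "sticky")
configure mac-locking ports 1:20,1:21 first-arrival move-to-static
save configuration

# Replacing the PC on 1:20 (the "no ... sticky <mac>" step): remove only that
# station's entry, plug in the new machine, and clear the disabled state if a
# violation had shut the port. 00:00:5e:00:53:01 is a documentation-range placeholder.
configure mac-locking ports 1:20 static delete station 00:00:5e:00:53:01
clear mac-locking disabled-state ports 1:20
save configuration

# Verify which stations are locked and whether a port is in the disabled state
show mac-locking ports 1:20,1:21
show mac-locking stations
```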

Yes, I got that to work. I was just curious if I was missing something to have the switch retry the port if the original device is plugged back in. Cisco has an errdisable recovery timer which I think we have set to 30 (seconds). I got the port violations to log but I can’t get NetSight to email alert me. Strange because I have no issues getting OSPF alerts.
