Solved

In EXOS how can I duplicate Cisco's switchport port-security mac-address sticky command?

  • 17 July 2019

We would like to lock down switchports on Extreme X450-G2s so nobody can move or connect their own equipment and obtain network access. We currently do this today with Cisco switches and the configuration is done on a port by port basis. It's very easy to do on Cisco simply by a few commands to tell the maximum number of MAC addresses on a port (2 for example if passing through a VOIP phone) and mac-address sticky, which automatically populates with the MAC address upon the device making a connection.

So an example in the Cisco world for a typical end user port that passes through a phone:

interface GigabitEthernet1/0/20
description D56
switchport mode access
switchport voice vlan 172
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky 1866.da09.xxxx
switchport port-security mac-address sticky 0004.f2b2.xxxx vlan voice
switchport port-security
ip access-group acl1 in
mls qos trust dscp
spanning-tree portfast edge
!

Or if just one device is connected, it's a little easier (you don't need to give it a maximum):

interface GigabitEthernet1/0/21
description D102
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky 9cae.d386.xxxx
switchport port-security
ip access-group acl1 in


Let's say I need to upgrade a computer or move a computer on Gi1/0/20 above. I would simply unplug the network port from the back of the computer and on the switch I would enter config mode and go into int Gi1/0/20 and enter:
no switchport port-security mac-address sticky 1866.da09.xxxx
then exit config mode.
I would plug in the new machine and since that port has a maximum of 2 and I removed just one of the MACs, upon the new machine powering on, the switch would automatically add the new MAC address to the configuration. I would wr mem and be done with it.

What is the most straightforward way to accomplish the same thing in the EXOS world?

Thank you for your assistance!

Best answer by Bill Handler 18 July 2019, 15:18

Mac-Locking should work for you...

To allow 2 clients/MAC Addresses to be on the port:

configure mac-locking ports first-arrival limit-learning 2

There are other commands related that will allow for actions when the port goes down etc. All listed in the CLI guide.
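
An added example, not part of the original thread and not Cisco's or Extreme's code: a small Python audit of the Cisco-side configuration shown in the question. It lists each port's limit and sticky MACs (the values to carry over into a per-port learning limit) and flags ports where the enabling `switchport port-security` line is missing or a MAC slot is still unclaimed. The sample config, its MAC addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample in the style of the question's config (MACs made up; Gi1/0/22 lacks the enabling line).
SAMPLE = """\
interface GigabitEthernet1/0/20
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1866.da09.0001
 switchport port-security mac-address sticky 0004.f2b2.0002 vlan voice
 switchport port-security
!
interface GigabitEthernet1/0/21
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 9cae.d386.0003
 switchport port-security
!
interface GigabitEthernet1/0/22
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 9cae.d386.0004
!
"""

STICKY_MAC = re.compile(
    r"switchport port-security mac-address sticky ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)

def audit_port_security(config):
    """Return {interface: {enabled, maximum, macs, free}} for every interface block."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            # IOS default maximum is 1 when no 'maximum' line is present
            cur = ports.setdefault(line.split(None, 1)[1], {"enabled": False, "maximum": 1, "macs": []})
        elif line == "!" or cur is None:
            cur = None                       # end of block, or a line outside any interface
        elif line == "switchport port-security":
            cur["enabled"] = True            # the bare line is what turns enforcement on
        elif line.startswith("switchport port-security maximum "):
            cur["maximum"] = int(line.split()[3])
        elif (m := STICKY_MAC.fullmatch(line.split(" vlan ")[0])):
            cur["macs"].append(m.group(1).lower())
    for p in ports.values():
        p["free"] = p["maximum"] - len(p["macs"])   # slots the next device to connect would claim
    return ports

def findings(ports):
    """Interfaces where port-security is not enabled, or where a MAC slot is still unclaimed."""
    return {name: ("not enforced" if not p["enabled"] else "open slot")
            for name, p in ports.items() if not p["enabled"] or p["free"] > 0}
```

Running `findings(audit_port_security(SAMPLE))` reports only Gi1/0/22; removing one sticky MAC from Gi1/0/20, as in the upgrade procedure described in the question, makes that port show up as "open slot" until the replacement machine has been learned.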
