Locking a device to a specific port


We have a customer who wants to lock specific MAC addresses to specific ports as a form of location tracking.
They want 10:20:30:40:50:ab to only be able to connect to ABC MDF port 1:1.
Is there a way to accomplish this in XOS on X460s and X440s?

Does any vendor support something like this? Not looking to sell another product, but hoping I can say the desired behavior is not an option on any vendor's equipment.

As I currently understand it MAC locking does not work that way. I believe it works more like the example provided below.
10:20:30:40:50:ab is the only MAC allowed on ABC MDF port 1:1

10:20:30:40:50:ab is still able to connect to ABC IDF-1 port 2:2

14 replies

Userlevel 3
You can either use static MAC entries or use MAC locking with a learn limit of 1. Then the first seen MAC will be converted into a static entry and all further MAC addresses will be discarded.
Olaf,

This is the way I thought it worked.

Our customer is not concerned about what is on that port, but rather where a certain MAC is located.

They want 10:20:30:40:50:ab to only be able to connect to ABC MDF port 1:1.
Is there a way to accomplish this in XOS on X460s and X440s?

I read your reply as saying "only 10:20:30:40:50:ab can connect on ABC MDF port 1:1, but it would still be able to connect on AAB IDF port 2:2 as well".
Am I reading your reply correctly?
Userlevel 7
You are correct - you'd need to lock all ports to avoid that but that is not what you are looking for = other MACs should be able to connect to every port available.

For how many MACs does the customer like to do that.... are we talking 10/100/1k ?
2,500. They are trying to prevent teachers from moving phones out of the rooms they belong in. In the US they are implementing E-911. My understanding is that the police need to know what room or area of a building a call is coming from. As a result, phone extensions are mapped to certain rooms, and if the phone is on the other side of the building the police would be working with bad information. Apparently teachers don't understand the importance of safety and cannot be trusted not to move phones around. So the tech department is trying to make the phones only work on a particular port.
Userlevel 7
So MAC-auth with NAC isn't a great idea as that would mean 2.500 rules...

I don't have any experience with such a service, but could LLDP with ELIN work?!
Not in regards to locking the port but as a E911 solution.

https://documentation.extremenetworks.com/exos_commands_22.4/exos_21_1/exos_commands_all/r_configure...
Ronald,

Thanks for the suggestion.

This has led me down an interesting rabbit hole. Though this will not help the customer in question because they have G1 switches, it could be useful in the future.

I am still trying to figure out how or even what the location gets configured on...
Userlevel 7
My colleague pointed me to this product as it's certified with our PBX solution.

http://www.redskye911.com/e911-manager

http://www.redskye911.com/sites/default/files/E911ManagerDatasheet.pdf

As far as I understand, you configure the ELIN on the switch port; the 911 manager then has a table, e.g. ELIN#123 = 3rd floor, room#301, and this info is transmitted to the 911 call center.
So most of the work is done by the PBX and 911 manager.
Userlevel 7
David, the documentation is a little misleading. That command has been around since EXOS 11.5 and works on the G1 models too. The newer guides list the new G2 platforms since G1s aren't supported there.
https://documentation.extremenetworks.com/exos_commands_16/EXOS_16_2/exos_commands_all/r_configure-l...
Thanks Drew, that makes sense.

I think they would still need something like Redsky to tie all the information together.
This looks like the right answer when combined with the LLDP location advertisement.
Userlevel 6
Hi David,

This may suit the requirement but needs a lot of manual configuration, please test and see if this helps.

create fdb 10:20:30:40:50:ab vlan "phone" ports 1
disable learning ports 1

https://documentation.extremenetworks.com/exos_commands_22.1/exos_21_1/exos_commands_all/r_disable-l...
Userlevel 7
That doesn't prevent the user from plugging the device into port#2, which is what the customer requires - right?!
Userlevel 7
I've tried it and that looks like it could work on the same switch = static > dynamic learning, but what about in a network with more than one switch?

e.g. create the static entry on switch#1 but connect the device to switch#3.
In that case switch#3 uses the dynamic learned local MAC and not what was learned via the trunk to switch #1.
Userlevel 6
In addition the below can also be very suitable for dropping all the other packets except the static fdb.
disable learning drop-packets ports 1
drop-packets Drop packets with unknown source MAC addresses
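The multi-switch gap raised above (a static entry on switch#1 does nothing when the phone turns up on switch#3) can at least be detected centrally, even if it cannot be enforced per port. The following is an added example, not code from the thread or from Extreme: it audits FDB exports collected from every switch against an allowed MAC-to-port map, skipping entries learned on uplink ports. The export format, switch names, uplink list and sample MACs are constructed assumptions.

```python
from collections import namedtuple

# Added example, not from the thread: a static FDB entry only pins a MAC on
# the switch it is created on, so this checks learned FDB tables from every
# switch against an allowed MAC -> (switch, port) map. MACs can be spoofed,
# so treat the result as an inventory check, not as authentication.

# Constructed sample data: where each tracked phone is supposed to live.
ALLOWED = {
    "10:20:30:40:50:ab": ("ABC-MDF", "1:1"),
    "10:20:30:40:50:ac": ("ABC-IDF-1", "2:2"),
    "10:20:30:40:50:ad": ("ABC-IDF-2", "1:10"),
}
# Uplink ports: a MAC learned here arrived over the trunk, not a local jack.
UPLINKS = {("ABC-IDF-1", "1:48"), ("ABC-IDF-3", "1:48")}

# Constructed, simplified export "switch mac vlan port flags"; real `show fdb`
# output differs, so parse_fdb_line() must be adapted to the actual format.
FDB_EXPORT = """\
ABC-MDF   10:20:30:40:50:ab phone 1:1  d
ABC-IDF-1 10:20:30:40:50:ab phone 1:48 d
ABC-IDF-1 10:20:30:40:50:ac phone 2:2  s
ABC-IDF-3 10:20:30:40:50:ac phone 3:7  d
ABC-IDF-3 aa:bb:cc:dd:ee:01 data  1:5  d
"""

# static is True for an 's' flag (static entry), False for 'd' (dynamic).
FdbEntry = namedtuple("FdbEntry", "switch mac vlan port static")

def parse_fdb_line(line):
    """Parse one export line; returns None for blank or malformed lines."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 5:
        return None
    switch, mac, vlan, port, flags = fields[:5]
    return FdbEntry(switch, mac.lower(), vlan, port, "s" in flags)

def audit(export, allowed, uplinks):
    """Return (violations, missing): tracked MACs seen on a wrong local port
    as (mac, expected, actual), and tracked MACs seen on no local port."""
    violations, seen = [], set()
    for line in export.splitlines():
        e = parse_fdb_line(line)
        if e is None or e.mac not in allowed or (e.switch, e.port) in uplinks:
            continue  # untracked device, or learned across the trunk
        seen.add(e.mac)
        if (e.switch, e.port) != allowed[e.mac]:
            violations.append((e.mac, allowed[e.mac], (e.switch, e.port)))
    return violations, set(allowed) - seen
```

A phone that moved shows up as a violation, and a phone that is unplugged (or whose switch was not exported) shows up as missing, which is the signal the E-911 mapping needs in either case.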
