Question

Vlan MAC Limit

  • 8 January 2021
  • 3 replies
  • 43 views

Hi,

We want to set a MAC limit (1) on a VLAN on a port. The MAC is to be permanently configured and every packet that does not come from the MAC on the VLAN is to be discarded and not forwarded or otherwise stored/recorded. Of course there are other VLANs on the port, which should not be affected by this.


Idea: 

# create fdb <MAC> vlan <VLAN> ports <PORT>
# configure ports <PORT> vlan <VLAN> limit-learning 0 action stop-learning


Question: can we create an ACL for this? And if yes, how would it look?


many thx in advance :)



3 replies


I believe this is a switch uplink?

If you use an ACL you don’t need to limit learning and so on. An ACL could look like this:

entry permit_MAC {
    if match any {
        ethernet-source-address xx:xx:xx:xx:xx:xx;
        ethernet-destination-address xx:xx:xx:xx:xx:xx;
    } then {
        permit;
    }
}

entry block_all {
    if {
    } then {
        deny;
    }
}

The ACL must be applied to the specific VLAN. I didn’t test it.

In order to help you better, more information is necessary. If we know what you are trying to achieve and why, we might find a better solution. Maybe we even have an XY problem.



Hi Max,


As mentioned by @Stefan K., you should describe your use case in more depth to get a more precise solution.

For example, on ERS switches if you perform an authentication on the port you can limit the number of concurrent MACs to be allowed on the port.

Regards

Mig

Hi,

Thanks Stefan and Miguel. I actually don’t know much about the problem (customer asking). I’ve just posted his question, translated :)

I gave him both solutions (port security à la Cisco and the ACL). He should be happy by now.


Regards
