topic RE: Locking a device to a specific port in ExtremeSwitching (EXOS/Switch Engine)

Locking a device to a specific port

davidj_cogliane — Thu, 02 Aug 2018 20:39:00 GMT

We have a customer who wants to lock specific MAC addresses to specific ports as a form of location tracking.
They want 10:20:30:40:50:ab to only be able to connect to ABC MDF port 1:1.
Is there a way to accomplish this in XOS on X460s and X440s?

Does any vendor support something like this? Not looking to sell another product, but hoping I can say the desired behavior is not an option on any vendors equipment.

As I currently understand it MAC locking does not work that way. I believe it works more like the example provided below.
10:20:30:40:50:ab is the only MAC allowed on ABC MDF port 1:1

10:20:30:40:50:ab is still able to connect to ABC IDF-1 port 2:2

RE: Locking a device to a specific port

AnonymousM — Thu, 02 Aug 2018 23:26:00 GMT

You can either use static MAC entries or use MAC locking with a lern limit of 1. Then the first seen MAC will be converted into a static entry and all further MAC addresses will be discarded.

RE: Locking a device to a specific port

davidj_cogliane — Thu, 02 Aug 2018 23:31:00 GMT

Olaf,

This is the way I thought it worked.

Our customer is not concerned about what is on that port, but rather where a certain MAC is located.

They want 10:20:30:40:50:ab to only be able to connect to ABC MDF port 1:1.
Is there a way to accomplish this in XOS on X460s and X440s?

I read your reply as saying "only 10:20:30:40:50:ab can connect on ABC MDF port 1:1, but it would still be able to connect on AAB IDF port 2:2 as well"
I'm I reading your reply correctly?

RE: Locking a device to a specific port

Ronald_Dvorak — Thu, 02 Aug 2018 23:31:00 GMT

You are correct - you'd need to lock all ports to avoid that but that is not what you are looking for = other MACs should be able to connect to every port available.

For how many MACs does the customer like to do that.... are we talking 10/100/1k ?

RE: Locking a device to a specific port

davidj_cogliane — Thu, 02 Aug 2018 23:31:00 GMT

2,500 they are trying to prevent teachers from moving phones out of the room it belongs in. In the US they are implamenting E-911. My understanding is that the police needs to know what room or area of a building a call is coming from. As a result phone extensions are mapped to certain rooms and if the phone is on the other side of the building the police would be working with bad information. Apparently teachers don't understand the importance of safety and can not be trusted to not move phones around. So the tech department is trying to make the phones only work on a particular port.

RE: Locking a device to a specific port

Ronald_Dvorak — Thu, 02 Aug 2018 23:31:00 GMT

So MAC-auth with NAC isn't a great idea as that would mean 2.500 rules...

I don't have any experience with such service but could LLDP with ELIN work !?
Not in regards to locking the port but as a E911 solution.

https://documentation.extremenetworks.com/exos_commands_22.4/exos_21_1/exos_commands_all/r_configure...

RE: Locking a device to a specific port

davidj_cogliane — Thu, 02 Aug 2018 23:31:00 GMT

Ronald,

Thanks for the suggestion.

This has led me to an interesting rabbit hole though this will not help the customer in question because they have G1 switches, it could be useful in the future.

I am still trying to figure out how or even what the location gets configured on...

RE: Locking a device to a specific port

Ronald_Dvorak — Thu, 02 Aug 2018 23:31:00 GMT

My colleague pointed me to this product as it's certified with our PBX solution.

http://www.redskye911.com/e911-manager

http://www.redskye911.com/sites/default/files/E911ManagerDatasheet.pdf

As far as I unterstand you configure the ELIN on the switch port, the 911 manager has then a table e.g. ELIN#123 = 3rd floor, room#301 and then this info is tx to the 911 call center.
So must of the work is done by the PBX and 911manager.

RE: Locking a device to a specific port

Drew_C — Thu, 02 Aug 2018 23:31:00 GMT

David, the documentation is a little misleading. That command has been around since EXOS 11.5 and works on the G1 models too. The newer guides list the new G2 platforms since G1s aren't supported there.
https://documentation.extremenetworks.com/exos_commands_16/EXOS_16_2/exos_commands_all/r_configure-l...

RE: Locking a device to a specific port

davidj_cogliane — Thu, 02 Aug 2018 23:31:00 GMT

Thanks Drew, that makes sense.

I think they would still need something like Redsky to tie all the information together.

RE: Locking a device to a specific port

davidj_cogliane — Thu, 02 Aug 2018 23:31:00 GMT

This looks like the write answer when combined with the LLDP location advertisement.

RE: Locking a device to a specific port

Karthik_Mohando — Fri, 03 Aug 2018 16:49:00 GMT

Hi David,

This may suit the requirement but needs a lot of manual configuration, please test and see if this helps.

create fdb 10:20:30:40:50:ab vlan "phone" ports 1
disable learning ports 1

https://documentation.extremenetworks.com/exos_commands_22.1/exos_21_1/exos_commands_all/r_disable-l...

RE: Locking a device to a specific port

Ronald_Dvorak — Fri, 03 Aug 2018 16:49:00 GMT

That doens't prevent the user to plug the device to port#2 which is what the customer requires - right ?!

RE: Locking a device to a specific port

Ronald_Dvorak — Fri, 03 Aug 2018 16:49:00 GMT

I've tried it and that looks like it could work on the same switch = static > dynamic learning but what about in a network with more then 1 switch.

e.g. create the static entry on switch#1 but connect the device to switch#3.
In that case switch#3 uses the dynamic learned local MAC and not what was learned via the trunk to switch #1.

RE: Locking a device to a specific port

Karthik_Mohando — Fri, 03 Aug 2018 16:55:00 GMT

In addition the below can also be very suitable for dropping all the other packets except the static fdb.
disable learning drop-packets ports 1
drop-packets Drop packets with unknown source MAC addresses