topic Vlan MAC Limit in ExtremeSwitching (EXOS/Switch Engine)

Vlan MAC Limit

mkraft — Fri, 08 Jan 2021 22:05:23 GMT

Hi,

we want to set a MAC limit (1) on a VLAN on a port. The MAC is to be permanently configured and every packet that does not come from the MAC on the VLAN is to be discarded and not forwarded or otherwise stored/recorded. Of course there are other VLANs on the port, which should not be affected by this.

Idea:

# create fdb <MAC> vlan <VLAN> ports <PORT>
# configure ports <PORT> vlan <VLAN> limit-learning 0 action stop-learning

Question: can we create a ACL for this? and if yes, how it would look like?

many thx in advance 🙂

Re: Vlan MAC Limit

Stefan_K_ — Fri, 08 Jan 2021 23:11:31 GMT

I believe this is an switch uplink?

If you use an ACL you don’t need to limit learning and so on. An ACL could look like this:

entry permit_MAC {
if match any {
ethernet-source-address xx:xx:xx:xx:xx:xx;
ethernet-destination-address xx:xx:xx:xx:xx:xx;
} then {
permit;
}
}

entry block_all {
if {
}
then {
deny;
}
}

ACL must be applied on the specific vlan. I didn’t test it.

In order to help you better, more information is neccessary. If we know what and why you try to achieve, we might find a better solution. Maybe we even have an XY-Problem.

Re: Vlan MAC Limit

Miguel-Angel_RO — Sat, 09 Jan 2021 20:43:36 GMT

Hi Max,

As mentoinned by @Stefan K. you should describe more deeply your use case to get a more precise solution.

For example, on ERS switches if you perform an authentication on the port you can limit the number of concurrent MACs to be allowed on the port.

Regards

Mig

Re: Vlan MAC Limit

mkraft — Tue, 12 Jan 2021 02:29:54 GMT

Hi,

thx Stefan and Miguel. I actually dont know much about the problem (customer asking). I’ve just posted his question, translated, 🙂

I gave hime both Solutions (Port Security à la Cisco and the ACL). He should be happy by now.

Regards