topic Re: EXOS | Mac-Locking vs Limit-learning/Lock-learning in ExtremeSwitching (EXOS/Switch Engine)

EXOS | Mac-Locking vs Limit-learning/Lock-learning

csantos — Mon, 17 Aug 2020 23:16:09 GMT

Hello,

We’re trying to upgrade our security level in the Access layer where we have EXOS stacks.

So, I was thinking to use Mac-locking to achieve our goals, because it is something that we already used in another customer, so, it’s very familiar.

However, a colleague of mine told me about limit-learning/lock-learning features. So what do you think about those? Should I go with mac-locking, or limit-learning/lock-learning?

Thanks in advance,

César Santos

Re: EXOS | Mac-Locking vs Limit-learning/Lock-learning

jeronimo — Mon, 17 Aug 2020 23:26:48 GMT

Mac Locking is probably better than nothing at all.

But you should probably evaluate the alternatives including dynamic authentication using Radius (Mac Auth / EAP) or maybe DHCP snooping.

Re: EXOS | Mac-Locking vs Limit-learning/Lock-learning

csantos — Mon, 17 Aug 2020 23:44:47 GMT

Hi Jeronimo,

We’re alredy using DHCP snooping and 802.1X auth and Mac Auth.

My problem here is with some “smart ones” that insist to connect some old Hubs to the network, even when the network admin explicitly says not to. The problem with those old Hubs is that they don’t send BPDUs to my EXOS stack. If they did, the bpdu-restrict feature would just simply put the port on disable state. The goal is that one. When someone connect an hub to the stacks, if the stack see more than just two MAC addresses (PC plus Phone) on the fdb table for a particular port, then it disables the port. I think Mac-locking is the best way to do that, because that will force the “smart ones” to contact the Network Admin.

Regards,

César Santos

Re: EXOS | Mac-Locking vs Limit-learning/Lock-learning

jeronimo — Mon, 17 Aug 2020 23:58:04 GMT

You should have described your actual problem immediately instead of asking what people “think about” a certain feature.

Why do you want to prevent a hub from being used? Even if they were to create a loop using the hub, bpdu-restrict would still catch it and disable the port.

I’m not sure if you can use Mac locking (first-arrival in your case) to disable the port if more addresses are seen. However it will simply not learn those addresses meaning those devices won’t work.

Re: EXOS | Mac-Locking vs Limit-learning/Lock-learning

csantos — Tue, 18 Aug 2020 00:15:25 GMT

Hi Jeronimo,

About your first paragraph. Sorry about that, let’s assume that I’ve misunderstood the purpose of the community. In my perspective, a community is for questions like this one. If I’ve an actual problem, I’ll go to the Support. Again, If I’m wrong, I’m sorry.

About your question regarding why do I want to prevent an hub from being used, let me ask you something. In your house, do you let your neighbour to use your resources without ask you, just because that does not hurt you? Besides, can we agree that, in the end, if a customer asks you something about a particular feature, your job is to give them the best possible answer?

At last, I know Mac-locking feature and how it works. My question was, I think, pretty straightforward. I would like to know the community experience with limit-learning/lock-learning and, if possible, compare with mac-locking.

Regards,

César Santos

Re: EXOS | Mac-Locking vs Limit-learning/Lock-learning

SamPirok — Tue, 18 Aug 2020 01:59:02 GMT

Hi Cesar, we welcome all kinds of posts related to Extreme on the Hub, theoretical or practical. And I’m sure we’re all familiar with the need to satisfy customer curiosity regarding different features.

Looking at your question here, mac-locking and limit-learning/lock-learning essentially do the same things. However, mac-locking prevents packets from being sent to the port if the destination MAC is not present, by removing the MAC entry from the FBD. This is an advantage over limit-learning/lock-learning, however if your traffic level is fairly low then you likely wouldn’t see much difference either way.

Hope that helps!

Re: EXOS | Mac-Locking vs Limit-learning/Lock-learning

csantos — Tue, 18 Aug 2020 15:02:31 GMT

Hi Sam,

Many thanks for your kind reply. Since both features are quite similar, we’ll go with Mac-locking, which is already familiar for us.

Again, thank you so much.

Regards.