<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic RE: Mac based port security and removing / modifying configuration in ExtremeSwitching (EXOS/Switch Engine)</title>
    <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40248#M9048</link>
    <description>&lt;P&gt;We are still looking for an easy way to bind mac addresses (either 1 or multiple) to ports, so that other devices will not connect to that port if connected to it, or in line…&amp;nbsp;or people just can't move ports without us easily resetting that binding.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have a lot of Cisco 3750x series, going EOL 2021.&amp;nbsp; We have a lot of money to invest in switching in the next 3 years, and with no response on this I think I will cross shop Cisco and Arista instead of Cisco and Extreme.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's sad there is lack of participation here and a complete utter disregard for the customer.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 17 Oct 2019 00:39:00 GMT</pubDate>
    <dc:creator>Keith9</dc:creator>
    <dc:date>2019-10-17T00:39:00Z</dc:date>
    <item>
      <title>Mac based port security and removing / modifying configuration</title>
      <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40240#M9040</link>
      <description>I was trying to experiment with the EXOS version of what we do on our Cisco switches which is mac-address based security tied to a port.&lt;BR /&gt;
&lt;BR /&gt;
Sometimes we will use the following Cisco commands on a port for example:&lt;BR /&gt;
 switchport port-security maximum 2&lt;BR /&gt;
 switchport port-security mac-address sticky&lt;BR /&gt;
 switchport port-security mac-address sticky 484d.7e00.0000 vlan access&lt;BR /&gt;
 switchport port-security mac-address sticky 0004.f200.0001 vlan voice&lt;BR /&gt;
&lt;BR /&gt;
Really we just type in the first two lines, and the switch automatically fills in the lines with the mac addresses as they are learned.  If you plug a different device in, the port shuts down.  If you plug one of those devices into a different port on the switch, the port shuts down.  If moving devices or swapping devices we just issue a no in front of the command with the mac address we want to remove, after the cable is unplugged.&lt;BR /&gt;
&lt;BR /&gt;
So I have a laptop here with two USB nics and I just want to try the EXOS equivalent of this, but limit it to learning one mac address, so I can verify with my second nic that the port will shut down.&lt;BR /&gt;
&lt;BR /&gt;
I first found this on gtac kb:&lt;BR /&gt;
configure port 2 vlan Default limit-learning 1 action stop-learning&lt;BR /&gt;
However I get a network connection with either USB nic and successful pings.  So it doesn't appear to be stopping anything.&lt;BR /&gt;
&lt;BR /&gt;
Then I found this one on gtac kb:&lt;BR /&gt;
configure mac-locking ports 2 first-arrival limit-learning 1&lt;BR /&gt;
However the first command above is still on port 2 on this test switch, see below:&lt;BR /&gt;
* X450G2-24p-G4.102 # sh configuration | grep learning&lt;BR /&gt;
configure port 2 vlan Default limit-learning 1 action stop-learning&lt;BR /&gt;
configure mac-locking ports 2 first-arrival limit-learning 1&lt;BR /&gt;
How can I make the first line "go away"?  I tried unconfigure port 2 vlan Default limit-learning 1 action stop-learning and it was invalid.&lt;BR /&gt;
&lt;BR /&gt;
Also can you steer me in the right direction how to accomplish (and maintain) the equivalent Cisco feature on EXOS?&lt;BR /&gt;
&lt;BR /&gt;
I eventually want to get this working in Netsight under Control with our nac VM.  We're a very new install and though I have stuff in there on this test switch, it doesn't block traffic.  I'm envisioning an easy to use and maintain place for the entire IT department of 6 to go in and add or remove mac addresses to a list.  Basically if your mac address is in that list, you are on the network.  If not, the port goes dead.&lt;BR /&gt;
&lt;BR /&gt;
Thanks!&lt;BR /&gt;
&lt;BR /&gt;</description>
      <pubDate>Thu, 07 Jun 2018 20:31:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40240#M9040</guid>
      <dc:creator>kjstech</dc:creator>
      <dc:date>2018-06-07T20:31:00Z</dc:date>
    </item>
    <item>
      <title>RE: Mac based port security and removing / modifying configuration</title>
      <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40241#M9041</link>
      <description>Hello Kjstech,&lt;BR /&gt;
&lt;BR /&gt;
You can remove that command by using the following:&lt;BR /&gt;
&lt;BR /&gt;
"configure port 2 vlan default unlimited-learning"&lt;BR /&gt;
&lt;BR /&gt;
In order to configure this and not have the action as "stop-learning" you will have to choose an option:&lt;BR /&gt;
&lt;BR /&gt;
configure port 2 vlan default limit-learning 1 action blackhole&lt;BR /&gt;</description>
      <pubDate>Thu, 07 Jun 2018 20:50:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40241#M9041</guid>
      <dc:creator>Patrick_Voss</dc:creator>
      <dc:date>2018-06-07T20:50:00Z</dc:date>
    </item>
    <item>
      <title>RE: Mac based port security and removing / modifying configuration</title>
      <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40242#M9042</link>
      <description>Ok I was able to undo that.  Looks like the second command does what I would expect.&lt;BR /&gt;
The first NIC connected works.  Switching the cable to the other nic does not get an IP address, nor ping.  Odd though in sh log there was nothing logged for this event.&lt;BR /&gt;
&lt;BR /&gt;
Is one way better than the other, or is this two ways to accomplish the same thing?&lt;BR /&gt;
&lt;BR /&gt;
configure port 2 vlan default limit-learning 1 action blackhole&lt;BR /&gt;
 vs&lt;BR /&gt;
configure mac-locking ports 2 first-arrival limit-learning 1&lt;BR /&gt;
&lt;BR /&gt;
Right now I have mac-locking on, but how do I maintain that?  Let's say I replace or move a device.  Unconfigure mac-locking says invalid input detected at marker.&lt;BR /&gt;
&lt;BR /&gt;</description>
      <pubDate>Thu, 07 Jun 2018 21:03:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40242#M9042</guid>
      <dc:creator>kjstech</dc:creator>
      <dc:date>2018-06-07T21:03:00Z</dc:date>
    </item>
    <item>
      <title>RE: Mac based port security and removing / modifying configuration</title>
      <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40243#M9043</link>
      <description>Actually it didn't work, it was my laptop.  The usb nic doesn't work in the right usb port.  Both USB nics only work in the left usb port so I can only use one at a time.&lt;BR /&gt;
&lt;BR /&gt;
Anyway I thought I had to do more configuration, like tell the port WHAT to do after it reached its limit, and also actually ENABLE the feature.  I did that, but it still doesn't do anything.&lt;BR /&gt;
configure mac-locking ports 2 learn-limit-action disable-port&lt;BR /&gt;
enable mac-locking ports 2&lt;BR /&gt;
And how about logging, well I tried this:&lt;BR /&gt;
configure mac-locking ports 1-24 log on&lt;BR /&gt;
configure mac-locking ports 2 trap violation on&lt;BR /&gt;
MAC locking is globally disabled.&lt;BR /&gt;
&lt;BR /&gt;
Port   MAC  Trap     Log      FA    Limit    Link   Max Max  Last Violating&lt;BR /&gt;
       Lock Thr|Viol Thr|Viol Aging Action   Down   Stc FA   MAC Address&lt;BR /&gt;
       Stat                         Cfg|Stat Action&lt;BR /&gt;
-----  ---- -------- -------- ----- -------- ------ --- ---  -----------------&lt;BR /&gt;
1      dis  off|off  off|on   dis   ena|ena  clear   64 600  00:00:00:00:00:00&lt;BR /&gt;
2      ena  off|on   off|on   dis   dis|ena  clear   64   1  00:00:00:00:00:00&lt;BR /&gt;
&lt;BR /&gt;
Still both usb nics work and get network access.&lt;BR /&gt;
&lt;BR /&gt;</description>
      <pubDate>Thu, 07 Jun 2018 21:16:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40243#M9043</guid>
      <dc:creator>kjstech</dc:creator>
      <dc:date>2018-06-07T21:16:00Z</dc:date>
    </item>
    <item>
      <title>RE: Mac based port security and removing / modifying configuration</title>
      <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40244#M9044</link>
      <description>I'm wondering if mac locking means it will learn 1 mac address as shown above, but let's say I try to pass through a phone, or heck, connect a downstream switch with a bunch of other devices on it.  I'm thinking it doesn't in a sense "Marry" or "bind" a particular mac address on the port, but it limits the number of simultaneous mac addresses that can communicate on the port at the same time.  That's why I always have access since I'm just plugging it into a laptop.&lt;BR /&gt;
&lt;BR /&gt;
I just undid all of that configuration and I will go down exploring the avenue of configure port 2 vlan default limit-learning 1 action blackhole</description>
      <pubDate>Thu, 07 Jun 2018 21:16:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40244#M9044</guid>
      <dc:creator>kjstech</dc:creator>
      <dc:date>2018-06-07T21:16:00Z</dc:date>
    </item>
    <item>
      <title>RE: Mac based port security and removing / modifying configuration</title>
      <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40245#M9045</link>
      <description>kjstech,&lt;BR /&gt;
&lt;BR /&gt;
Your timing is impeccable because I am working on mac locking with another customer in our lab. Based on the configuration it looks like the configure port command is on a per port and VLAN basis where mac locking is done at the overall port level and you can log and trap if you want.&lt;BR /&gt;
&lt;BR /&gt;
I will let you know more info once I find it during my testing.</description>
      <pubDate>Thu, 07 Jun 2018 22:25:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40245#M9045</guid>
      <dc:creator>Patrick_Voss</dc:creator>
      <dc:date>2018-06-07T22:25:00Z</dc:date>
    </item>
    <item>
      <title>RE: Mac based port security and removing / modifying configuration</title>
      <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40246#M9046</link>
      <description>Hello,&lt;BR /&gt;
&lt;BR /&gt;
I am wondering what &lt;USER-MENTION data-id="3189230"&gt;@kjstech&lt;/USER-MENTION&gt;  and &lt;USER-MENTION data-id="7481957"&gt;@Patrick Voss&lt;/USER-MENTION&gt; came up with for making this work, as I am on a similar journey.  Basically, I would like to pin the current MAC addresses to a port (whatever is plugged in right now) and if a new device is attached to that port, send it to the blackhole.  If we need to connect a new device to the port, we would need to clear the entry to allow it to be connected to the port.</description>
      <pubDate>Wed, 20 Mar 2019 01:07:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40246#M9046</guid>
      <dc:creator>Bruce_Garlock</dc:creator>
      <dc:date>2019-03-20T01:07:00Z</dc:date>
    </item>
    <item>
      <title>RE: Mac based port security and removing / modifying configuration</title>
      <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40247#M9047</link>
      <description>It doesn’t look like Patrick ever replied what he found during his testing.  I would like a really easy and simple way to approach Mac based port security exactly like Cisco.  The ports should be configured, allow 1 or 2 Mac addresses on it, then deny anything else on that port.  If the device has to be replaced or moved, we would want a simple one liner command to clear the mac’s and allow the port to relearn and allow the next device that connects. &lt;BR /&gt;
&lt;BR /&gt;
We have a reason to allow 2 macs (many PCs are connected through a Polycom phone), or in some cases multiple macs (like someone running VMware workstation with multiple machines).&lt;BR /&gt;
&lt;BR /&gt;
I really hope someone has a way to easily replicate this Cisco bread and butter functionality on XOS.  I have some older Cisco switches in some access closets hitting EOL soon and although I would consider replacing them with Extreme switches, the lack of Mac based port security has me looking at new Catalyst 9300’s.  Don’t get me wrong, we love our Extreme switches at the core which do all of our L3, OSPF and aggregation.</description>
      <pubDate>Wed, 20 Mar 2019 08:31:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40247#M9047</guid>
      <dc:creator>Keith9</dc:creator>
      <dc:date>2019-03-20T08:31:00Z</dc:date>
    </item>
    <item>
      <title>RE: Mac based port security and removing / modifying configuration</title>
      <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40248#M9048</link>
      <description>&lt;P&gt;We are still looking for an easy way to bind mac addresses (either 1 or multiple) to ports, so that other devices will not connect to that port if connected to it, or in line…&amp;nbsp;or people just can't move ports without us easily resetting that binding.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have a lot of Cisco 3750x series, going EOL 2021.&amp;nbsp; We have a lot of money to invest in switching in the next 3 years, and with no response on this I think I will cross shop Cisco and Arista instead of Cisco and Extreme.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's sad there is lack of participation here and a complete utter disregard for the customer.&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 17 Oct 2019 00:39:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40248#M9048</guid>
      <dc:creator>Keith9</dc:creator>
      <dc:date>2019-10-17T00:39:00Z</dc:date>
    </item>
    <item>
      <title>RE: Mac based port security and removing / modifying configuration</title>
      <link>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40249#M9049</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For EOS devices, how to configure sticky learning mode on the port?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards!&lt;/P&gt;</description>
      <pubDate>Thu, 31 Dec 2020 05:45:00 GMT</pubDate>
      <guid>https://community.extremenetworks.com/t5/extremeswitching-exos-switch/mac-based-port-security-and-removing-modifying-configuration/m-p/40249#M9049</guid>
      <dc:creator>Jose_Sanchez_As</dc:creator>
      <dc:date>2020-12-31T05:45:00Z</dc:date>
    </item>
  </channel>
</rss>

