https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27938#M75 Hi Tom,<BR /> <BR /> did you look into the <I>Secure MAC</I> feature?<BR /> <BLOCKQUOTE>You can configure a MAC address to be permitted only on a specified set of ports. Secure MAC addresses, if learned, are still aged out like other dynamically learned entries, and can also be cleared. To configure the authorized set of ports on which the MAC address should be permitted, use the following command:<BR /> <BR /> create fdbentry secure-mac <MAC_ADDRESS> vlan <VLAN name=""> ports <BR /> <BR /> To clear all the dynamic, non-permanent blackholed entries that were created as a result of secure MAC violations, use the following command:<BR /> <BR /> clear fdb blackhole<BR /> <BR /> To see the number of blackhole entries created as a result of secure MAC violations, use the following command:<BR /> <BR /> show vlan <VLAN_NAME> security<BR /> <BR /> The output of the show fdb permanent command indicates secure MAC addresses.<BR /> </VLAN_NAME></VLAN></MAC_ADDRESS></BLOCKQUOTE>Regarding the explicit deny, you could deny all IP traffic without checking the MAC address.<BR /> <BR /> Thanks,<BR /> Erik Thu, 08 Jun 2017 14:33:00 GMT Erik_Auerswald 2017-06-08T14:33:00Z https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27937#M74 I am trying to figure out how to enable port security on Extreme Summit 300-24 switches. Cisco provides this as a configurable feature. I don't believe Extreme has a comparable feature so I have been trying to use access lists to perform the same basic function. I have no problem creating the necessary access-msk and acl to permit a specific source mac address and apply it to a specific port but I believe I also have to create a deny all source mac acl entry to implicitly deny all other source mac addresses. It does not appear as though I can use wildcard for the implicit deny. <BR /> Does anyone have knowledge on how to accomplish this?<BR /> <BR /> Thank you<BR /> Wed, 07 Jun 2017 02:31:00 GMT https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27937#M74 Tom_Gavin 2017-06-07T02:31:00Z https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27938#M75 Hi Tom,<BR /> <BR /> did you look into the <I>Secure MAC</I> feature?<BR /> <BLOCKQUOTE>You can configure a MAC address to be permitted only on a specified set of ports. Secure MAC addresses, if learned, are still aged out like other dynamically learned entries, and can also be cleared. To configure the authorized set of ports on which the MAC address should be permitted, use the following command:<BR /> <BR /> create fdbentry secure-mac <MAC_ADDRESS> vlan <VLAN name=""> ports <BR /> <BR /> To clear all the dynamic, non-permanent blackholed entries that were created as a result of secure MAC violations, use the following command:<BR /> <BR /> clear fdb blackhole<BR /> <BR /> To see the number of blackhole entries created as a result of secure MAC violations, use the following command:<BR /> <BR /> show vlan <VLAN_NAME> security<BR /> <BR /> The output of the show fdb permanent command indicates secure MAC addresses.<BR /> </VLAN_NAME></VLAN></MAC_ADDRESS></BLOCKQUOTE>Regarding the explicit deny, you could deny all IP traffic without checking the MAC address.<BR /> <BR /> Thanks,<BR /> Erik Thu, 08 Jun 2017 14:33:00 GMT https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27938#M75 Erik_Auerswald 2017-06-08T14:33:00Z https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27939#M76 Hi Tom,<BR /> <BR /> In ExtremeWare you can enable lock learning on a port to lock the currently learned MAC address and not allow any other MACs to be learned on the specified port. The syntax for the command with its options is as follows:<BR /> <BR /> configure ports vlan <VLAN name=""> [limit-learning <NUMBER> | lock-learning | <BR /> unlimited-learning | unlock-learning]<BR /> <BR /> For example if you would like to locked the learned MAC for a device attached to port 1 that is part, the command will be:<BR /> <BR /> configure ports 1 vlan <VLAN name=""> lock-learning<BR /> <BR /> Please let us know if you have any questions.<BR /> Thank you.<BR /> <BR /> Best regards,<BR /> Andrew <BR /> <BR /></VLAN></NUMBER></VLAN> Thu, 08 Jun 2017 15:03:00 GMT https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27939#M76 Andrew_Imam 2017-06-08T15:03:00Z https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27940#M77 <BR /> Andrew,<BR /> <BR /> Tried it and it works great.<BR /> It does not get much easier than that! <BR /> <BR /> Thank you<BR /> Tom Thu, 08 Jun 2017 15:03:00 GMT https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27940#M77 Tom_Gavin 2017-06-08T15:03:00Z https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27941#M78 Hi Tom,<BR /> <BR /> Thanks for the update. I am glad that it worked for you.<BR /> <BR /> Best regards,<BR /> Andrew<BR /> Thu, 08 Jun 2017 15:03:00 GMT https://community.extremenetworks.com/t5/security/permit-specific-mac-address-per-port/m-p/27941#M78 Andrew_Imam 2017-06-08T15:03:00Z