I believe you are asking whether a single firstarrival source MAC address learned on a single switch port can be used to deny ingress of that same MAC address throughout the remainder of the network.
Your reference to the 6.61 firmware line would include the SecureStack A4/B3/B5/C3/C5-Series, the G-Series, and the I-Series switches.
A key point is that any MAC Locking configuration will regulate all ethernet ports controllable under that configuration.
So for the SecureStack products, this might include the ports of as many as eight switches which are members of a given stack.
For the G-Series and I-Series, it would include only the ports of the one switch unit.
For a network-wide treatment to be applied in response to any given dynamically-learned MAC address, I know of no means of doing this if the network is larger than just a given switch or stack, with connected clients.
For a network-wide treatment to be applied in response to any given statically-configured MAC address, I'd consider using NetSight Policy Manager to deny ingress of that source MAC address on all ethernet ports except the one through which it is permitted to function - then enforce that policy to all switches on the network. That requires manual effort and ongoing vigilance, and is not particularly scalable in terms of the number of policy rules that this type of thing could consume for many MAC addresses - thus is not practical for anything other than a limited implementation.
In short: No, with possible workarounds.
I'll be interested to see if there are any other approaches suggested.
