EXOS | Mac-Locking vs Limit-learning/Lock-learning

csantos
New Contributor III

Hello,

We’re trying to upgrade our security level in the Access layer where we have EXOS stacks.

So, I was thinking to use Mac-locking to achieve our goals, because it is something that we already used in another customer, so, it’s very familiar.

However, a colleague of mine told me about limit-learning/lock-learning features. So what do you think about those? Should I go with mac-locking, or limit-learning/lock-learning?

Thanks in advance,

César Santos

1 ACCEPTED SOLUTION

SamPirok
Community Manager

Hi Cesar, we welcome all kinds of posts related to Extreme on the Hub, theoretical or practical. And I’m sure we’re all familiar with the need to satisfy customer curiosity regarding different features.

Looking at your question here, mac-locking and limit-learning/lock-learning essentially do the same things. However, mac-locking prevents packets from being sent to the port if the destination MAC is not present, by removing the MAC entry from the FDB. This is an advantage over limit-learning/lock-learning, however if your traffic level is fairly low then you likely wouldn’t see much difference either way.

Hope that helps!

csantos
New Contributor III

Hi Jeronimo,

We’re already using DHCP snooping and 802.1X auth and Mac Auth.

My problem here is with some “smart ones” that insist on connecting some old Hubs to the network, even when the network admin explicitly says not to. The problem with those old Hubs is that they don’t send BPDUs to my EXOS stack. If they did, the bpdu-restrict feature would just simply put the port in the disabled state. The goal is that one. When someone connects a hub to the stacks, if the stack sees more than just two MAC addresses (PC plus Phone) on the fdb table for a particular port, then it disables the port. I think Mac-locking is the best way to do that, because that will force the “smart ones” to contact the Network Admin.

Regards,

César Santos
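As an added example (not from this thread and not Extreme's own tooling), a small Python checker that applies the rule César describes, more than two dynamically learned MACs behind one access port, to an FDB listing. The `show fdb` column layout, flag letters and MAC addresses below are constructed approximations for illustration, not captured switch output.

```python
import re
from collections import defaultdict

# Constructed sample in the style of an EXOS "show fdb" listing (format
# approximated, not real switch output). Port 1:3 models the hub case:
# four MACs behind a port where only a PC plus a phone are expected.
SAMPLE_FDB = """\
Mac                     Vlan       Age  Flags         Port / Virtual Port List
------------------------------------------------------------------------------
00:04:96:1a:00:01    Default(0001) 0000 d m           1:1
00:04:96:1a:00:02    Voice(0100)   0002 d m           1:1
00:04:96:1a:00:10    Default(0001) 0001 d m           1:2
00:04:96:1a:00:20    Default(0001) 0000 d m           1:3
00:04:96:1a:00:21    Voice(0100)   0003 d m           1:3
00:04:96:1a:00:22    Default(0001) 0001 d m           1:3
00:04:96:1a:00:23    Default(0001) 0005 d m           1:3
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.I)


def parse_fdb(text):
    """Yield (mac, vlan, port) for each dynamically learned entry.

    Header and separator lines are skipped because their first token is not
    a MAC address. The flag column is assumed to carry 'd' for dynamic
    entries; static entries (no 'd') do not count toward the port limit.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not MAC_RE.match(parts[0]):
            continue
        mac, vlan, port = parts[0].lower(), parts[1], parts[-1]
        flags = parts[3:-1]
        if "d" not in flags:
            continue
        yield mac, vlan, port


def ports_over_limit(text, limit=2):
    """Return {port: sorted MAC list} for ports exceeding `limit` distinct MACs.

    The count is per port across all VLANs, matching the PC-plus-phone
    budget from the thread: a third MAC on an access port is the hub signal.
    """
    seen = defaultdict(set)
    for mac, _vlan, port in parse_fdb(text):
        seen[port].add(mac)
    return {p: sorted(macs) for p, macs in seen.items() if len(macs) > limit}


if __name__ == "__main__":
    for port, macs in ports_over_limit(SAMPLE_FDB).items():
        print(f"port {port}: {len(macs)} MACs learned -> {', '.join(macs)}")
```

On a real stack the same rule would be enforced by the switch's own MAC limit on the port; this script only shows how the FDB evidence for that decision looks.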

jeronimo
Contributor III

Mac Locking is probably better than nothing at all.

But you should probably evaluate the alternatives including dynamic authentication using Radius (Mac Auth / EAP) or maybe DHCP snooping.