This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

EXOS | Mac-Locking vs Limit-learning/Lock-learning

EXOS | Mac-Locking vs Limit-learning/Lock-learning

Go to solution
csantos
New Contributor III

‎08-17-2020 04:16 PM

Hello,

We’re trying to upgrade our security level in the Access layer where we have EXOS stacks.

So, I was thinking to use Mac-locking to achieve our goals, because it is something that we already used in another customer, so, it’s very familiar.

However, a colleague of mine told me about limit-learning/lock-learning features. So what do you think about those? Should I go with mac-locking, or limit-learning/lock-learning?

Thanks in advance,

César Santos

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
SamPirok
Community Manager Community Manager
Community Manager

‎08-17-2020 06:59 PM

Hi Cesar, we welcome all kinds of posts related to Extreme on the Hub, theoretical or practical. And I’m sure we’re all familiar with the need to satisfy customer curiosity regarding different features.

Looking at your question here, mac-locking and limit-learning/lock-learning essentially do the same things. However, mac-locking prevents packets from being sent to the port if the destination MAC is not present, by removing the MAC entry from the FBD. This is an advantage over limit-learning/lock-learning, however if your traffic level is fairly low then you likely wouldn’t see much difference either way. 

Hope that helps!

View solution in original post

0 Kudos
6 REPLIES 6

Go to solution
csantos
New Contributor III

‎08-17-2020 04:44 PM

Hi Jeronimo,

We’re alredy using DHCP snooping and 802.1X auth and Mac Auth. 

My problem here is with some “smart ones” that insist to connect some old Hubs to the network, even when the network admin explicitly says not to. The problem with those old Hubs is that they don’t send BPDUs to my EXOS stack. If they did, the bpdu-restrict feature would just simply put the port on disable state. The goal is that one. When someone connect an hub to the stacks, if the stack see more than just two MAC addresses (PC plus Phone) on the fdb table for a particular port, then it disables the port. I think Mac-locking is the best way to do that, because that will force the “smart ones” to contact the Network Admin. 

Regards,

César Santos

0 Kudos

Go to solution
jeronimo
Contributor III

‎08-17-2020 04:26 PM

Mac Locking is probably better than nothing at all.

But you should probably evaluate the alternatives including dynamic authentication using Radius (Mac Auth / EAP) or maybe DHCP snooping.

0 Kudos
GTM-P2G8KFN