07-17-2019 07:37 PM
So an example in the Cisco world for a typical end user port that passes through a phone:
interface GigabitEthernet1/0/20
 description D56
 switchport mode access
 switchport voice vlan 172
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 1866.da09.xxxx
 switchport port-security mac-address sticky 0004.f2b2.xxxx vlan voice
 switchport port-security
 ip access-group acl1 in
 mls qos trust dscp
 spanning-tree portfast edge
!
Or if just one device is connected, it's a little easier (you don't need to give it a maximum):
interface GigabitEthernet1/0/21
 description D102
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 9cae.d386.xxxx
 switchport port-security
 ip access-group acl1 in
Let's say I need to upgrade a computer or move a computer on Gi1/0/20 above. I would simply unplug the network port from the back of the computer and on the switch I would enter config mode and go into int Gi1/0/20 and enter:
no switchport port-security mac-address sticky 1866.da09.xxxx
then exit config mode.
I would plug in the new machine and since that port has a maximum of 2 and I removed just one of the MACs, upon the new machine powering on, the switch would automatically add the new MAC address to the configuration. I would wr mem and be done with it.
What is the most straightforward way to accomplish the same thing in the EXOS world?
Thank you for your assistance!
07-18-2019 01:18 PM
To allow 2 clients/MAC addresses to be on the port:
configure mac-locking ports port_list first-arrival limit-learning 2
There are other related commands that allow for actions when the port goes down, etc. All are listed in the CLI guide.
10-21-2019 09:00 PM
Yes, I got that to work. I was just curious if I was missing something to have the switch retry the port if the original device is plugged back in. Cisco has an errdisable recovery timer which I think we have set to 30 (seconds). I got the port violations to log but I can’t get NetSight to email alert me. Strange, because I have no issues getting OSPF alerts.
10-21-2019 07:35 PM
How would you like it to work?
I guess this is one thing you’d like:
configure mac-locking ports port_list learn-limit-action remain-enabled
From the EXOS user guide:

“Disable/Enable port when MAC threshold is reached
This command is used to configure the disabling of ports when the configured MAC threshold is met. This is used for both “first arrival” and “static” MAC locking methods.
configure mac-locking ports port_list learn-limit-action [disable-port | remain-enabled]
The port is disabled when the configured MAC threshold is met. All the FDB entries learned on this port are flushed as the port is disabled. This configuration can be reset using the clear mac-locking disabled-state ports port_list command. When MAC locking is disabled on the port, the port comes back up.

Clearing the Disabled-state of a Port
This command is used to return the behavior of first arrival MAC locking with link state change to its default value of enabled.
clear mac-locking disabled-state ports port_list

Delete Static MAC Locking Entries
To delete MAC locking for all static MAC address or the specified static MAC address on the given port, use the following command:
configure mac-locking ports port_list static delete station [station_mac_address | all]

Clearing MAC Locking entries
The following command is used to clear MAC locking station entries for the given parameters:
clear mac-locking station [all | {mac station_mac_address} {firstarrival | static} {ports port_list}]”

Have a look in the user guide (page 898 in the 22.6 version).
/Fredrik
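
An added example, not part of any post in this thread and not Extreme's or Cisco's own tooling: a small Python translator that reads Cisco port-security stanzas like the ones in the question and emits the two EXOS MAC-locking commands quoted above for each secured port. The sample config is constructed, the Cisco-to-EXOS port mapping is an assumption supplied by the caller, and anything else the feature needs beyond these two commands is left to the CLI guide.

```python
import re

# Constructed sample input, modelled on the Cisco stanzas in the question.
SAMPLE_CISCO = """\
interface GigabitEthernet1/0/20
 switchport mode access
 switchport voice vlan 172
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security
!
interface GigabitEthernet1/0/21
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security
!
interface GigabitEthernet1/0/22
 switchport mode access
!
"""

def parse_port_security(config):
    """Return {interface: max_macs} for interfaces with port security enabled."""
    ports, current, settings = {}, None, {}
    for raw in config.splitlines() + ["!"]:
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m or line == "!":  # a new stanza or a separator closes the previous one
            if current and settings.get("enabled"):
                ports[current] = settings.get("maximum", 1)  # Cisco default maximum is 1
            current, settings = (m.group(1) if m else None), {}
        elif line == "switchport port-security":
            settings["enabled"] = True
        elif (mx := re.match(r"switchport port-security maximum (\d+)$", line)):
            settings["maximum"] = int(mx.group(1))
    return ports

def to_exos(ports, port_map, keep_link_up=True):
    """Emit EXOS MAC-locking commands; port_map (Cisco name -> EXOS port) is an assumption."""
    cmds = []
    for name, limit in ports.items():
        port = port_map[name]
        cmds.append(f"configure mac-locking ports {port} first-arrival limit-learning {limit}")
        action = "remain-enabled" if keep_link_up else "disable-port"
        cmds.append(f"configure mac-locking ports {port} learn-limit-action {action}")
    return cmds
```

Ports without `switchport port-security` are skipped, so the output doubles as a list of which access ports are actually locked down.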
10-16-2019 06:24 PM
Ok I found a series of commands that seem to work. It does learn 1 MAC address. I then plug in a different device and the port disables. The issue is that when I plug back in the original device, the port is still down. It’s like I have to disable and enable the port. At least Cisco retries in 30 secs (errdisable-recovery). The more automated the better.
