
Locking a device to a specific port

davidj_cogliane
Contributor
We have a customer who wants to lock specific MAC addresses to specific ports as a form of location tracking.
They want 10:20:30:40:50:ab to only be able to connect to ABC MDF port 1:1.
Is there a way to accomplish this in XOS on X460s and X440s?

Does any vendor support something like this? Not looking to sell another product, but hoping I can say the desired behavior is not an option on any vendor's equipment.

As I currently understand it, MAC locking does not work that way. I believe it works more like the example provided below.
10:20:30:40:50:ab is the only MAC allowed on ABC MDF port 1:1

10:20:30:40:50:ab is still able to connect to ABC IDF-1 port 2:2
14 REPLIES

Ronald,

Thanks for the suggestion.

This has led me to an interesting rabbit hole, though this will not help the customer in question because they have G1 switches. It could be useful in the future.

I am still trying to figure out how or even what the location gets configured on...

So MAC-auth with NAC isn't a great idea as that would mean 2.500 rules...

I don't have any experience with such service but could LLDP with ELIN work !?
Not in regards to locking the port but as an E911 solution.

https://documentation.extremenetworks.com/exos_commands_22.4/exos_21_1/exos_commands_all/r_configure...

2,500 they are trying to prevent teachers from moving phones out of the room it belongs in. In the US they are implementing E-911. My understanding is that the police needs to know what room or area of a building a call is coming from. As a result phone extensions are mapped to certain rooms and if the phone is on the other side of the building the police would be working with bad information. Apparently teachers don't understand the importance of safety and can not be trusted to not move phones around. So the tech department is trying to make the phones only work on a particular port.

You are correct - you'd need to lock all ports to avoid that but that is not what you are looking for = other MACs should be able to connect to every port available.

For how many MACs does the customer like to do that.... are we talking 10/100/1k ?

AnonymousM
Valued Contributor II
You can either use static MAC entries or use MAC locking with a learn limit of 1. Then the first seen MAC will be converted into a static entry and all further MAC addresses will be discarded.
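The thread separates two things: MAC locking limits which MAC a port accepts, but it does not stop that MAC from appearing on a different port. The sketch below covers the second case from the detection side; it is an added example, not part of any post above and not Extreme tooling. The inventory, the switch names and the CSV export layout are constructed assumptions, and the export is assumed to list edge ports only, since uplinks learn every MAC behind them.

```python
import csv
import io

# Constructed inventory: tracked phone MAC -> the one (switch, port) it belongs on.
EXPECTED = {
    "10:20:30:40:50:ab": ("ABC-MDF", "1:1"),
    "10:20:30:40:50:cd": ("ABC-IDF-1", "2:2"),
}

# Constructed forwarding-table export (edge ports only); not real switch output.
FDB_SAMPLE = """\
switch,mac,port
ABC-MDF,10:20:30:40:50:AB,1:1
ABC-IDF-1,10-20-30-40-50-cd,2:5
ABC-IDF-1,00:11:22:33:44:55,2:2
ABC-MDF,00:aa:bb:cc:dd:ee,1:7
"""

def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex, whatever separator was used."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(expected, fdb_csv):
    """List tracked MACs that are absent or seen away from their assigned port."""
    seen = {}
    for row in csv.DictReader(io.StringIO(fdb_csv)):
        where = (row["switch"].strip(), row["port"].strip())
        seen.setdefault(normalize_mac(row["mac"]), set()).add(where)
    findings = []
    for mac, home in sorted(expected.items()):
        mac = normalize_mac(mac)
        locations = seen.get(mac, set())
        if not locations:
            findings.append((mac, "missing", home, None))
        # Untracked MACs are ignored: other devices may use any port.
        for loc in sorted(locations - {home}):
            findings.append((mac, "moved", home, loc))
    return findings

if __name__ == "__main__":
    for mac, status, home, loc in audit(EXPECTED, FDB_SAMPLE):
        print(f"{mac} {status}: assigned {home}, seen at {loc}")
```

A per-port check of ABC-IDF-1 2:2 would only show an unrelated MAC there; keying the audit on the tracked MAC is what reveals that the phone is now on 2:5.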