Mac based port security and removing / modifying configuration
06-07-2018 01:31 PM
Sometimes we will use the following Cisco commands on a port, for example:
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security mac-address sticky 484d.7e00.0000 vlan access
switchport port-security mac-address sticky 0004.f200.0001 vlan voice
Really we just type in the first two lines, and the switch automatically fills in the lines with the MAC addresses as they are learned. If you plug a different device in, the port shuts down. If you plug one of those devices into a different port on the switch, the port shuts down. When moving or swapping devices we just issue a no in front of the command with the MAC address we want to remove, after the cable is unplugged.
So I have a laptop here with two USB NICs and I just want to try the EXOS equivalent of this, but limit it to learning one MAC address, so I can verify with my second NIC that the port will shut down.
I first found this on the GTAC KB:
configure port 2 vlan Default limit-learning 1 action stop-learning
However, I get a network connection with either USB NIC and successful pings. So it doesn't appear to be stopping anything.
Then I found this one on the GTAC KB:
configure mac-locking ports 2 first-arrival limit-learning 1
However the first command above is still on port 2 on this test switch, see below:
* X450G2-24p-G4.102 # sh configuration | grep learning
configure port 2 vlan Default limit-learning 1 action stop-learning
configure mac-locking ports 2 first-arrival limit-learning 1
How can I make the first line "go away"? I tried unconfigure port 2 vlan Default limit-learning 1 action stop-learning and it was invalid.
Also, can you steer me in the right direction on how to accomplish (and maintain) the equivalent Cisco feature on EXOS?
I eventually want to get this working in Netsight under Control with our NAC VM. We're a very new install and though I have stuff in there on this test switch, it doesn't block traffic. I'm envisioning an easy-to-use and easy-to-maintain place for the entire IT department of 6 to go in and add or remove MAC addresses to a list. Basically, if your MAC address is in that list, you are on the network. If not, the port goes dead.
Thanks!
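As an added example (not from the thread, and not Extreme's own tooling), a small Python audit that parses lines in the shape of the "show configuration | grep learning" output quoted above and flags ports where a per-VLAN limit-learning entry and a port-level mac-locking entry coexist, which is exactly the state port 2 ended up in. The two quoted lines are reused as-is; the lines for ports 5 and 7 are constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample of "show configuration | grep learning" output. The first two
# lines are the ones quoted in the question; ports 5 and 7 are made up for contrast.
SAMPLE_CONFIG = """\
configure port 2 vlan Default limit-learning 1 action stop-learning
configure mac-locking ports 2 first-arrival limit-learning 1
configure mac-locking ports 5 first-arrival limit-learning 2
configure port 7 vlan Voice limit-learning 3 action stop-learning
"""

# Per-port, per-VLAN limit (the "configure port ... vlan ... limit-learning" form).
VLAN_LIMIT = re.compile(
    r"^configure ports? (\S+) vlan (\S+) limit-learning (\d+)(?: action (\S+))?$"
)
# Port-wide MAC locking (the "configure mac-locking ports ..." form).
MAC_LOCK = re.compile(r"^configure mac-locking ports (\S+) (\S+) limit-learning (\d+)$")

EMPTY = {"vlan_limits": [], "mac_locking": []}


def parse_learning_config(text):
    """Group learning limits by port:
    {port: {"vlan_limits": [(vlan, limit, action)], "mac_locking": [(mode, limit)]}}."""
    ports = defaultdict(lambda: {"vlan_limits": [], "mac_locking": []})
    for raw in text.splitlines():
        line = raw.strip()
        if m := VLAN_LIMIT.match(line):
            port, vlan, limit, action = m.groups()
            ports[port]["vlan_limits"].append((vlan, int(limit), action or "default"))
        elif m := MAC_LOCK.match(line):
            port, mode, limit = m.groups()
            ports[port]["mac_locking"].append((mode, int(limit)))
    return dict(ports)


def overlapping_ports(ports):
    """Ports carrying both mechanisms at once, as port 2 does in the question."""
    return sorted(p for p, c in ports.items() if c["vlan_limits"] and c["mac_locking"])


def effective_limit(ports, port):
    """Smallest configured learning limit on a port, or None if nothing restricts it."""
    cfg = ports.get(port, EMPTY)
    limits = [lim for _, lim, _ in cfg["vlan_limits"]]
    limits += [lim for _, lim in cfg["mac_locking"]]
    return min(limits) if limits else None
```

Run it over a real dump saved to a file to get a per-port inventory before deciding which of the two entries to remove.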
12-30-2020 09:45 PM
Hello,
For EOS devices, how do I configure sticky learning mode on a port?
Best regards!
03-20-2019 01:31 AM
We have a reason to allow 2 MACs (many PCs are connected through a Polycom phone), or in some cases multiple MACs (like someone running VMware Workstation with multiple machines).
I really hope someone has a way to easily replicate this Cisco bread-and-butter functionality on XOS. I have some older Cisco switches in some access closets hitting EOL soon and although I would consider replacing them with Extreme switches, the lack of MAC-based port security has me looking at new Catalyst 9300s. Don't get me wrong, we love our Extreme switches at the core, which do all of our L3, OSPF and aggregation.
10-16-2019 05:39 PM
We are still looking for an easy way to bind MAC addresses (either 1 or multiple) to ports, so that other devices will not connect to that port if connected to it, or in line... or people just can't move ports without us easily resetting that binding.
We have a lot of Cisco 3750X series, going EOL in 2021. We have a lot of money to invest in switching in the next 3 years, and with no response on this I think I will cross-shop Cisco and Arista instead of Cisco and Extreme.
It's sad there is a lack of participation here and a complete, utter disregard for the customer.
06-07-2018 03:25 PM
Your timing is impeccable because I am working on MAC locking with another customer in our lab. Based on the configuration it looks like the configure port command is on a per-port and per-VLAN basis, where MAC locking is done at the overall port level and you can log and trap if you want.
I will let you know more info once I find it during my testing.
