Vlan MAC Limit

mkraft
New Contributor

Hi,

We want to set a MAC limit (1) on a VLAN on a port. The MAC is to be permanently configured, and every packet that does not come from that MAC on the VLAN is to be discarded and not forwarded or otherwise stored/recorded. Of course there are other VLANs on the port, which should not be affected by this.

 

Idea: 

# create fdb <MAC> vlan <VLAN> ports <PORT>
# configure ports <PORT> vlan <VLAN> limit-learning 0 action stop-learning

 

Question: can we create an ACL for this? And if yes, what would it look like?

 

many thx in advance 🙂

 

1 ACCEPTED SOLUTION

Stefan_K_
Valued Contributor

I believe this is a switch uplink?

If you use an ACL you don’t need to limit learning and so on. An ACL could look like this:

entry permit_MAC {
    if match any {
        ethernet-source-address xx:xx:xx:xx:xx:xx;
        ethernet-destination-address xx:xx:xx:xx:xx:xx;
    } then {
        permit;
    }
}

entry block_all {
    if {
    } then {
        deny;
    }
}

The ACL must be applied to the specific VLAN. I didn't test it.

In order to help you better, more information is necessary. If we know what you are trying to achieve and why, we might find a better solution. Maybe we even have an XY problem.
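One detail worth checking before deploying a policy like the one above: in an EXOS policy file, `if match any` ORs the conditions inside the braces, whereas the default `if { ... }` (match all) ANDs them, and a frame that matches no entry at all is permitted, which is why the trailing empty-match deny entry is there. With `match any` over both the source and the destination address, a frame from any other station that is merely addressed to the allowed MAC is also permitted, which is not what the question asked for. The following is an added example, not code from the thread or from Extreme Networks: a small evaluator with these first-match semantics, run over constructed frames against the posted policy, a source-only variant, and the posted policy without its final deny. The MAC addresses and frames are made up for the demonstration.

```python
"""Toy evaluator for EXOS-style policy-file ACL entries.

Added example, not code from the thread or from Extreme Networks: it models
first-match evaluation, `match any` (OR of the conditions) versus the default
`match all` (AND), and the implicit permit when no entry matches, which is why
the posted policy ends with an empty-match deny entry.  All MAC addresses and
frames below are constructed.
"""
from dataclasses import dataclass, field

ALLOWED_MAC = "00:11:22:33:44:55"   # constructed: the one MAC the VLAN should carry
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Entry:
    name: str
    action: str                                     # "permit" or "deny"
    match_mode: str = "all"                         # EXOS default is "all"
    conditions: dict = field(default_factory=dict)  # policy field -> MAC


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


def entry_matches(entry, frame):
    """Empty `if { }` matches everything; otherwise AND/OR the conditions."""
    if not entry.conditions:
        return True
    fields = {"ethernet-source-address": frame.src.lower(),
              "ethernet-destination-address": frame.dst.lower()}
    results = [fields[key] == mac.lower() for key, mac in entry.conditions.items()]
    return any(results) if entry.match_mode == "any" else all(results)


def evaluate(policy, frame):
    """First matching entry wins; with no match at all the frame is permitted."""
    for entry in policy:
        if entry_matches(entry, frame):
            return entry.action
    return "permit"


# The policy as posted: either address equal to the MAC is enough to permit.
POSTED_POLICY = [
    Entry("permit_MAC", "permit", "any",
          {"ethernet-source-address": ALLOWED_MAC,
           "ethernet-destination-address": ALLOWED_MAC}),
    Entry("block_all", "deny"),
]

# Source-only variant: only frames sent by the allowed MAC are permitted.
SOURCE_ONLY_POLICY = [
    Entry("permit_MAC", "permit", "all",
          {"ethernet-source-address": ALLOWED_MAC}),
    Entry("block_all", "deny"),
]

# Posted policy without the final deny entry, to show the implicit permit.
NO_DENY_POLICY = POSTED_POLICY[:1]

# Constructed test frames (src, dst).
FRAMES = {
    "from_allowed_bcast": Frame(ALLOWED_MAC, BROADCAST),
    "spoof_to_allowed":   Frame("de:ad:be:ef:00:01", ALLOWED_MAC),
    "stranger_to_bcast":  Frame("de:ad:be:ef:00:02", BROADCAST),
}


def compare(policies=None, frames=FRAMES):
    """Return {policy_name: {frame_name: action}} for every policy/frame pair."""
    if policies is None:
        policies = {"posted": POSTED_POLICY,
                    "source_only": SOURCE_ONLY_POLICY,
                    "no_deny": NO_DENY_POLICY}
    return {pname: {fname: evaluate(policy, frame) for fname, frame in frames.items()}
            for pname, policy in policies.items()}


if __name__ == "__main__":
    for pname, verdicts in compare().items():
        print(pname)
        for fname, action in verdicts.items():
            print(f"  {fname:20s} -> {action}")
```

Running it shows the posted policy permitting `spoof_to_allowed` (the destination condition matched), the source-only variant denying it, and the version without `block_all` permitting everything. Two further points for the original question: a policy bound with `configure access-list <policy> vlan <vlan_name> ingress` applies to that VLAN on every port carrying it, so if only one port is meant to be constrained, a port-scoped policy or the static FDB entry plus `limit-learning 0` from the question is the closer fit; and whichever variant is used, it should be verified on the switch rather than assumed, since the posted policy was explicitly untested.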

 


3 REPLIES

mkraft
New Contributor

Hi,

Thx Stefan and Miguel. I actually don't know much about the problem (customer asking). I've just posted his question, translated. 🙂

I gave him both solutions (port security à la Cisco and the ACL). He should be happy by now.

 

Regards

Miguel-Angel_RO
Valued Contributor II

Hi Max,

 

As mentioned by @Stefan K., you should describe your use case more deeply to get a more precise solution.

For example, on ERS switches, if you perform an authentication on the port you can limit the number of concurrent MACs allowed on the port.

Regards

Mig
