Limit MAC Addresses

mhoppes

Limit MAC Addresses

Mon Apr 20, 2015 12:47 pm

I know we can limit speeds by port.... is it possible to limit the number of MAC addresses associated with one port (say if I'm handing a port off to a customer and I want to prohibit them from connecting more than X devices?)

adairw

Re: Limit MAC Addresses

Tue Apr 21, 2015 11:19 am

This would be a sweet feature and seems like it wouldn't be hard to code in if the switch chip supports it.

wayneorack

Re: Limit MAC Addresses

Tue Apr 21, 2015 11:58 am

Wouldn't they still be able to connect whatever they wanted behind their NAT router? If it was that easy, the old rusty ISPs would have done it a long time ago!

mhoppes

Re: Limit MAC Addresses

Tue Apr 21, 2015 12:03 pm

@wayneorack - Yes, that's fine. What this is designed to combat is someone connecting many devices to a switch port and overloading the MAC table in the switch/causing other issues on an EVC type of setup.

adair and I are both on the same page here..... Chris is going to curse and swear though :P

wayneorack

Re: Limit MAC Addresses

Tue Apr 21, 2015 12:16 pm

mhoppes wrote: @wayneorack - Yes, that's fine. What this is designed to combat is someone connecting many devices to a switch port and overloading the MAC table in the switch/causing other issues on an EVC type of setup.


Duh! Thanks!

mhoppes wrote:.... Chris is going to curse and swear though :P


I like a good show! :popc:

lligetfa

Re: Limit MAC Addresses

Tue Apr 21, 2015 12:42 pm

wayneorack wrote: Wouldn't they still be able to connect whatever they wanted behind their NAT router? If it was that easy, the old rusty ISPs would have done it a long time ago!

That is an old cat-and-mouse game. You counter by setting TTL to 1. They counter by incrementing TTL on their router. You counter with 802.1X...

On my last job I had a problem where people were buying cheap switches and shoving them under their desk to connect printers they were not supposed to have. I also had IT coworkers (programmers) that thought they were network x-spurts buying cheap switches to add more ports. Another problem I had was unauthorized and undocumented moves. It was a chore to hunt down where the equipment was moved to.

I got tired of playing whack-a-mole, hunting the rogues down and planned to limit the switch ports to just one MAC to begin with and then later to lock it down so the MAC could not be moved by anyone but me. That was about the time all my coworkers got laid off and I didn't have the time to implement it. Also my budget got cut so I could not replace the old switches that would not support it.

mhoppes

Re: Limit MAC Addresses

Tue Apr 21, 2015 12:55 pm

There's another perfect use of it, Les. I had not even thought about that, but yes allowing only a specific MAC to attach (for example if I'm demarcing to a customer and want to limit what they may plug into a port)... or let's say at a shared tower site where the switch is not in an enclosure... I might disable all ports and MAC lock active ports so if someone plugs something else in they can't access the network.

wayneorack

Re: Limit MAC Addresses

Tue Apr 21, 2015 2:31 pm

mhoppes wrote:)... or let's say at a shared tower site where the switch is not in an enclosure...


I think leaving the high amperage 48 VDC POE on all the time will fix that!

mhoppes

Re: Limit MAC Addresses

Tue Apr 21, 2015 2:33 pm

That's the current solution... no pun.

lligetfa

Re: Limit MAC Addresses

Tue Apr 21, 2015 3:20 pm

wayneorack wrote:
mhoppes wrote:)... or let's say at a shared tower site where the switch is not in an enclosure...


I think leaving the high amperage 48 VDC POE on all the time will fix that!

That is like the ECM that SAT TV used to do to fry bootleg cards.

On my last job I had my Fluke NMS email me when a rogue MAC showed up on my network. With the Fluke WGA I could do a trace switchroute and find what port they connected on and disable the port and grab my walking stick I kept behind the door.
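
Added example, not part of any post in this thread and not code from any switch or NMS vendor: a monitoring-side audit of the two controls discussed above, a per-port MAC count limit and a per-port MAC lock. The table format, the `MAX_MACS` and `LOCKED` policy names, and all addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (port, MAC) pairs as an NMS might poll them from a
# switch forwarding table. Format and values are made up for illustration.
SAMPLE_FDB = """\
port  mac
1     00:11:22:33:44:01
2     00:11:22:33:44:02
2     00:11:22:33:44:03
2     00:11:22:33:44:04
3     00:11:22:33:44:99
"""

# Hypothetical policy: per-port MAC limit and, for locked ports, the only
# MACs allowed to appear there.
MAX_MACS = {"1": 1, "2": 2, "3": 1}
LOCKED = {"1": {"00:11:22:33:44:01"}, "3": {"00:11:22:33:44:05"}}


def parse_fdb(text):
    """Return {port: set of lower-cased MACs}, skipping the header line."""
    table = defaultdict(set)
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) == 2:
            table[fields[0]].add(fields[1].lower())
    return table


def audit(table, max_macs, locked, default_limit=1):
    """Return sorted (port, reason, detail) findings."""
    findings = []
    for port, macs in table.items():
        limit = max_macs.get(port, default_limit)
        if len(macs) > limit:
            # More devices learned on the port than the hand-off allows.
            findings.append((port, "over-limit", f"{len(macs)} > {limit}"))
        if port in locked:
            # Any MAC outside the port's allowlist is reported individually.
            for mac in sorted(macs - locked[port]):
                findings.append((port, "rogue-mac", mac))
    return sorted(findings)


if __name__ == "__main__":
    for port, reason, detail in audit(parse_fdb(SAMPLE_FDB), MAX_MACS, LOCKED):
        print(f"port {port}: {reason} ({detail})")
```

An audit like this only reports after the fact; enforcement on the port itself still depends on the switch chip supporting it, as noted earlier in the thread.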
