Limit MAC Addresses
-
wayneorack - Experienced Member
- Posts: 129
- Joined: Thu Sep 04, 2014 12:16 pm
- Location: San Angelo, TX
- Has thanked: 188 times
- Been thanked: 64 times
-
mhoppes - Associate
- Posts: 664
- Joined: Thu Apr 10, 2014 9:14 pm
- Location: Pennsylvania
- Has thanked: 10 times
- Been thanked: 125 times
Re: Limit MAC Addresses
So we never heard from the switch guys... is this possible?
-
MonkeyDan - Member
- Posts: 4
- Joined: Thu Sep 03, 2015 12:34 pm
- Location: San Francisco, CA
- Has thanked: 2 times
- Been thanked: 0 time
Re: Limit MAC Addresses
We'd be interested in this feature too, if possible.
-
sirhc - Employee
- Posts: 7416
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Limit MAC Addresses
If we put this feature in (if it can be done) what prevents the customer from using a NAT Router and by-passing this?
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
lligetfa - Associate
- Posts: 1191
- Joined: Sun Aug 03, 2014 12:12 pm
- Location: Fort Frances Ont. Canada
- Has thanked: 307 times
- Been thanked: 381 times
Re: Limit MAC Addresses
NAT would keep the MAC table size down unless the sub gets jiggy with proxy ARP.
mhoppes wrote:@wayneorack - Yes, that's fine. What this is designed to combat is someone connecting many devices to a switch port and overloading the MAC table in the switch/causing other issues on an EVC type of setup...
-
mhoppes - Associate
- Posts: 664
- Joined: Thu Apr 10, 2014 9:14 pm
- Location: Pennsylvania
- Has thanked: 10 times
- Been thanked: 125 times
Re: Limit MAC Addresses
Exactly - a NAT router is fine, that solves the issue being taken care of here.
If I hand off a port to a customer and limit it to one MAC address, I don't care if they connect a single computer, router, or a NAT firewall with 50 devices behind it. What I want to stop is the customer connecting 50 devices to the switched transport network.
-
sirhc - Employee
- Posts: 7416
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Limit MAC Addresses
mhoppes wrote:Exactly - a NAT router is fine, that solves the issue being taken care of here.
If I hand off a port to a customer and limit it to one MAC address, I don't care if they connect a single computer, router, or a NAT firewall with 50 devices behind it. What I want to stop is the customer connecting 50 devices to the switched transport network.
Can't you limit this at the router level?
We VLAN each switch port to a virtual sub interface on the router so when you do this and if you only assign a /30 sub-net to that interface they can only have a single device connected as they can not get anywhere without a valid IP?
I try VERY HARD to limit Layer 2 Access to my network and when they do get layer 2 access they are on a virtual interface with only them and their sub-net.
-
mhoppes - Associate
- Posts: 664
- Joined: Thu Apr 10, 2014 9:14 pm
- Location: Pennsylvania
- Has thanked: 10 times
- Been thanked: 125 times
Re: Limit MAC Addresses
Yes, the customer is VLANed, but that doesn't stop them from being able to connect many multiple devices.
-
sirhc - Employee
- Posts: 7416
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: Limit MAC Addresses
mhoppes wrote:Yes, the customer is VLANed, but that doesn't stop them from being able to connect many multiple devices.
Matt, if the Customer is VLAN'ed all the way back to the router he dumps out onto a virtual interface that he shares with no other user.
If you only assign a single subnet to that "virtual" interface in the router then he can only connect a single unit.
For instance if you assign a subnet of: 200.200.200.0/30 to that virtual interface he can only connect a single device if he wants to actually do anything which would be IP address 200.200.200.200.2 with a gateway of 200.200.200.1 with a subnet of 255.255.255.252
-
mhoppes - Associate
- Posts: 664
- Joined: Thu Apr 10, 2014 9:14 pm
- Location: Pennsylvania
- Has thanked: 10 times
- Been thanked: 125 times
Re: Limit MAC Addresses
That doesn't stop him from connecting other devices and polluting the MAC table though, or in the case of an EVC connecting two locations, the customer may try to push their entire network down the pipe converging 500 or more MAC addresses on the interface.
Plus, let's say I want to do access control. I may want to limit access on a switch port to only a single MAC address that I lock down so someone can't plug another device in.
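A small model of the two controls debated in this thread, added here as an illustration; it was not posted by any participant and is not the switch's firmware logic. It replays constructed frames through a port with and without a learned-MAC limit and applies the /30 check at the router, assuming hypothetical names (`Port`, `replay`, `make_mac`) and made-up MAC addresses.

```python
import ipaddress

# The /30 from the thread; everything else below is constructed sample data.
CUSTOMER_NET = ipaddress.ip_network("200.200.200.0/30")

class Port:
    """One customer-facing switch port with an optional learned-MAC limit."""
    def __init__(self, mac_limit=None):
        self.mac_limit = mac_limit
        self.learned = set()      # MAC table entries attributable to this port
        self.violations = 0       # frames dropped because the limit was reached

    def ingress(self, src_mac):
        """Learn src_mac on ingress; return True if the frame is forwarded."""
        if src_mac in self.learned:
            return True
        if self.mac_limit is not None and len(self.learned) >= self.mac_limit:
            self.violations += 1  # over the limit: drop and do not learn
            return False
        self.learned.add(src_mac)
        return True

def routable(src_ip):
    """Layer 3 check at the router sub-interface: is the source inside the /30?"""
    return ipaddress.ip_address(src_ip) in CUSTOMER_NET

def replay(frames, mac_limit=None):
    """Feed (src_mac, src_ip) frames in; return (MACs learned, violations, frames routed)."""
    port, routed = Port(mac_limit), 0
    for mac, ip in frames:
        # The switch learns the source MAC before the router ever sees the IP.
        if port.ingress(mac) and routable(ip):
            routed += 1
    return len(port.learned), port.violations, routed

def make_mac(i):
    """Constructed locally administered MAC for sample host i."""
    return "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)

# NAT router: 50 frames, all with the router's one MAC and its /30 address.
nat_frames = [(make_mac(1), "200.200.200.2")] * 50
# Bridged LAN: 50 hosts with their own MACs; only host 1 holds the /30 address.
bridged_frames = [(make_mac(i), "200.200.200.2" if i == 1 else "192.168.1.%d" % i)
                  for i in range(1, 51)]

if __name__ == "__main__":
    for name, frames in (("NAT router", nat_frames), ("bridged LAN", bridged_frames)):
        for limit in (None, 1):
            print(name, "limit=%s" % limit, replay(frames, limit))
```

With no limit the bridged LAN still puts 50 entries in the MAC table even though the /30 lets only one host route; with a limit of one, the table holds a single entry and the other 49 hosts show up as violations, while the NAT router is unaffected either way.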