Posted on June 20, 2019 7:52 pm
 |  Asked by paul rattu
Print Friendly, PDF & Email

Hi everyone. I’m trying to block multiple mac addresses from connecting to our network via Ethernet. Is it possible to block the MAC address on the switch itself? I have an s4810 switch

Posted by Alexis Dacquay
Answered on June 20, 2019 9:52 pm

Are you asking Arista about a Force10 switch?
Nevertheless, you can use a Layer2 MAC ACL to filter MAC addresses (mac access-list), or use MAC Port-security to allow a certain amount of dynamically learnt MAC addresses, and after that all the others would be blocked.
What Arista switch model are you using?
Can you detail your use case?

Posted by Aesha Parikh
Answered on June 20, 2019 10:14 pm

Hi Paul,

I do not identify s4810 platform. Below are platform independent approaches on any arista switches to block mac addresses. There are 2 ways I can think of.

1. Use statically configured MAC ACL to deny access to the ethernet port
switch(config)#mac access-list mac-filter
switch(config-mac-acl-mac-filter)#permit 10.1000.0000 0.0.FFFF any arp

Command Syntax
default permit SOURCE_ADDR DEST_ADDR [PROTOCOL] [log]
• SEQ_NUM Sequence number assigned to the rule. Options include:
• SOURCE_ADDR and DEST_ADDR source and destination address filters. Options include:
• mac_address mac_mask MAC address and mask
• any Packets from all addresses are filtered.
mac_address specifies a MAC address in 3×4 dotted hexadecimal notation
mac_mask specifies a MAC address mask in 3×4 dotted hexadecimal notation
• 0 bits require an exact match to filter
• 1 bits filter on any value

Check config manual for more details

2. Use port-security with protect mode to allow only first learned mac addresses until maximum allowed number is reached and then blocking any new ones. This is done by creating a dynamic MAC ACL.
Arista(config)# interface Et3/1
Arista(config-if-Et3/1)# switchport port-security violation maximum 5
Arista(config-if-Et3/1)# switchport port-security violation protect

In the above example, mac addresses will be put in allowed list in mac acl and after 5 mac addresses, all new mac addresses will be blocked.


Posted by paul rattu
Answered on June 21, 2019 6:34 pm

My mistake! This question was meant for Arista EOS, I mixed myself up with the s4810. Thanks for the suggestions, I’ll try them out immediately.

Posted by james Douglas
Answered on June 26, 2019 1:22 am

followup to this question…i can write this to each of my switches themselves or do i need cvp or some other tool like ansible to manage the mac addresses allowed

Post your Answer

You must be logged in to post an answer.