Posted on June 20, 2019 7:52 pm
 |  Asked by paul rattu
 |  123 views
0
0

Hi everyone. I’m trying to block multiple mac addresses from connecting to our network via Ethernet. Is it possible to block the MAC address on the switch itself? I have an s4810 switch

0
Posted by Alexis Dacquay
Answered on June 20, 2019 9:52 pm

Hi,
Are you asking Arista about a Force10 switch?
Nevertheless, you can use a Layer 2 MAC ACL to filter MAC addresses (mac access-list), or use MAC port-security to allow a certain number of dynamically learnt MAC addresses, after which all the others would be blocked.
What Arista switch model are you using?
Can you detail your use case?

0
Posted by Aesha Parikh
Answered on June 20, 2019 10:14 pm

Hi Paul,

I do not identify the s4810 platform. Below are platform-independent approaches on any Arista switches to block MAC addresses. There are 2 ways I can think of.

1. Use a statically configured MAC ACL to deny access to the Ethernet port
switch(config)#mac access-list mac-filter
switch(config-mac-acl-mac-filter)#permit 10.1000.0000 0.0.FFFF any arp

Command Syntax
[SEQ_NUM] permit SOURCE_ADDR DEST_ADDR [PROTOCOL] [log]
no permit SOURCE_ADDR DEST_ADDR [PROTOCOL] [log]
default permit SOURCE_ADDR DEST_ADDR [PROTOCOL] [log]
Parameters
• SEQ_NUM Sequence number assigned to the rule. Options include:
• SOURCE_ADDR and DEST_ADDR source and destination address filters. Options include:
• mac_address mac_mask MAC address and mask
• any Packets from all addresses are filtered.
mac_address specifies a MAC address in 3×4 dotted hexadecimal notation
(hhhh.hhhh.hhhh)
mac_mask specifies a MAC address mask in 3×4 dotted hexadecimal notation
(hhhh.hhhh.hhhh)
• 0 bits require an exact match to filter
• 1 bits filter on any value

Check config manual for more details
https://www.arista.com/assets/data/pdf/user-manual/um-books/EOS-4.22.0F-Manual.pdf

2. Use port-security with protect mode to allow only the first learned MAC addresses until the maximum allowed number is reached, and then block any new ones. This is done by creating a dynamic MAC ACL.
Arista(config)# interface Et3/1
Arista(config-if-Et3/1)# switchport port-security maximum 5
Arista(config-if-Et3/1)# switchport port-security violation protect

In the above example, MAC addresses will be put in the allowed list in the MAC ACL, and after 5 MAC addresses all new MAC addresses will be blocked.
https://eos.arista.com/eos-4-15-3f/portsec/

Thanks,
Aesha
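
A small offline checker for the MAC ACL approach above, so the mask semantics (0 bits = exact match, 1 bits = wildcard) can be verified before the ACL is pushed to a switch. This is an added example, not Arista's code or anything from this thread; it assumes short hex groups such as 10.1000.0000 are zero-padded to 0010.1000.0000 and that an unmatched frame hits an implicit deny.

```python
import re

MAC_BITS = 0xFFFF_FFFF_FFFF


def parse_mac(text):
    """Parse EOS 3x4 dotted-hex notation (hhhh.hhhh.hhhh) into a 48-bit int.
    Assumption (not stated on the page): short groups like 10.1000.0000 are
    zero-padded on the left, i.e. read as 0010.1000.0000."""
    groups = text.lower().split(".")
    if len(groups) != 3 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError(f"bad MAC address or mask: {text!r}")
    return int("".join(g.zfill(4) for g in groups), 16)


def addr_matches(addr_filter, mac):
    """'any' matches everything. Otherwise, per the manual: mask bits that are 0
    must match the rule address exactly, mask bits that are 1 match any value."""
    if addr_filter == "any":
        return True
    base, mask = (parse_mac(part) for part in addr_filter.split())
    exact = mask ^ MAC_BITS  # bits the frame must match exactly
    return (mac & exact) == (base & exact)


# Constructed ACL: one host-level deny placed before the answer's example rule,
# to show that rule order matters. Each rule is
# (action, source filter, destination filter, protocol or "any").
MAC_FILTER = [
    ("deny", "0010.1000.0001 0.0.0", "any", "any"),  # constructed: block one host
    ("permit", "10.1000.0000 0.0.FFFF", "any", "arp"),  # the answer's example rule
]


def evaluate(acl, src, dst, protocol):
    """Return the action for a frame: first matching rule wins; a frame that
    matches no rule is denied (assumed implicit deny at the end of the ACL)."""
    s, d = parse_mac(src), parse_mac(dst)
    for action, src_filter, dst_filter, proto in acl:
        if addr_matches(src_filter, s) and addr_matches(dst_filter, d) \
                and proto in ("any", protocol):
            return action
    return "deny"


if __name__ == "__main__":
    for frame in [("0010.1000.abcd", "ffff.ffff.ffff", "arp"),
                  ("0010.1000.0001", "ffff.ffff.ffff", "arp"),
                  ("0010.1001.abcd", "ffff.ffff.ffff", "arp"),
                  ("0010.1000.abcd", "ffff.ffff.ffff", "ip")]:
        print(frame, "->", evaluate(MAC_FILTER, *frame))
```

Only ARP from 0010.1000.xxxx (minus the one denied host) gets through; everything else, including IP from the permitted range, falls to the implicit deny, which is worth checking before applying such an ACL to a production port.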

0
Posted by paul rattu
Answered on June 21, 2019 6:34 pm

My mistake! This question was meant for Arista EOS, I mixed myself up with the s4810. Thanks for the suggestions, I’ll try them out immediately.

0
Posted by james Douglas
Answered on June 26, 2019 1:22 am

Follow-up to this question… can I write this to each of my switches themselves, or do I need CVP or some other tool like Ansible to manage the MAC addresses allowed?
