On 12/03/2019 03:34 AM, Richard Laager wrote:
> On 12/2/19 10:30 AM, Steve Howard wrote:
>> If supported by the remote switch, enforce a specific MAC address
>> requirement on the MICE VLAN for remote switches.
> I'm not 100% sure I follow your example here.
>
> Enforcing a single MAC address is straightforward if the only things
> plugged into the non-dedicated switch (on the "downstream" side) are
> routers. But what happens if hypothetically Wiktel and Paul Bunyan want
> to exchange an Ethernet circuit VLAN over the CNS switch? The CNS switch
> is going to see more than just our router MAC addresses. CNS can't limit
> us to one MAC on a per-port basis.
>
> Are you saying that a remote switch would use a layer 2 ACL to limit the
> source MAC transmitting into the MICE VLAN while allowing other MACs on
> other VLANs? Is this a relatively common feature? Is this something that
> you feel would be reasonable to _require_ of a non-dedicated switch?


I was thinking of Cisco's port-security feature for the CNS remote.  That would limit each VLAN to specific mac address(es).  Per Andrew's message, I believe this feature is available from other manufacturers. 

Below is an example config that I installed on the CNS remote for testing.  I think requiring something like this would provide a reasonable balance between protecting the exchange and allowing a switch to be non-dedicated.  Additionally, I'd be in favor of mac-address restrictions on all of the MICE switches whether dedicated or not.

interface Ethernet1/40
  description Test
  switchport mode trunk
  mtu 9216
  switchport port-security maximum 5
  switchport port-security
  switchport port-security mac-address AAAA.AAAA.AAAA vlan 847
  switchport port-security mac-address AAAA.AAAA.AA01 vlan 1067
  switchport port-security mac-address AAAA.AAAA.AA02 vlan 1068
  switchport port-security mac-address AAAA.AAAA.AA03 vlan 1068
  switchport port-security mac-address AAAA.AAAA.AA04 vlan 1068
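An added example (mine, not from the thread or from MICE): a small Python audit that parses port-security stanzas in the form above and flags any port where port-security is not enabled, the configured maximum is below the number of pinned addresses, or the exchange VLAN (847 in Steve's test config) is not pinned to exactly one MAC. The second interface in the sample is constructed to show violations, and the three checks are my assumption of what a "require this of non-dedicated switches" rule would verify.

```python
import re
from collections import defaultdict
# Constructed sample: the thread's stanza plus a second, deliberately non-compliant port.
SAMPLE_CONFIG = """\
interface Ethernet1/40
  description Test
  switchport mode trunk
  mtu 9216
  switchport port-security maximum 5
  switchport port-security
  switchport port-security mac-address AAAA.AAAA.AAAA vlan 847
  switchport port-security mac-address AAAA.AAAA.AA01 vlan 1067
  switchport port-security mac-address AAAA.AAAA.AA02 vlan 1068
  switchport port-security mac-address AAAA.AAAA.AA03 vlan 1068
  switchport port-security mac-address AAAA.AAAA.AA04 vlan 1068
interface Ethernet1/41
  switchport mode trunk
  switchport port-security maximum 1
  switchport port-security mac-address BBBB.BBBB.BB01 vlan 1068
  switchport port-security mac-address BBBB.BBBB.BB02 vlan 1068
"""
def parse_interfaces(config):
    """{name: {"enabled": bool, "maximum": int|None, "macs": {vlan: [mac, ...]}}}"""
    interfaces, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = interfaces.setdefault(line.split(None, 1)[1],
                  {"enabled": False, "maximum": None, "macs": defaultdict(list)})
        elif cur is None:
            continue                                  # text outside any interface
        elif line == "switchport port-security":
            cur["enabled"] = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            cur["maximum"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security mac-address (\S+) vlan (\d+)", line):
            cur["macs"][int(m.group(2))].append(m.group(1).upper())
    return interfaces

def audit(interfaces, exchange_vlan):
    """(interface, problem) pairs; an empty list means every port meets the policy."""
    findings = []
    for name, cfg in interfaces.items():
        if not cfg["enabled"]:
            findings.append((name, "port-security not enabled"))
        pinned = sum(len(v) for v in cfg["macs"].values())
        if cfg["maximum"] is not None and cfg["maximum"] < pinned:
            findings.append((name, f"maximum {cfg['maximum']} < {pinned} pinned MACs"))
        if (n := len(cfg["macs"].get(exchange_vlan, []))) != 1:
            findings.append((name, f"VLAN {exchange_vlan} has {n} MACs, expected exactly 1"))
    return findings
```

Run it against a `show running-config` export to get a per-port list of deviations; Ethernet1/40 above passes, Ethernet1/41 produces three findings.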



