On Dec 3, 2019, at 3:34 AM, Richard Laager <[log in to unmask]> wrote:
>
> Enforcing a single MAC address is straightforward if the only thing
> plugged into the non-dedicated switch (on the "downstream" side) are
> routers. But what happens if hypothetically Wiktel and Paul Bunyan want
> to exchange an Ethernet circuit VLAN over the CNS switch? The CNS switch
> is going to see more than just our router MAC addresses. CNS can't limit
> us to one MAC on a per-port basis.

Juniper QFX and MX have options for limiting the number of MAC addresses per logical interface and/or VLAN. A quick scrub of other common vendors (Cisco, Arista) have the same.

I wouldn’t see it as unreasonable to *require* a remote switch operator by whatever means necessary to enforce a one MAC address limit on their extension switch per logical participant handoff.
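
A sketch of the Junos per-logical-interface MAC limit referred to in the message above, added here as an illustration and not taken from the original post or from any participant's configuration. The interface names, the `PEERING` VLAN and bridge-domain names are placeholders, and the statements assume an ELS-software QFX and an MX bridge domain.

```junos
# QFX (ELS software): allow one learned MAC on a logical interface and
# drop frames arriving from any additional source address.
set switch-options interface xe-0/0/10.0 interface-mac-limit 1
set switch-options interface xe-0/0/10.0 interface-mac-limit packet-action drop

# QFX (ELS software): the same limit scoped to a single VLAN on that
# interface, so each VLAN handed to the participant is limited separately.
set vlans PEERING switch-options interface xe-0/0/10.0 interface-mac-limit 1
set vlans PEERING switch-options interface xe-0/0/10.0 interface-mac-limit packet-action drop

# MX: limit one logical interface (unit) inside a bridge domain.
set bridge-domains PEERING bridge-options interface ge-1/0/0.100 interface-mac-limit 1
set bridge-domains PEERING bridge-options interface ge-1/0/0.100 interface-mac-limit packet-action drop
```

Because the limit attaches to the logical interface or to an interface within a VLAN, a participant-to-participant circuit VLAN can sit on its own unit or VLAN with its own limit, separate from the peering handoff that is held to one MAC.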