Hello,
Is it possible to limit the number of learned MAC addresses per interface like with Cisco’s switchport port-security maximum or mac-address-table limit commands?
I do not know whether you are talking about switch chip features (there you could not limit the table):
http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features
For the regular Ethernet interfaces you can disable ARP and build the ARP table manually.
I still would like to have the ARP table built dynamically.
Most wireless equipment I currently use from Redline, Motorola, Waverider, Airspan, etc. operates as bridges and all have the ability to limit the number of MAC addresses learned on the customer-facing interface. I’m looking to emulate this functionality with MikroTik.
Is this possible?
What would you want to happen when it hits the max? Expire old ARPs and allow new ones in, or assume all the ones currently on at that moment to be static? You could use a script to do this same thing, depending on how you want to implement it.
Some equipment I have expires old entries and allows the new entries, and some equipment retains learned hosts while not allowing new hosts to receive access once the limit is hit.
It would be nice to have the flexibility to go either route.
You could have a script that just counts the number of ARP entries and changes the interface to allow / disallow ARPs on that threshold. Run the script every few seconds and it should be good to go?
:if ([:len [/ip arp find interface="0-inside"]] > 30) do={
    /interface ethernet set "0-inside" arp=disabled
} else={
    /interface ethernet set "0-inside" arp=enabled
}
pseudo code, not tested, but you get the idea…
I need this feature, Cisco’s port security to limit the number of Mac addresses learned … any development on this?
Hi Guys
We also require this feature on the switch chip, basically to only allow the number of MACs configured on a port; for any new devices connected, the switch chip just drops the traffic.
This is possible on switch chips that are capable of ACL rules, you can find examples using CRS3xx and non-CRS1xx/CRS2xx devices here:
https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Port_Security
OK, but I need to allow 1 non-specific MAC on the interface (to prevent users connecting a switch and expanding the LAN) once the port comes up. Setting a specific MAC in the host table is not a solution for me.
Since many routers do not use a switch chip but bridges instead, this solution may work:
:local iface "ether1"
:if ([:len [/interface bridge host find where on-interface=$iface]] > 30) do={
    /interface ethernet set $iface arp=disabled
} else={
    /interface ethernet set $iface arp=enabled
}
PS not tested.
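The two scripts in this thread only toggle ARP, which affects the router's own IP interface and not what the bridge learns from a port. The following RouterOS script is an added example, not code from any poster in this thread or from MikroTik, and it instead counts dynamic bridge host entries per port and disables the port when a limit is exceeded (the "keep learned hosts, lock out new ones" behaviour from earlier in the thread). The bridge name "bridge1", the port list and the limit of 30 are constructed values; re-enabling a locked port is left to the operator, in the same way a Cisco err-disabled port is cleared by hand.

```routeros
# Added example: per-port learned-MAC limit on a RouterOS bridge.
# Run from /system scheduler every few seconds (see usage note).
# Assumed values: bridge "bridge1", ports ether2..ether5, limit 30.
:local bridgeName "bridge1"
:local ports {"ether2";"ether3";"ether4";"ether5"}
:local maxHosts 30

:foreach port in=$ports do={
    # Count only learned (dynamic) entries for this port; the bridge's
    # own local MACs and static host entries are excluded from the count.
    :local learned [:len [/interface bridge host find where bridge=$bridgeName and on-interface=$port and dynamic=yes and local=no]]
    :if ($learned > $maxHosts) do={
        :local alreadyDisabled [/interface ethernet get [find name=$port] disabled]
        # Act once: log the event and disable the port, leaving the
        # already-learned hosts in the host table for later inspection.
        :if (!$alreadyDisabled) do={
            :log warning ("port-security: $port has $learned learned MACs (limit $maxHosts), disabling port")
            /interface ethernet disable $port
        }
    }
}
```

To run it periodically, save it as a script (for example `/system script add name=port-security source=...`) and schedule it with `/system scheduler add name=port-security interval=10s on-event=port-security`. Because a disabled port's host entries age out, the script deliberately does not re-enable ports automatically; otherwise it would flap between enabled and disabled. The `:log warning` line is also the hook to watch in `/log print` if you forward logs to a collector.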
CRS125 has that option “learn-limit” https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches#Port_Settings
I think this is not a solution, because disabling ARP on an interface in a bridge does not have any effect. But I haven’t tested it.
Thanks, this is what I need. Unfortunately, this option is only for CRS1xx/2xx series switches; the newer series (CRS3xx) doesn’t have it. And it is not included generally in the bridge options usable for all RB.
Many of us will miss the CRS 1xx/2xx switches, a lot more versatile and powerful than CRS3xx.
The sin and cause of the limited success of CRS 1xx/2xx was their complex and unique way of configuring simple things like VLANs, but the range of functionality and versatility was magnificent.
CRS3xx are simpler switches, with less functionality but simpler to configure, which makes them much more popular and successful.
Maybe in the future, when MikroTik manages to penetrate the switching market more significantly, there is space for a separate line of switches with advanced features like CRS1xx/2xx.
CRS 1xx/2xx were too good to be an introductory product.
There is no doubt CRS 3xx are much more successful than CRS1xx/2xx, making a name for MikroTik in the entry-level manageable switching market.
But https://wiki.mikrotik.com/wiki/SwOS/CRS3xx says Port Lock + Lock On First can be used under SwOS, so the hardware is capable of it - just RouterOS doesn’t support it (yet).