RB2011UAS-2HnD with latest OS/fw.
Is it possible to set static mac address for a certain switch port so that no other host/mac is allowed - much like port security?
It doesn’t seem to be possible to define a rule to drop any mac address under
/interface ethernet switch host
With host entry to drop mac 00:00:00:00:00:00 this doesn’t seem to work as a new dynamic entry is added when a new host is plugged, so this automatically allows the newcomer.
Should be a fairly simple option?
use pppoe server on that port, without any other service/ip/config
Thanks for the fast response!
Uh this should be a switchport functionality so no CPU involved…
You neeed it to MANAGE or for data only from one device?
VLAN can be one option?
I edited the first post for more clarification…
I want to drop all incoming packets with MAC other than aaaa.bbbb.cccc just like port security on e.g. cisco switch works. Switchport functionality only.
“You” can make one script… schedule it on reasonable time.
supposing ether1 is the interface you want “block”, switch1 the switch where port are linked, and aa:bb:cc:dd:ee:ff the only MAC you want accept:
:foreach i in=[/interface ethernet switch host find where mac-address!=aa:bb:cc:dd:ee:ff and ports=ether1 and dynamic=yes] do={
:local currMAC value=[/interface ethernet switch host get $i value-name=mac-address];
/interface ethernet switch host remove [find where mac-address=$currMAC and ports=ether1 and dynamic=yes];
/interface ethernet switch host add mac-address=$currMAC drop=yes ports=ether1 switch=switch1;
};
not sure if its gonna work as intended, but you could try something like
add new-vlan-priority=0 ports=etherX src-mac-address=\
01:02:03:04:05:06/01:02:03:04:05:06
add new-dst-ports="" ports=etherX src-mac-address=\
00:00:00:00:00:00/FF:FF:FF:FF:FF:FF
where 01:02:03:04:05:06 is the allowed MAC, and 2nd rule is last for the given port.
Same question as OP.
How can i set up a Cisco-like port security on MikroTik switch?
What i mean is allow only one mac on that port.
Hello, CRS1xx/2xx series switches support such feature:
https://wiki.mikrotik.com/wiki/Manual:CRS_examples#Limited_MAC_Access_per_Port
re: Cisco-like port security
FYI
I don’t want to scare anybody or post what we know - however …
We have identified some network security holes on Cisco switches
Depending on your Cisco switch configuration
If we are at an IP-Phone, we are able to:
I’m not trying to be scary - I am however stating :
Another FYI - I kinda suspect the next big world-wide network security vulnerabilities will be CPU micro-code and CPU hidden Minix code . . . (AKA - did you know your CPU processors hava a built-in hidden CPU & operating system & web browser interface ?)
Tom Jones
Thank You!
Would You care to elaborate any further?
Is this perhaps vtp related? Are static vlans affected?
Did You test the same thing on MikroTik? How did it go?
Re: Would You care to elaborate any further?
Not much at this time. I am still looking for other vulnerabilities when on Cisco switches connected to VoIP phones.
FYI - this is not specifically a Cisco thing , it is a related to but not necessarily a VoIP thing and how things are configured
Re: Is this perhaps vtp related? Are static vlans affected?
Kinda (not vtp domain related) but Vlan related
Re: Did You test the same thing on MikroTik? How did it go?
I used a Cisco switch & PC & a Mikrotik something we all have access to and might already own
North Idaho Tom Jones