Due to some software issues with SwOS, we want to move our CRS326 series switches to ROS. We use these to feed Internet to apartment units and really need the “Lock on First” and “Port Lock” features that SwOS has, which only allow a single MAC address to associate with a switch port. This prevents an apartment resident from plugging in a switch in their apartment and using dozens of our public IPs.
I don’t see any way to duplicate that feature in ROS. Am I missing a feature somewhere to allow that?
Yes, but the client might have 2 different laptops and in some cases work with one or the other… So, if you limit the MAC address that can access the network, you simply deny him the use of any other equipment he might have… So does the client know that he can only use 1 specific device and nothing else?
The client is supposed to only hook up the WAN port of their own personal router. We serve public IPs to the customers and each customer should only get one IP per apartment. That is what the lock on first and port lock feature allows. It works perfectly for us in SwOS and we are trying to duplicate that feature in ROS (due to stability issues with SwOS).
If you do this for authentication reasons, it doesn’t mean much. The MAC address can be easily changed in a router or in a computer.
You could install a PPPoE server on the network, maybe even on the CRS326. If there are few apartments, I don’t think it’s a problem for the switch processor.
Then each client logs in with the user / password.
I don’t know the MAC of each customer device, and each time they buy a new router I would have to get the MAC in advance to authorize the port. This is where “lock on first” is perfect in SwOS. It allows any MAC address to connect to the switch, but it only allows one MAC address per port. Pull the device and plug a new one in - it now authorizes THAT device and only that device until it is physically disconnected. It does exactly what we want to do, and we are using this feature on over 20 switches in many buildings. But, due to issues with SwOS (another thread for that problem), we want to move to ROS on the switches. But this “lock on first” feature does not seem to be possible with ROS, nor does there seem to be a similar solution.
Yes, we can run PPPoE, but then we have to give every resident a user/password and explain to them how to enter that into their routers, etc. That is going to cost us more in tech support than this is worth. The current solution works brilliantly but seems to be a SwOS-only feature, I am afraid.
Maybe you could write a script that does a similar thing, but of course it will take some time to debug it and it will not be as convenient as a built-in feature…
But, this “lock on first” feature does not seem to be possible with ROS nor does another similar solution.
I do not think you will find something similar in ROS…
But it is possible with many other ways…
Bridge Firewall as suggested earlier, with ARP reply-only etc., VLANs, PPPoE as others suggested…
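As an added illustration of the script and bridge-firewall suggestions above (this is not code from the thread or from MikroTik), here is one way to emulate “lock on first” for a single bridge port: a scheduler-driven RouterOS script that takes the first MAC learned on the port, installs an accept/drop pair in the bridge filter, and releases the lock when the link goes down. It assumes a customer port named ether2 on a RouterOS bridge, that bridge host entries learned in hardware are visible in /interface bridge host, and that the script runs from /system scheduler every few seconds; the rule comment “lock-ether2” is only a tag chosen here.

```routeros
# Emulate SwOS "lock on first" on one port (added example, not MikroTik code).
# Assumptions: customer port ether2 is a bridge port; run from /system scheduler.
:local port "ether2"
:local tag "lock-$port"
:local lockRules [/interface bridge filter find comment=$tag]

:if (![/interface ethernet get [find name=$port] running]) do={
  # Link is down: release the lock so the next device plugged in is the new "first".
  :if ([:len $lockRules] > 0) do={
    /interface bridge filter remove $lockRules
    :log info "$tag released (link down)"
  }
} else={
  # Link is up and no lock exists yet: take the first non-local MAC learned on the port.
  :if ([:len $lockRules] = 0) do={
    :local hosts [/interface bridge host find interface=$port !local]
    :if ([:len $hosts] > 0) do={
      :local mac [/interface bridge host get [:pick $hosts 0] mac-address]
      # Accept frames from the locked MAC, drop everything else arriving on this port.
      /interface bridge filter add chain=forward in-interface=$port \
        src-mac-address="$mac/FF:FF:FF:FF:FF:FF" action=accept comment=$tag
      /interface bridge filter add chain=forward in-interface=$port \
        action=drop comment=$tag
      :log info "$tag locked to $mac"
    }
  }
}
```

Two caveats to check on your own units: these rules only cover the forward chain (add matching input-chain rules if the switch itself serves DHCP), and bridge filter rules are processed by the CPU, so verify on the CRS326 whether they take the affected ports out of hardware offloading before rolling this out to 20 switches.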
This is not a solution for me.
I can put a simple switch under the CRS, and all the traffic under the same switch will have the same VLAN and access to the network.
I need only one MAC to have access to the network.
Regards
Can you please elaborate?
If someone puts anything but a router there, for example an unmanaged switch, only one device attached to the switch will get an IP address with a DHCP pool of only 1.
The rest of the devices connected will not pull an IP??
One can define the network such that the defined pool and the network only allow one or two IPs, for example.