PeterF
just joined
Topic Author
Posts: 2
Joined: Tue Nov 26, 2019 10:42 am

Solved: ACL Limits meaning  [SOLVED]

Tue Nov 26, 2019 11:02 am

Hello,

I have a question about SwOS, in the specifications for Switches with SwOS you can find it under the item
Access Control List - Up to 32 ACL rules (limited by SwOS)

What exactly is limited there?
Does this mean that I can only share 32 MAC addresses for one port? (All locked except those on the whitelist.)
Or can I create 32 lists in which I can store as many MAC addresses as I want, which I can then enable on the ports?

Concrete case:
I have several offices with one switch each. All employees have at least one laptop and further BlackBox hardware. Only known devices (MACs) may be connected to the switches.
So in each switch all ports must block unknown MACs and all known devices (MACs) must be allowed. So there must be about 60-70 MAC addresses stored, which are allowed to communicate via the switches.

Or can this only be controlled via RouterOS on the switch?
I think so towards MikroTik Cloud Router Switch - CRS326-24G-2S+RM

I am looking forward to receiving more information about this specification.

Regards
Peter

(Edit: copied the wrong switch type)
Last edited by PeterF on Thu Nov 28, 2019 8:34 am, edited 1 time in total.
 
PeterF
just joined
Topic Author
Posts: 2
Joined: Tue Nov 26, 2019 10:42 am

Re: ACL Limits meaning

Thu Nov 28, 2019 8:33 am

Got a reply from MikroTik Support:

Hello,

As you found out, the limit for ACL is 32 rules in SwOS, meaning that unfortunately you cannot set up 60-70 allowed MAC
addresses. However, you can do this running RouterOS, as the limit there is 128 ACL rules.

In RouterOS there are a couple of ways to limit the hosts that can connect to your network:

1) You could make a static ARP entry for each allowed device, and on the interface set "arp=reply-only"

2) You can use switch rules, along with adding static bridge host entries and disabling mac learning, like in this example: https://wiki.mikrotik.com/wiki/Manual:C ... t_Security

3) You could setup dot1x server/client setup to authorize your devices.

4) Bridge filter will work only on non-hardware-offloaded ports; on hardware-offloaded ports, you need to use switch rules.

Best regards,

Guntis G.

---

Solved and can be closed.
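The following is an added RouterOS CLI example illustrating options 1 and 2 from the support reply on a single hardware-offloaded port; it is not part of the thread or of MikroTik's documentation. It assumes a CRS3xx-class switch running RouterOS with a bridge named bridge1, a switch chip named switch1 and an access port ether2; the MAC and IP addresses are constructed placeholders.

```routeros
# Added example (not from the thread): per-port MAC allow-list on a
# hardware-offloaded CRS3xx port. Assumed names: bridge1, switch1, ether2.
# MAC/IP values below are constructed placeholders.

# --- Option 2: static bridge hosts + switch rules, MAC learning off ---
# The port must not learn MACs on its own; only static host entries count.
/interface bridge port
set [find interface=ether2] learn=no

# One static bridge host entry per allowed device on that port.
/interface bridge host
add bridge=bridge1 interface=ether2 mac-address=02:00:00:00:00:A1
add bridge=bridge1 interface=ether2 mac-address=02:00:00:00:00:A2

# Switch rules are matched top-down in the switch chip (they work on
# hardware-offloaded ports, unlike bridge filter). One pass-through rule
# per allowed source MAC, then a catch-all that drops everything else by
# forwarding to no ports. Each allowed device costs one rule, which is
# where the 32 (SwOS) / 128 (RouterOS) rule limits from the thread bite.
/interface ethernet switch rule
add switch=switch1 ports=ether2 src-mac-address=02:00:00:00:00:A1/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=ether2 src-mac-address=02:00:00:00:00:A2/FF:FF:FF:FF:FF:FF
add switch=switch1 ports=ether2 new-dst-ports=""

# --- Option 1: static ARP entries with arp=reply-only on the bridge ---
# With reply-only the router still answers ARP requests, but it resolves
# neighbours only from its static ARP table and never adds dynamic
# entries, so it cannot send traffic back to an unlisted host. Note this
# only governs traffic to and from the router itself, not host-to-host
# frames switched in hardware; option 2 covers those.
/interface bridge
set bridge1 arp=reply-only
/ip arp
add interface=bridge1 address=192.168.88.11 mac-address=02:00:00:00:00:A1
add interface=bridge1 address=192.168.88.12 mac-address=02:00:00:00:00:A2

# Checks: keep the rule count below the platform limit, and confirm only
# static (non-dynamic) host entries exist on the secured port.
/interface ethernet switch rule print count-only
/interface bridge host print where interface=ether2 dynamic=no
```

Apply the same pattern per port, budgeting one switch rule per allowed MAC plus one drop rule per port against the 128-rule RouterOS limit the support reply quotes.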
