 
blake
Member
Topic Author
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Limit number of MAC addresses per interface

Mon Jun 07, 2010 11:30 am

Hello,

Is it possible to limit the number of learned MAC addresses per interface like with Cisco's switchport port-security maximum or mac-address-table limit commands?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Limit number of MAC addresses per interface

Mon Jun 07, 2010 1:20 pm

I do not know whether you are talking about Switch chip features (there you could not limit the table),
http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features

For regular Ethernet interfaces you can disable ARP and build the ARP table manually.
 
blake
Member
Topic Author
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: Limit number of MAC addresses per interface

Mon Jun 07, 2010 7:28 pm

I still would like to have the ARP table built dynamically.

Most wireless equipment I currently use from Redline, Motorola, Waverider, Airspan, etc. operates as bridges, and all have the ability to limit the number of MAC addresses learned on the customer-facing interface. I'm looking to emulate this functionality with MikroTik.

Is this possible?
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Limit number of MAC addresses per interface

Mon Jun 07, 2010 8:58 pm

What would you want to happen when it hits the max? Expire old ARPs and allow new ones in, or assume all the ones currently on at that moment to be static? You could use a script to do this same thing depending on how you want to implement it.
 
blake
Member
Topic Author
Posts: 426
Joined: Mon May 31, 2010 10:46 pm
Location: Arizona

Re: Limit number of MAC addresses per interface

Mon Jun 07, 2010 9:01 pm

Some equipment I have expires old entries and allows the new entries, and some equipment retains learned hosts while not allowing new hosts to receive access once the limit is hit.

It would be nice to have the flexibility to go either route.
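
The two over-limit behaviours discussed in this thread (keep the learned hosts and refuse new ones, or expire the oldest entry to admit a new one), modelled in Python as an added example; it is not part of any post and is not MikroTik code. The class name, the 300-second idle timeout, the least-recently-seen eviction rule and the sample MAC addresses are assumptions.

```python
from collections import OrderedDict

class PortMacTable:
    """Learned source MACs for one port, capped at `limit` entries."""

    def __init__(self, limit, policy, max_age=300):
        if policy not in ("evict-oldest", "lock"):
            raise ValueError(f"unknown policy: {policy}")
        self.limit, self.policy, self.max_age = limit, policy, max_age
        self.hosts = OrderedDict()  # MAC -> last-seen time, oldest first

    def frame(self, src_mac, now):
        """Return True if a frame from src_mac at time `now` is forwarded."""
        mac = src_mac.lower()
        # Age out idle entries first so a locked port can recover.
        for old in [m for m, seen in self.hosts.items() if now - seen > self.max_age]:
            del self.hosts[old]
        if mac in self.hosts:
            self.hosts[mac] = now           # refresh a known host
            self.hosts.move_to_end(mac)
            return True
        if len(self.hosts) >= self.limit:
            if self.policy == "lock":
                return False                # keep learned hosts, refuse new ones
            self.hosts.popitem(last=False)  # drop the least recently seen host
        self.hosts[mac] = now
        return True


def simulate(policy, limit=2):
    """Constructed traffic: one customer device, then four extra devices."""
    table = PortMacTable(limit, policy)
    cpe = "00:00:5E:00:53:01"  # constructed sample MAC (documentation range)
    extra = [f"00:00:5E:00:53:{i:02X}" for i in range(0x10, 0x14)]
    verdicts = [table.frame(cpe, now=0)]
    verdicts += [table.frame(m, now=t) for t, m in enumerate(extra, start=1)]
    return verdicts, list(table.hosts)


if __name__ == "__main__":
    for policy in ("lock", "evict-oldest"):
        print(policy, *simulate(policy))
```

With this constructed traffic, `lock` forwards only the first two MACs, while `evict-oldest` forwards all five and ends with the original device pushed out of the table, so it caps the table size but not which hosts get access.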
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Limit number of MAC addresses per interface

Mon Jun 07, 2010 10:02 pm

You could have a script that just counts the number of ARP entries and changes the interface to allow / disallow ARPs on that threshold. Run the script every few seconds and it should be good to go?

# Count the ARP entries on the interface and toggle ARP at the threshold.
:if ([:len [/ip arp find interface="0-inside"]] > 30) do={
    /interface ethernet set "0-inside" arp=disabled
} else={
    /interface ethernet set "0-inside" arp=enabled
}

Pseudo code, not tested, but you get the idea...
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Limit number of MAC addresses per interface

Fri Sep 22, 2017 5:18 am

I need this feature, Cisco's port security to limit the number of MAC addresses learned ... any development on this?
 
chubbs596
Frequent Visitor
Posts: 90
Joined: Fri Dec 06, 2013 6:07 pm

Re: Limit number of MAC addresses per interface

Fri Jun 29, 2018 1:20 pm

Hi Guys

We also require this feature on the switch chip, basically to only allow the number of MACs configured on a port; for any new devices connected, the switch chip just drops the traffic.
 
artz
MikroTik Support
Posts: 88
Joined: Tue Oct 17, 2017 5:51 pm
Location: Riga

Re: Limit number of MAC addresses per interface

Fri Jun 29, 2018 2:27 pm

This is possible on switch chips that are capable of ACL rules, you can find examples using CRS3xx and non-CRS1xx/CRS2xx devices here:
https://wiki.mikrotik.com/wiki/Manual:C ... t_Security
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Limit number of MAC addresses per interface

Wed Sep 18, 2019 7:56 pm

> This is possible on switch chips that are capable of ACL rules, you can find examples using CRS3xx and non-CRS1xx/CRS2xx devices here:
> https://wiki.mikrotik.com/wiki/Manual:C ... t_Security

OK, but I need to allow 1 non-specific MAC on the interface (to prevent users from connecting a switch and expanding the LAN) since the port came up. Setting a specific MAC in the host table is not a solution for me.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Limit number of MAC addresses per interface

Wed Sep 18, 2019 9:20 pm

Since many routers do not use a switch chip, but bridges instead, this solution may work:

# Count the hosts learned on the bridge port and toggle ARP at the threshold.
:local if "ether1"
:if ([:len [/interface bridge host find where on-interface=$if]] > 30) do={
  /interface ethernet set $if arp=disabled
} else={
  /interface ethernet set $if arp=enabled
}

PS not tested.
 
slx2
just joined
Posts: 3
Joined: Wed Sep 19, 2018 12:07 pm
Location: Poland

Re: Limit number of MAC addresses per interface

Wed Sep 18, 2019 9:47 pm

CRS125 has that option "learn-limit" https://wiki.mikrotik.com/wiki/Manual:C ... t_Settings
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Limit number of MAC addresses per interface

Thu Sep 19, 2019 10:26 am

> Since many routers do not use a switch chip, but bridges instead, this solution may work:
> :local if "ether1"
> :if ([:len [/interface bridge host find where on-interface=$if]] > 30) do={
>   /interface ethernet set $if arp=disabled
> } else={
>   /interface ethernet set $if arp=enabled
> }
> PS not tested.

I think this is not a solution, because disabling ARP on an interface in a bridge does not have any effect. But I haven't tested it.
Last edited by 5nik on Thu Sep 19, 2019 10:34 am, edited 1 time in total.
 
5nik
Member Candidate
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Re: Limit number of MAC addresses per interface

Thu Sep 19, 2019 10:33 am

> CRS125 has that option "learn-limit" https://wiki.mikrotik.com/wiki/Manual:C ... t_Settings

Thanks, this is what I need. Unfortunately, this option is only for CRS1xx/2xx series switches; the newer series (CRS3xx) doesn't have it. And it is not included generally in bridge options usable for all RB.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Limit number of MAC addresses per interface

Thu Sep 19, 2019 6:07 pm

> > CRS125 has that option "learn-limit" https://wiki.mikrotik.com/wiki/Manual:C ... t_Settings
>
> Thanks, this is what I need. Unfortunately, this option is only for CRS1xx/2xx series switches; the newer series (CRS3xx) doesn't have it. And it is not included generally in bridge options usable for all RB.

Many of us will miss the CRS 1xx/2xx switches, a lot more versatile and powerful than CRS3xx.

The sin and cause of limited success of CRS 1xx/2xx was their complex and unique way of configuring simple things like VLANs, but the range of functionalities and versatility was magnificent.

CRS3xx are simpler switches, with fewer functionalities but simpler to configure, which makes them much more popular and successful.

Maybe in the future, when MikroTik manages to penetrate the switching market more significantly, there will be space for a separate line of switches with advanced features like CRS1xx/2xx.

CRS 1xx/2xx were too good to be an introductory product.

There is no doubt CRS 3xx are much more successful than CRS1xx/2xx, making a name for MikroTik in the entry-level manageable switching market.
 
marekm
Member
Posts: 379
Joined: Tue Feb 01, 2011 11:27 pm

Re: Limit number of MAC addresses per interface

Sat May 30, 2020 8:52 pm

But https://wiki.mikrotik.com/wiki/SwOS/CRS3xx says Port Lock + Lock On First can be used under SwOS, so the hardware is capable of it - just RouterOS doesn't support it (yet).
