RB2011UAS-2HnD with latest OS/fw.

Is it possible to set static mac address for a certain switch port so that no other host/mac is allowed - much like port security?

It doesn't seem to be possible to define a rule to drop any mac address under With host entry to drop mac 00:00:00:00:00:00 this doesn't seem to work as a new dynamic entry is added when a new host is plugged, so this automatically allows the newcomer.

Should be a fairly simple option?

use pppoe server on that port, without any other service/ip/config

Thanks for the fast response!

Uh this should be a switchport functionality so no CPU involved...

You neeed it to MANAGE or for data only from one device?

VLAN can be one option?

I edited the first post for more clarification...

I want to drop all incoming packets with MAC other than aaaa.bbbb.cccc just like port security on e.g. cisco switch works. Switchport functionality only.

"You" can make one script... schedule it on reasonable time.

supposing ether1 is the interface you want "block", switch1 the switch where port are linked, and aa:bb:cc:dd:ee:ff the only MAC you want accept:

not sure if its gonna work as intended, but you could try something like where 01:02:03:04:05:06 is the allowed MAC, and 2nd rule is last for the given port.

Same question as OP.

How can i set up a Cisco-like port security on MikroTik switch?
What i mean is allow only one mac on that port.

Hello, CRS1xx/2xx series switches support such feature:
https://wiki.mikrotik.com/wiki/Manual:C ... s_per_Port

re: Cisco-like port security

FYI
I don't want to scare anybody or post what we know - however ...

We have identified some network security holes on Cisco switches
Depending on your Cisco switch configuration
If we are at an IP-Phone, we are able to:
- knock down the entire IP-Phone network
- hack into any vlan on the Cisco switch
- knock down any vlan network or knock down any device on any vlan
- Even with some basic MAC address security which limits to only a single MAC address, we can still get onto any network and have multiple computers injected into those networks.
- Inject our own DHCP server and have it take control of DHCP services
- Inject our own gateway on any vlan network
- Redirect devices on other vlans to use our gatway - and span monitor all traffic then
- find/scan for server vulnerabilities on any vlan

I'm not trying to be scary - I am however stating :
- network security is often overlooked or never checked
- all networks everywhere usually have some huge gaping security holes for bad guys to get through
- when it comes to "port security" , you really need to think out-of-the-box and think about how many ways and methods could the NSA use to get into your network.

Another FYI - I kinda suspect the next big world-wide network security vulnerabilities will be CPU micro-code and CPU hidden Minix code . . . (AKA - did you know your CPU processors hava a built-in hidden CPU & operating system & web browser interface ?)


Tom Jones

Hello, CRS1xx/2xx series switches support such feature:
https://wiki.mikrotik.com/wiki/Manual:C ... s_per_Port

Thank You!

re: Cisco-like port security

FYI
I don't want to scare anybody or post what we know - however ...

We have identified some network security holes on Cisco switches
Depending on your Cisco switch configuration
If we are at an IP-Phone, we are able to:
- knock down the entire IP-Phone network
- hack into any vlan on the Cisco switch
- knock down any vlan network or knock down any device on any vlan
- Even with some basic MAC address security which limits to only a single MAC address, we can still get onto any network and have multiple computers injected into those networks.
- Inject our own DHCP server and have it take control of DHCP services
- Inject our own gateway on any vlan network
- Redirect devices on other vlans to use our gatway - and span monitor all traffic then
- find/scan for server vulnerabilities on any vlan

I'm not trying to be scary - I am however stating :
- network security is often overlooked or never checked
- all networks everywhere usually have some huge gaping security holes for bad guys to get through
- when it comes to "port security" , you really need to think out-of-the-box and think about how many ways and methods could the NSA use to get into your network.

Another FYI - I kinda suspect the next big world-wide network security vulnerabilities will be CPU micro-code and CPU hidden Minix code . . . (AKA - did you know your CPU processors hava a built-in hidden CPU & operating system & web browser interface ?)


Tom Jones

Would You care to elaborate any further?
Is this perhaps vtp related? Are static vlans affected?
Did You test the same thing on MikroTik? How did it go?

Hello, CRS1xx/2xx series switches support such feature:
https://wiki.mikrotik.com/wiki/Manual:C ... s_per_Port

Thank You!

re: Cisco-like port security

FYI
I don't want to scare anybody or post what we know - however ...

We have identified some network security holes on Cisco switches
Depending on your Cisco switch configuration
If we are at an IP-Phone, we are able to:
- knock down the entire IP-Phone network
- hack into any vlan on the Cisco switch
- knock down any vlan network or knock down any device on any vlan
- Even with some basic MAC address security which limits to only a single MAC address, we can still get onto any network and have multiple computers injected into those networks.
- Inject our own DHCP server and have it take control of DHCP services
- Inject our own gateway on any vlan network
- Redirect devices on other vlans to use our gatway - and span monitor all traffic then
- find/scan for server vulnerabilities on any vlan

I'm not trying to be scary - I am however stating :
- network security is often overlooked or never checked
- all networks everywhere usually have some huge gaping security holes for bad guys to get through
- when it comes to "port security" , you really need to think out-of-the-box and think about how many ways and methods could the NSA use to get into your network.

Another FYI - I kinda suspect the next big world-wide network security vulnerabilities will be CPU micro-code and CPU hidden Minix code . . . (AKA - did you know your CPU processors hava a built-in hidden CPU & operating system & web browser interface ?)


Tom Jones

Would You care to elaborate any further?
Is this perhaps vtp related? Are static vlans affected?
Did You test the same thing on MikroTik? How did it go?

Re: Would You care to elaborate any further?
Not much at this time. I am still looking for other vulnerabilities when on Cisco switches connected to VoIP phones.
FYI - this is not specifically a Cisco thing , it is a related to but not necessarily a VoIP thing and how things are configured

Re: Is this perhaps vtp related? Are static vlans affected?
Kinda (not vtp domain related) but Vlan related

Re: Did You test the same thing on MikroTik? How did it go?
I used a Cisco switch & PC & a Mikrotik something we all have access to and might already own

North Idaho Tom Jones