Does VyOS have anything similar to Cisco’s port-security features? Namely being able to limit the number of hosts (mac addresses) off a particular interface?
I understand that this may be out of the scope of what VyOS was built for, considering this is a very L2 kind of a problem.
Any feedback would be awesome!
The separate elements to support it are present, but there’s no VyOS CLI that would allow it.
You can create a dynamic set for MAC addresses in nftables, and limit the set to a number like 2. When packets come in, the set would be filled by the first 2 MACs seen; this would be like a limit and sticky MAC in one. You could then match that set in a firewall policy.
Dynamic sets are in VyOS, as are MAC-Groups, but you can’t create a dynamic set with MACs.
Could be a useful feature request if you wanted to submit one.
If you know the MAC addresses of the hosts you want to allow talking, you can create a firewall filter only allowing those MACs. It just wouldn’t be dynamic like traditional portsec.
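What the reply above describes, written out as a raw nftables ruleset (an added example, not from the thread and not VyOS CLI): a dynamic set of size 2 that learns the first two source MACs seen on an access interface, plus the static allow-list alternative from the last paragraph. The interface name `eth1`, the limit of 2, the placeholder MACs and all table/set/chain names are assumptions chosen for the example.

```nft
# Added example, not from the thread. Assumptions: access interface is "eth1",
# the host limit is 2, and the table/set/chain names and MACs are made up here.
table inet portsec {

    # Static allow-list for the case where the permitted MACs are known
    # (the non-dynamic alternative from the reply). Placeholder addresses.
    set allowed_macs {
        type ether_addr
        elements = { 02:00:00:00:00:01, 02:00:00:00:00:02 }
    }

    # Dynamic "sticky MAC" set, filled from the packet path by the first two
    # source MACs seen on eth1. With no timeout the entries stay until the set
    # is flushed, like sticky port-security; add "timeout 1h" to age them out.
    set seen_macs {
        type ether_addr
        size 2
        flags dynamic
    }

    chain ingress_portsec {
        type filter hook prerouting priority 0; policy accept;

        # Only police frames arriving on the access interface.
        iifname != "eth1" accept

        # MACs on the static allow-list always pass.
        ether saddr @allowed_macs accept

        # Learn-and-allow: "add" inserts a new MAC while the set has room and
        # also matches a MAC that is already in the set. Once two entries are
        # present a third MAC cannot be added, the rule does not match, and
        # the packet falls through to the violation rule below.
        add @seen_macs { ether saddr } accept

        # Port-security violation: count and log it for detection, then drop.
        counter log prefix "portsec-violation eth1: " drop
    }
}
```

Load it with `nft -f portsec.nft` and inspect what has been learned with `nft list set inet portsec seen_macs`; a MAC beyond the limit shows up in the kernel log with the `portsec-violation` prefix. VyOS generates its own nftables tables on commit, so check that a separately loaded table is still present after configuration changes.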