L2 Port Security

Hi everyone!

Does VyOS have anything similar to Cisco’s port-security features? Namely, being able to limit the number of hosts (MAC addresses) off a particular interface?
I understand that this may be out of the scope of what VyOS was built for, considering this is a very L2 kind of problem.
Any feedback would be awesome!

Thanks!

Hello,
Sorry, but there is nothing like that built in at this time.

1 Like

Thank you for the quick response!

1 Like

Is there another answer nowadays?
Thanks!

The separate elements to support it are present, but there’s no VyOS CLI that would allow it.

You can create a dynamic set for MAC addresses in nftables and limit the set to a number like 2. When packets come in, the set would be filled by the first 2 MACs seen; this would be like a limit and sticky MAC in one. You could then match that set in a firewall policy.

Dynamic sets are in VyOS, as are MAC-Groups, but you can’t create a dynamic set with MACs.

Could be a useful feature request if you wanted to submit one.

If you know the MAC addresses of the hosts you want to allow talking, you can create a firewall filter only allowing those MACs. It just wouldn’t be dynamic like traditional portsec.

1 Like
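The nftables construction described above, written out as an added example (this is not VyOS CLI configuration and not code from the post; it is a raw nftables ruleset of the kind the post says you would have to build by hand). It assumes a VyOS bridge with a host-facing member port named `eth1` and a limit of 2 MAC addresses; the table, set and chain names are chosen here:

```nft
# Added example: raw nftables ruleset, not a VyOS CLI feature.
# Assumptions: eth1 is a bridge member port facing the hosts, and at most
# 2 source MACs may talk through it. Table/set/chain names are arbitrary.
table bridge portsec {
    # Dynamic set capped at 2 elements. Elements carry no timeout, so a
    # learned MAC stays until the set is flushed: the "sticky" behaviour.
    set seen_macs_eth1 {
        type ether_addr
        size 2
        flags dynamic
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Frames from a MAC already learned on eth1 are forwarded.
        iifname "eth1" ether saddr @seen_macs_eth1 accept

        # Unknown MACs are learned on first sight. Once the set holds 2
        # entries the add fails, this rule does not match, and evaluation
        # falls through to the drop below.
        iifname "eth1" add @seen_macs_eth1 { ether saddr } accept

        # Anything else from eth1 is a third MAC: count it and drop it.
        iifname "eth1" counter drop
    }
}
```

Load it with `nft -f <file>`, inspect what has been learned with `nft list set bridge portsec seen_macs_eth1`, and clear the learned entries with `nft flush set bridge portsec seen_macs_eth1` when a host is legitimately replaced. The `counter` on the final rule is what you would watch (or log) to detect a port where extra stations are showing up. Replacing the dynamic set with a fixed `elements = { ... }` list and dropping the `add` rule gives the static, known-MAC variant mentioned later in the thread. Because this lives outside the VyOS CLI, it is not stored in the VyOS configuration and has to be managed separately, which is the gap the thread points out.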

Also, most of the port-security features are geared towards L2 switches rather than L3 routers, and VyOS is mainly the latter.

This doesn’t mean that such features couldn’t be implemented, since VyOS does support VLANs, similar to how an L3 switch deals with this.

1 Like