deny to dumb switches

  • 1.  deny to dumb switches

    Posted May 28, 2021 03:55 PM
    Hi,
    What is the best way to deny any dumb switches like TP-Link being attached to a port on A, E or CX series switches without locking the port to one specific MAC?
    Is there a way to limit the number of MAC addresses active on a port?
    Thank you.

    ------------------------------
    damima
    ------------------------------


  • 2.  RE: deny to dumb switches

    EMPLOYEE
    Posted May 29, 2021 02:07 PM
    Hi,

    I suggest you check page 11 of the wired enforcement guide, as it explains the various enforcement options to secure your wired infrastructure. These options are not specific to ClearPass, although ClearPass can simplify the deployment. Usually we recommend going for 802.1x wherever possible and enabling less secure options as needed.

    Yes, usually you can configure the switch to limit the number of mac addresses per port, but do you really want to do this? Will it be an appropriate and scalable solution from an operations point of view?

    ------------------------------
    Ayman Mukaddam
    ------------------------------



  • 3.  RE: deny to dumb switches

    Posted May 29, 2021 05:59 PM
    "Yes, usually you can configure the switch to limit the number of mac addresses per port, but do you really want to do this?" --> Yes, this is what I want, but without actually fixing the port to just a specific MAC address. I just want to allow a number of MAC addresses on the port. And it will be only 1 or 2 if I have a VoIP phone in the configuration. But the user won't be able to plug in a dumb switch.

    ------------------------------
    damima
    ------------------------------



  • 4.  RE: deny to dumb switches

    MVP GURU
    Posted May 29, 2021 06:06 PM
    I believe they will. Users will be able to connect unmanaged switches... the restriction should produce its desired effect when they eventually start to connect more devices to those "dumb" switches than you permit...

    ------------------------------
    Davide Poletto
    ------------------------------



  • 5.  RE: deny to dumb switches

    Posted May 29, 2021 06:13 PM
    Any hints how to achieve this on Comware or ArubaOS?

    ------------------------------
    damima
    ------------------------------
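
The behaviour described in post 4, modelled as an added example (not code from any poster or from the switch vendor): a per-port MAC address limit counts the hosts seen on the port, so it only trips once more devices than the limit show up behind it. `LimitedPort`, `replay`, `summarize` and the sample MAC addresses are constructed for illustration, and the model assumes the unmanaged switch sources no frames of its own.

```python
from dataclasses import dataclass, field

@dataclass
class LimitedPort:
    """Hypothetical model of an access port with a MAC address limit."""
    limit: int
    learned: set = field(default_factory=set)
    violations: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is accepted on this port."""
        mac = src_mac.lower()
        if mac in self.learned:
            return True
        if len(self.learned) < self.limit:
            self.learned.add(mac)          # still room: learn the address
            return True
        if mac not in self.violations:
            self.violations.append(mac)    # over the limit: record and drop
        return False

def replay(limit: int, frames: list) -> LimitedPort:
    """Feed a sequence of source MACs (one per frame) through a fresh port."""
    port = LimitedPort(limit)
    for mac in frames:
        port.ingress(mac)
    return port

# Constructed sample traffic (documentation MAC range). An unmanaged switch
# adds no MAC of its own, so the port only ever sees the hosts behind it.
PHONE, PC, LAPTOP = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
SCENARIOS = {
    "phone + PC, no extra switch":        [PHONE, PC, PHONE, PC],
    "dumb switch, two hosts behind it":   [PC, LAPTOP, PC, LAPTOP],
    "dumb switch, three hosts behind it": [PHONE, PC, LAPTOP, PC, LAPTOP],
}

def summarize(limit: int = 2) -> dict:
    """Map each scenario to the list of MACs that exceeded the limit."""
    return {name: replay(limit, frames).violations
            for name, frames in SCENARIOS.items()}

if __name__ == "__main__":
    for name, over in summarize().items():
        print(f"{name:38} -> {'VIOLATION ' + ', '.join(over) if over else 'no violation'}")
```

With a limit of 2, the first two scenarios are indistinguishable to the port; only the third records a violation.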