Allow only certain MAC to connect on a cnMatrix port

Hi. I have a cnMatrix EX2028-P switch running 4.3-r3 (I will be upgrading it soon). I am wondering if there is a way to permit only a certain MAC to connect to a specific port of the switch. More specifically, I have several XV2-21X access points connecting to the switch and I want to make sure that my users will not disconnect the access points from the wall plugs to connect their PCs.

Hi, we cannot prevent the user from physically disconnecting the access points from the wall plugs. However, you can prevent malicious users from accessing the network using our PBA feature. You can set up a PBA policy to detect the APs based on their OUI and assign the ports to the proper VLANs. In addition, you will need to create a default PBA policy to catch all other devices and put the ports into a guess/dummy VLAN. If you are interested in this solution, please raise a ticket and we can assist you with the configuration.

Hi TamN, thank you for the reply. Of course I do not expect that any switch would prevent the user from physically disconnecting the access points from the wall plugs. Also, it does not matter if the connected device is an access point, a PC, a printer or any other device connected using a patch cable. The question is whether there is a way to allow traffic on a switch port only for the MAC address I will define. If a MAC other than the one I define connects to that port, the switch should drop the traffic. Is setting up a PBA policy the only way to do it?

When I think about it in depth however, I do see certain issues:

  1. If there is a (simple) way to restrict only one MAC address to pass traffic through the switch port, anyone can clone the MAC address I will define so they can bypass this restriction

  2. Since my issue refers to an access point, if there is a way to define only the MAC address of the access point to permit traffic on the switch port, then the Wi-Fi clients connected on that access point will not be able to pass traffic since there MAC address will be accessible through that switch port as well!

I am curious however, if I can indeed use a simple MAC filter on the switch ports to restrict the MACs that can pass traffic. Something similar can be done for wi-fi networks, where you define the MAC addresses allowed to connect to wi-fi.

For the above case, I guess setting up a PBA policy per your suggestion may be the way to go.