Mikrotik router + Nexus switch lockdown

Scenario: You’re handing over a server to someone else to administer, but you retain control of the network. You want to prevent them from changing the server’s IP address, adding extra IPs, or bypassing your network rules, while still giving them out-of-band management access without granting VPN access to your management subnet.

Stack used: RouterOS 7.x (CCR2004), Cisco Nexus 3172PQ (NX-OS)


Table of Contents

  1. MikroTik — Static ARP Binding
  2. MikroTik — Firewall MAC Lock
  3. MikroTik — DNAT for BMC/iDRAC Access
  4. Cisco Nexus — Identifying Ports
  5. Cisco Nexus — Adding Port Descriptions
  6. Cisco Nexus — Enabling Port Security
  7. Cisco Nexus — Configuring Port Security
  8. Cisco Nexus — Verifying and Saving
  9. Attack Surface Summary

1. MikroTik — Static ARP Binding

A static ARP entry tells the router that a specific IP must belong to a specific MAC address. The router will ignore any ARP announcement trying to remap that MAC to a different IP.

/ip arp
add address=84.54.49.39 interface=bridgeMain mac-address=90:5A:08:3C:F2:7F

  • address — the IP you want to permanently bind
  • interface — the bridge or interface the server is reachable on
  • mac-address — the server’s NIC MAC address

Even if the server sends a gratuitous ARP claiming a different IP, the router won’t update its table. The MAC owns that IP, period.


2. MikroTik — Firewall MAC Lock

The static ARP entry handles the router’s own table, but we also need to drop forwarded traffic from that MAC if it arrives with any source IP other than the one we assigned. This covers the case where someone sets the NIC to a static IP manually.

/ip firewall filter
add chain=forward \
src-mac-address=90:5A:08:3C:F2:7F \
src-address=!84.54.49.39 \
action=drop \
comment="NODE - lock to 84.54.49.39"

add chain=input \
src-mac-address=90:5A:08:3C:F2:7F \
src-address=!84.54.49.39 \
action=drop \
comment="NODE - lock to 84.54.49.39 (input)"

Important: Place these rules before any accept established/related rules in your chain. New connections must pass through the full chain top-to-bottom — if a wrong-IP SYN is dropped here, no established session ever forms.

  • chain=forward — covers traffic passing through the router (server talking to the internet or other hosts)
  • chain=input — covers traffic destined for the router itself
  • src-address=!84.54.49.39 — the ! means “anything except this address”

3. MikroTik — DNAT for BMC/iDRAC Access

To reach the server’s out-of-band management interface (iDRAC, IPMI, iLO, etc.) without giving the user VPN access to your management subnet, DNAT a high port on the server’s public IP to the internal BMC address.

DNAT (Destination NAT) changes the destination of incoming traffic — external IP:port gets redirected to an internal host. SNAT/Masquerade changes the source address so internal hosts appear as a public IP on the way out. You need DNAT here; SNAT is already handled by your existing masquerade rule.

/ip firewall nat
add chain=dstnat \
dst-address=84.54.49.39 \
dst-port=65443 \
protocol=tcp \
src-address=<your-admin-ip> \
action=dst-nat \
to-addresses=10.23.201.9 \
to-ports=443 \
comment="NODE - BMC access via public IP"

  • dst-address — the server’s public IP
  • dst-port — a non-standard port you pick (65443 in this example)
  • src-address — restrict this to your own admin IP; you do not want the BMC login page exposed to the world
  • to-addresses — the internal BMC/iDRAC IP on the management subnet
  • to-ports — the BMC’s actual HTTPS port (443)

The return path works automatically because of the existing masquerade rule covering the management subnet:

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.23.201.0/24

Note: This DNAT rule is tied to the public IP. If the user somehow changes the server’s IP (they’ll lose connectivity due to the MAC lock anyway), you’d need to update the DNAT rule too.
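The three MikroTik layers above (static ARP, the two MAC-lock filter rules, and the BMC DNAT) all carry the same public IP by hand, so they drift apart exactly as the note warns. The following added example (not from the original page) parses a RouterOS export fragment and reports when the layers disagree; the export text, the admin IP 203.0.113.10 and the function names are constructed for the example.

```python
import re
# Constructed sample export. The BMC DNAT rule still points at an old public IP
# after a re-address, the drift section 3 warns about; the admin IP is a placeholder.
SAMPLE_EXPORT = r"""
/ip arp
add address=84.54.49.39 interface=bridgeMain mac-address=90:5A:08:3C:F2:7F
/ip firewall filter
add chain=forward src-mac-address=90:5A:08:3C:F2:7F \
    src-address=!84.54.49.39 action=drop comment="NODE - lock to 84.54.49.39"
add chain=input src-mac-address=90:5A:08:3C:F2:7F \
    src-address=!84.54.49.39 action=drop comment="NODE - lock (input)"
/ip firewall nat
add chain=dstnat dst-address=84.54.49.40 dst-port=65443 protocol=tcp \
    src-address=203.0.113.10 action=dst-nat to-addresses=10.23.201.9 \
    to-ports=443 comment="NODE - BMC access via public IP"
"""

def parse_export(text):
    """[(section, {key: value})] per 'add' line; folds RouterOS '\\' continuations."""
    folded = re.sub(r"\\\n\s*", " ", text)
    section, rules = None, []
    for line in folded.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)  # quoted or bare values
            rules.append((section, {k: v.strip('"') for k, v in pairs}))
    return rules

def audit_mac_lock(rules, mac, bmc_port):
    """Findings for one server MAC; an empty list means ARP, filter and DNAT agree."""
    mac, ips, chains, findings = mac.upper(), set(), set(), []
    for section, r in rules:
        if section == "/ip arp" and r.get("mac-address", "").upper() == mac:
            ips.add(r["address"])
        elif section == "/ip firewall filter" and r.get("src-mac-address", "").upper() == mac:
            if r.get("action") != "drop" or not r.get("src-address", "").startswith("!"):
                findings.append(f"chain={r.get('chain')} rule for {mac} is not a negated-IP drop")
            chains.add(r.get("chain"))
            ips.add(r.get("src-address", "").lstrip("!"))
        elif section == "/ip firewall nat" and r.get("dst-port") == bmc_port:
            ips.add(r.get("dst-address"))
            if "src-address" not in r:
                findings.append("BMC DNAT rule is not restricted to an admin src-address")
    findings += [f"no MAC-lock rule in chain={c}" for c in ("forward", "input") if c not in chains]
    if len(ips) != 1:
        findings.append(f"layers disagree on the locked IP: {sorted(ips)}")
    return findings
```

Run it against `/export` output after every re-address; the sample above reports the stale DNAT address, and a consistent export returns an empty list.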


4. Cisco Nexus — Identifying Ports

Before configuring anything on the switch, identify which physical port your server is plugged into.

View all ports and their status

show interface status

This shows every port, its description (if set), link state, VLAN, speed, and transceiver type.

Find a MAC address in the forwarding table

show mac address-table

To filter for a specific MAC:

show mac address-table | grep f27f

Example output:

* 10 905a.083c.f27f dynamic 0 F F Ethernet1/11

This tells you MAC 905a.083c.f27f was learned on Eth1/11, VLAN 10.

Note: If a NIC has never transmitted traffic (administratively DOWN or just unplugged), it will not appear in the MAC table. Trace cables physically in that case.


5. Cisco Nexus — Adding Port Descriptions

Always add descriptions so you know what’s connected without having to look up MACs again.

conf t

interface Eth1/11
description AMD-NODE4D-main-905a.083c.f27f

! Second NIC physically connected but not in use:
interface Eth1/10
description AMD-NODE4D-enp1s0f0-UNUSED
shutdown

end

Including the MAC in the description saves you from cross-referencing tables in the future. Shutting down unused connected ports at the switch level eliminates them as an attack vector entirely — the server cannot bring them up or spoof MACs through them.


6. Cisco Nexus — Enabling Port Security

Port security is not enabled by default on NX-OS. You must enable it globally before any interface-level commands will work:

conf t
feature port-security

If you skip this and go straight to the interface, you’ll get:

% Invalid command at '^' marker.

7. Cisco Nexus — Configuring Port Security

With the feature enabled, configure the target port:

interface Eth1/11
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 905a.083c.f27f
switchport port-security violation restrict

Command                          What it does
switchport port-security         Enables port security on this interface
maximum 1                        Only one MAC address allowed on this port
mac-address 905a.083c.f27f       Statically locks this MAC as the only permitted one
violation restrict               Drop frames from foreign MACs and increment the violation counter, but do not shut the port down

Why restrict and not shutdown? With shutdown, a reboot or brief NIC anomaly that sends a different MAC could take the port offline, requiring manual no shutdown to recover. With restrict the legitimate MAC keeps working and you get alerted via the violation counter.


8. Cisco Nexus — Verifying and Saving

Before saving, verify everything looks correct:

! Check port security status and counters
show port-security interface Eth1/11

! Check the secured MAC address table
show port-security address interface Eth1/11

! Full running config for this interface
show running-config interface Eth1/11

! All secured ports on the switch at a glance
show port-security

Expected output from show port-security interface Eth1/11:

Configured Port Security : Enabled
Opertional Port Security : Enabled
Port Status : Secure UP
Violation Mode : Restrict
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Security violation count : 0

Note: maximum 1 may not appear explicitly in show running-config. This is normal on NX-OS: 1 is the default value, and the counters above confirm it is in effect.

When everything looks correct, save:

copy running-config startup-config
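The verification output in this section is the thing to re-check over time, since a rising violation counter is the only signal that a foreign MAC was seen on the port. The following added example (not from the original page) parses that output into fields and reports any drift from the intended state; the HEALTHY sample is the expected output shown above, and DRIFTED is a constructed variant.

```python
import re

# Expected state for a locked-down port, matching section 7's configuration.
EXPECTED = {
    "Configured Port Security": "Enabled",
    "Port Status": "Secure UP",
    "Violation Mode": "Restrict",
    "Maximum MAC Addresses": "1",
    "Configured MAC Addresses": "1",
}

# Healthy output, copied from the expected output in section 8.
HEALTHY = """\
Configured Port Security : Enabled
Opertional Port Security : Enabled
Port Status : Secure UP
Violation Mode : Restrict
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Security violation count : 0
"""

# Constructed drift: someone switched the port to shutdown mode, and frames
# from a MAC other than the permitted one have already been dropped.
DRIFTED = HEALTHY.replace("Restrict", "Shutdown").replace("count : 0", "count : 3")

def parse_port_security(output):
    """Turn 'Key : Value' lines into a dict, ignoring anything else."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_port(output, expected=EXPECTED):
    """Return findings for one interface; an empty list means it matches the lockdown."""
    fields = parse_port_security(output)
    findings = [f"{key}: expected {want!r}, got {fields.get(key)!r}"
                for key, want in expected.items() if fields.get(key) != want]
    violations = int(fields.get("Security violation count", "0"))
    if violations:
        findings.append(f"{violations} frame(s) from a non-permitted MAC were dropped")
    return findings
```

Feed it the output of show port-security interface Eth1/11 from a scheduled job and alert on a non-empty result.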

9. Attack Surface Summary

Threat                                              Stopped by
User sets static IP manually (wrong IP)             MikroTik firewall MAC+IP drop rule
User adds a secondary IP alias on same NIC          MikroTik firewall MAC+IP drop rule
User ARP-spoofs a different IP                      MikroTik static ARP entry
User tries to use second NIC                        Nexus port shutdown (administratively down)
User MAC-spoofs on the active port                  Nexus port security (only allowed MAC passes)
User spins up VM/container with new MAC             Nexus port security (foreign MAC dropped at L2)
BMC/iDRAC exposed to the internet                   DNAT restricted to admin src-address only

Enforcement layers in order

[Server NIC]
→ Nexus port security (L2 — MAC enforcement, first line)
→ MikroTik static ARP (L3 — IP/MAC binding)
→ MikroTik firewall (L3 — src-mac + src-ip drop)
→ Internet

The Nexus is the strongest layer because it operates at L2 before any IP processing. A user who figures out the MikroTik rules and attempts MAC spoofing is stopped at the switch port before packets ever reach the router.

What this does NOT stop

  • Someone with physical access to the switch or router
  • Someone who can modify the switch/router config directly — protect your network device credentials
  • IPv6 SLAAC addresses — add equivalent ipv6 firewall filter rules on MikroTik if needed

IPv6 is a problem for another day, but as a starting point, rules like the following:

/ipv6 firewall filter
add chain=forward \
src-mac-address=90:5A:08:3C:F2:7F \
src-address=!2a14:4280:1:1::/64 \
action=drop \
comment="NODE1 - lock to /64" \
place-before=0

add chain=input \
src-mac-address=90:5A:08:3C:F2:7F \
src-address=!2a14:4280:1:1::/64 \
action=drop \
comment="NODE1 - lock to /64 (input)" \
place-before=0

will lock the MAC to one IPv6 subnet. To be safe, also block rogue Router Advertisements from that MAC, the IPv6 route to a MITM position:

/ipv6 firewall filter
add chain=forward \
src-mac-address=90:5A:08:3C:F2:7F \
protocol=icmpv6 \
icmp-options=134 \
action=drop \
comment="BLOCK rogue RA"

What this enforces

From that MAC:

Action                                  Result
Uses SLAAC inside your /64              ✅ allowed
Adds another IP in same /64             ✅ allowed
Adds IP from different /64              ❌ dropped
Tries to route another subnet           ❌ dropped
Spoofs other prefix                     ❌ dropped