On Dec 3, 2019, at 3:34 AM, Richard Laager <rlaager@wiktel.com> wrote:
Enforcing a single MAC address is straightforward if the only things plugged into the non-dedicated switch (on the "downstream" side) are routers. But what happens if hypothetically Wiktel and Paul Bunyan want to exchange an Ethernet circuit VLAN over the CNS switch? The CNS switch is going to see more than just our router MAC addresses. CNS can't limit us to one MAC on a per-port basis.
Juniper QFX and MX have options for limiting the number of MAC addresses per logical interface and/or VLAN. A quick scrub of other common vendors (Cisco, Arista) shows they have the same. I wouldn’t see it as unreasonable to *require* a remote switch operator by whatever means necessary to enforce a one MAC address limit on their extension switch per logical participant handoff.