MAC authentication in Cisco ACI (or how to get the features you need)

You might be thinking the same that I did: why the heck do you need MAC authentication in a data center? However, I came across this requirement from a customer recently. For this customer this was really important.

Cisco ACI doesn’t offer any form of MAC authentication today. Furthermore, unfortunately this requirement is not very common in data centers, so what are the chances that Cisco will implement it? How to solve this problem?

Luckily, ACI is not like any other network: it is highly programmable. So how difficult programming this feature would be? I thought about the ACI Toolkit, a bunch of apps that use a simplified version of ACI’s object model. More specifically, I thought about the End-Point-Tracker application, a script that monitors all servers that connect and disconnect to/from the network, and inserts these movements in a database, so that you can track what your end hosts are doing. BTW, you can find it here:

So would it be possible modify this End Point Tracker so that instead of recording End Point movements in a database, it compares the MAC address of the End Point trying to connect to the network, and either allow or disallow that connection?

Of course! Even with my poor programming skills (what is obvious in the code), I could do that in a couple of nights. You can find the script in my GitHub repository: You can see what some lines of code can do: you can write the functionality you need into ACI yourself, without having to wait for Cisco to roll that feature that apparently you are the only one in the world in need of!

I recorded a quick demo, so that you can see the script in action here:

What other ideas do you have to code on top of ACI?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: