Avaya ERS 3500 Technical Configuration Manual

MAC Address Based Security
Ethernet Routing Switch
• ERS 2500
• ERS 3500
• ERS 4500/ 4800
• ERS 5500/ 5600
Virtual Services Platform
• VSP 7000
Engineering
> MAC Address Based Security
Technical Configuration Guide
Avaya Data Solutions
Document Date: July 2012
Document Number: NN48500-601
Document Version: 2.1

Summary of Contents for Avaya ERS 3500

  • Page 2 Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya. Licenses THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/...
  • Page 3 (revision table)
    1 Aug 2008, V. Ganjian: Initial draft document release
    22 Nov 2010, K. Marshall: Rebranded Avaya
    September 2012, L. Stevens: Complete re-write
    24 Sept 2012, L. Stevens: Incorporated review changes from JVE
    Avaya Inc. – Internal Distribution November 2010
  • Page 4: Table of Contents
    Ensuring that every access port is used by one and only one device ........ 74
    Auto-Learning with Sticky-MAC example .................... 86
    MAC Security without having to pre-provision ports when new devices added ...... 86
  • Page 5: Figures
    Figure 22: Example 6; unauthorized MAC moving to a different port ............ 106
    Tables
    Table 1: MAC Security support across Avaya switch family types ............... 7
    Table 2: MAC Security capability vs. mode matrix .................. 10
    Table 3: MAC Security config commands vs. mode matrix ................ 11
  • Page 6 Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command:
      ERS5520-48T# show running-config
    Output examples from Avaya devices are displayed in a Lucida Console font:
      ERS5520-48T# show sys-info
      Operation Mode:...
  • Page 7: Introduction
    10.2.0 SW: MAC Security port lock-out enhancement
    Table 1: MAC Security support across Avaya switch family types
    This document will focus on the full capabilities of the MAC Security feature regardless of stackable switch family type (i.e. assuming a software release greater than or equal to the last one shown in the list above).
  • Page 8 Upon a violation it is possible to define additional security actions. These can be specified as any combination of the following actions:
    • No additional action
    • Generate a Trap
    • Partition the Port
  • Page 9 (capability table fragment)
    ... from receiving VLAN traffic: Yes (with Security Action set to Partition) in each of the three mode columns
    Limit the number of devices allowed to use an ethernet ...
  • Page 10: Table 2: MAC Security capability vs. mode matrix
    ... move across a specified range of MAC Security enabled ports: Yes (using a Security-List)
    List of authorized MACs is saved to config and preserved upon switch restart
    Table 2: MAC Security capability vs. mode matrix
  • Page 11: Table 3: MAC Security config commands vs. mode matrix
    ... 802.1X supplicant. Although not explored as part of this configuration guide, NEAP is another option for authenticating connecting devices based on MAC Address.
  • Page 12: Base configuration setup
    All the examples covered use the same base configuration setup shown in the following figure.
    Figure 1: Base setup
    For simplicity the Avaya ERS Switch is configured as a simple access layer 2 switch with no IP routing. A separate IP router acts as default gateway for the end stations. However, the same configuration examples covered in this document would also work in configurations where the Avaya ERS Switch is acting as an IP router.
  • Page 13: Ensuring MAC Security can never accidentally be enabled on uplinks
    Using ACLI
    Enable Port lock-out for MLT uplink ports 23-24
      Avaya-ERS-Switch(config)# interface FastEthernet 23-24
      Avaya-ERS-Switch(config-if)# mac-security lock-out
      Avaya-ERS-Switch(config-if)# exit
    Checking Port lock-out for MLT uplink ports 23-24
      Avaya-ERS-Switch# show mac-security port 23-24
      Port Trunk Security Auto-Learning MAC Number Security Locked-out...
  • Page 14 2.1.2 Using EDM: Enable Port lock-out for MLT uplink ports 23-24
  • Page 15: Disabling SNMP write access just for MAC Security configuration
    Now it will no longer be possible to modify MAC Security from EDM (via COM); any attempt to do so will result in an error. However, the MAC Security configuration can still be viewed from COM.
  • Page 16 ... MAC Security configuration. Web access on the switch would in any case need to be disabled for security reasons.
    Disable web access (HTTP & HTTPS) to the switch (EDM on-box)
      Avaya-ERS-Switch(config)# web-server disable
  • Page 17: Regular MAC Security examples
    On older software versions you can enable traps upon violation; in more recent software versions the traps are generated automatically and this command no longer exists
      Avaya-ERS-Switch(config)# mac-security snmp-trap
    3.1.1.2 Provisioning authorized users
  • Page 18 Assign authorized MACs to respective access ports
      Avaya-ERS-Switch(config)# mac-security mac-address-table address 00-0F-B5-08-2F-BB port 1
      Avaya-ERS-Switch(config)# mac-security mac-address-table address 00-0F-B5-08-32-9F port 2
      Avaya-ERS-Switch(config)# mac-security mac-address-table address 00-C0-95-C8-FF-12 port 3
      Avaya-ERS-Switch(config)# mac-security mac-address-table address 00-C0-95-C8-9A-62 port 4
    3.1.1.3 Checking MAC Security operational status...
  • Page 19 (MAC Security MAC table, continued)
      00-C0-95-C8-9A-62 Static
      Security List Allowed MAC Address Type
      ------------- ------------------- ---------
    Verify the FDB on the switch
      Avaya-ERS-Switch# show mac-address-table vid 30
      Mac Address Table Aging Time: 300
      Learning Enabled Ports 1-26
      Number of addresses: 5
      MAC Address Type Source...
  • Page 20 (FDB output, continued)
      00-C0-95-C8-9A-62 30 Dynamic Port: 4
      00-C0-95-C8-FF-12 30 Dynamic Port: 3
      00-E0-16-57-6E-81 30 Dynamic Trunk:1
    3.1.2 Using EDM
    3.1.2.1 Initial Switch configuration: Globally enable MAC Security
  • Page 21 Enable MAC Security on the access ports; Enable traps upon violation
  • Page 22 3.1.2.2 Provisioning authorized users: Assign authorized MACs to respective access ports
  • Page 24 3.1.2.3 Checking MAC Security operational status: Verify that MAC Security is globally enabled and on access ports
  • Page 25 Verifying user connectivity: Verify IP connectivity between the Router and the end stations
      Router#% ping 30.0.0.2; ping 30.0.0.3; ping 30.0.0.121; ping 30.0.0.122
      30.0.0.2 is alive
      30.0.0.3 is alive
      30.0.0.121 is alive
      30.0.0.122 is alive
  • Page 26: Figure 3: Example 1; unauthorized MAC on non-provisioned port
    Verify log file on switch
      Avaya-ERS-Switch# show log
      Type Time Src Message
      ---- ----------------------------- ---- --- -------
      00:05:53:48 Link Up Trap for Port: 5
      00:05:53:52 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 5
      00:05:53:52 Trap: s5EtrNewSbsMacAccessViolation
  • Page 27 Verify traps on Management station (e.g. VPFM or COM); Verify MAC Security violations from EDM
  • Page 28: Figure 4: Example 1; unauthorized MAC on provisioned port
      Type Time Src Message
      ---- ----------------------------- ---- --- -------
      00:06:12:15 Link Down Trap for Port: 1
      00:06:12:17 Link Up Trap for Port: 1
      00:06:12:21 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
      00:06:12:21 Trap: s5EtrNewSbsMacAccessViolation
  • Page 29 Verify traps on Management station (e.g. VPFM or COM); Verify MAC Security violations from EDM
  • Page 30: Figure 5: Example 1; unauthorized MAC sharing connection with authorized MAC
      Type Time Src Message
      ---- ----------------------------- ---- --- -------
      00:06:24:58 Link Down Trap for Port: 1
      00:06:25:01 Link Up Trap for Port: 1
      00:06:25:05 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
      00:06:25:05 Trap: s5EtrNewSbsMacAccessViolation
  • Page 31 (ping output, continued)
      30.0.0.122 is alive
      no answer from 30.0.0.144
    Tip – If the network administrator prefers to disable ethernet port 1 in this scenario, it is sufficient to configure the port partitioning security action upon violation.
  • Page 32: Figure 6: Example 1; unauthorized MAC moving to a different port
    (log output, continued)
      ... Link Up Trap for Port: 1
      00:06:37:49 Link Up Trap for Port: 2
      00:06:37:53 Bay Secure intruder MAC 00-0f-b5-08-2f-bb port 2
      00:06:37:53 Trap: s5EtrNewSbsMacAccessViolation
      00:06:37:55 Bay Secure intruder MAC 00-0f-b5-08-32-9f port 1
      00:06:37:55 Trap: s5EtrNewSbsMacAccessViolation
  • Page 33 Note that the authorized devices cannot communicate on the wrong ethernet port
      Router#% ping 30.0.0.2; ping 30.0.0.3; ping 30.0.0.121; ping 30.0.0.122
      no answer from 30.0.0.2
      no answer from 30.0.0.3
      30.0.0.121 is alive
      30.0.0.122 is alive
  • Page 34: Ensuring that no new unauthorized device (MAC) is added to the network
    Note – There is an alternative syntax for enabling learning on the port interfaces:
      Avaya-ERS-Switch(config)# interface FastEthernet 1-20
      Avaya-ERS-Switch(config-if)# mac-security learning
      Avaya-ERS-Switch(config-if)# exit
    Verify that MAC Security learning mode is enabled
      Avaya-ERS-Switch#% show mac-security config
      MAC Address Security: Enabled
      MAC Address Security SNMP-Locked: Disabled
  • Page 35 Once satisfied that all MACs have been recorded, we can proceed to lock these down and activate MAC Security on the access ports.
    Disable MAC Security learning mode
      Avaya-ERS-Switch(config)# mac-security learning disable
    Enable MAC Security on the access ports
      Avaya-ERS-Switch(config)# interface FastEthernet 1-20
      Avaya-ERS-Switch(config-if)# mac-security enable
      Avaya-ERS-Switch(config-if)# exit
  • Page 36 (per-port status table: only alternating Enabled/Disabled column values were captured; port numbers and column headers are missing)
  • Page 37 (MAC Security MAC table, continued)
      00-C0-95-C8-FF-12 Static
      Security List Allowed MAC Address Type
      ------------- ------------------- ---------
    Verify the FDB on the switch
      Avaya-ERS-Switch# show mac-address-table vid 30
      Mac Address Table Aging Time: 300
      Learning Enabled Ports 1-26
      Number of addresses: 4
      MAC Address Type Source...
  • Page 38 3.2.2 Using EDM; 3.2.2.1 Initial Switch configuration: Globally enable MAC Security; Enable learning on the access ports
  • Page 39 View recorded MACs so far. Once satisfied that all MACs have been recorded, we can proceed to lock these down and activate MAC Security on the access ports. Disable MAC Security learning mode
  • Page 40 Note – There is no need to clear the ports under PortLearnStatus; after reverting SecurityMode back to macList all ports under PortLearnStatus will be cleared anyway. Enable MAC Security on the access ports; Enable traps upon violation
  • Page 41 3.2.2.2 Checking MAC Security operational status: Verify that MAC Security is globally enabled and on access ports; Verify the authorized MAC addresses appear in the MAC Security MAC table
  • Page 42 (running-config excerpt)
      ! Model = Ethernet Routing Switch 4826GTS-PWR+
      ! Software version = v5.6.1.053
      ! Displaying only parameters different to default
      !================================================
      enable
      configure terminal
      [...]
      ! *** MAC-Based Security ***
      interface FastEthernet ALL
      mac-security port 1-20 enable
  • Page 43: Figure 8: Example 2; a new device is added to the network
    Verify log file on switch
      Avaya-ERS-Switch# show log
      Type Time Src Message
      ---- ----------------------------- ---- --- -------
      01:01:07:23 Link Up Trap for Port: 4
      01:01:07:28 Bay Secure intruder MAC 00-c0-95-c8-9a-62 port 4
      01:01:07:28 Trap: s5EtrNewSbsMacAccessViolation
  • Page 44 Wait for the new MAC to be learnt on port 4
      Avaya-ERS-Switch(config)# show mac-security mac-address-table
      Number of addresses: 4
      Unit Port Allowed MAC Address Type
      ---- ---- ------------------- ---------
      00-0F-B5-08-2F-BB Static
      00-0F-B5-08-32-9F Static
      00-C0-95-C8-FF-12 Static
      00-C0-95-C8-9A-62 Static
  • Page 45 Re-enable MAC Security on port 4
      Avaya-ERS-Switch(config)# interface FastEthernet 4
      Avaya-ERS-Switch(config-if)# mac-security enable
      Avaya-ERS-Switch(config-if)# exit
    The new user is now securely added to the network.
    3.2.4.2 Using EDM: Temporarily disable MAC Security on port 4
  • Page 46 Wait for the new MAC to be learnt on port 4
    Warning – Ensure that only 1 MAC address, and the correct MAC address, has been learnt against port 4. We can now proceed to re-enable MAC Security on port 4
  • Page 47 Disable MAC Security learning mode
    Note – There is no need to clear the ports under PortLearnStatus; after reverting SecurityMode back to macList all ports under PortLearnStatus will be cleared anyway
  • Page 48 Re-enable MAC Security on port 4. The new user is now securely added to the network.
    3.2.4.3 Checking connectivity: Verify IP connectivity between the Router and the end stations
      Router#% ping 30.0.0.122
      30.0.0.122 is alive
  • Page 49: Using MAC Security to tie down server MACs using Active/Standby NICs
    3.3.1 Using ACLI
    3.3.1.1 Initial Switch configuration
    Create the Security Lists (one for each server)
      Avaya-ERS-Switch(config)# mac-security security-list 1 7-8
      Avaya-ERS-Switch(config)# mac-security security-list 2 9-10
    Note – Up to 32 Security Lists can be created.
    Globally enable MAC Security...
  • Page 50 (Security List output, continued)
      Security List 2: 9-10
      Security List 3: NONE
      Security List 4: NONE
      Security List 5: NONE
      Security List 6: NONE
      Security List 7: NONE
      Security List 8: NONE
      Security List 9: NONE
      Security List 10: NONE
  • Page 51
      Avaya-ERS-Switch# show mac-security port
      Port Trunk Security Auto-Learning MAC Number
      ---- ----- -------- ------------- ----------
      (ten rows follow; only the values "Enabled Disabled" were captured for each row, port numbers are missing)
  • Page 52 (MAC Security MAC table, continued)
      Type
      ------------- ------------------- ---------
      00-C0-95-C8-9A-62 Static
      00-C0-95-C8-FF-12 Static
    Verify the FDB on the switch
      Avaya-ERS-Switch# show mac-address-table vid 30
      Mac Address Table Aging Time: 300
      Learning Enabled Ports 1-26
      Number of addresses: 3
      MAC Address Type Source
      ----------------- ---- ------- -------...
  • Page 53 (FDB output, continued) ... 30 Dynamic Trunk:1
    Note – From the FDB we can easily see which port has the Active NIC connected.
    3.3.2 Using EDM
    3.3.2.1 Initial Switch configuration: Create the Security Lists (one for each server)
  • Page 54 Note – Up to 32 Security Lists can be created. Globally enable MAC Security
  • Page 55 Enable MAC Security on the access ports; Enable traps upon violation
  • Page 56 3.3.2.2 Provisioning authorized servers: Assign authorized MACs to respective security lists
  • Page 58 3.3.2.3 Checking MAC Security operational status: Verify that MAC Security is globally enabled and on access ports; Verify the MAC Security Lists
  • Page 59 Note – From the FDB we can easily see which port has the Active NIC connected.
    3.3.3 Verifying server connectivity: Verify IP connectivity between the Router and the servers
      Router#% ping 30.0.0.121; ping 30.0.0.122
      30.0.0.121 is alive
      30.0.0.122 is alive
  • Page 60: Figure 10: Example 3; servers switch over to backup NIC
    Verify IP connectivity between the Router and the servers
      Router#% ping 30.0.0.121; ping 30.0.0.122
      30.0.0.121 is alive
      30.0.0.122 is alive
    Verify the FDB on the switch
      Avaya-ERS-Switch#% show mac-address-table vid 30
      Mac Address Table Aging Time: 300
      Learning Enabled Ports 1-26
      Number of addresses: 3
      MAC Address...
  • Page 61: Figure 11: Example 3; unauthorized device takes server standby NIC connection
      Type Time Src Message
      ---- ----------------------------- ---- --- -------
      01:05:54:13 Link Down Trap for Port: 8
      01:05:54:17 Link Up Trap for Port: 8
      01:05:54:21 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 8
      01:05:54:21 Trap: s5EtrNewSbsMacAccessViolation
  • Page 62 Verify traps on Management station (e.g. VPFM or COM)
  • Page 63: 3.4 Achieving MAC based VLANs using MAC Security
    The Avaya modular ERS8800 and VSP9000 products support MAC based VLANs but the Avaya stackable range does not. This example demonstrates how MAC Security can be used to achieve the same functionality as MAC based VLANs on the stackable product ranges.
  • Page 64 (MAC Security MAC table, continued)
      ---- ---- ------------------- ---------
      00-0F-B5-08-2F-BB Static
      00-0F-B5-08-32-9F Static
      00-C0-95-C8-FF-12 Static
      00-C0-95-C8-9A-62 Static
      Security List Allowed MAC Address Type
      ------------- ------------------- ---------
    Note – The MACs have been learnt against the ethernet ports.
  • Page 65 In a text editor, replace all occurrences of "port 1-10" with "security-list 1" and "port 11-20" with "security-list 2"
    File maclist.txt before:
      configure terminal
      mac-security mac-address-table address 00.0f.b5.08.2f.bb port 1
      mac-security mac-address-table address 00.0f.b5.08.32.9f port 2
      mac-security mac-address-table address 00.c0.95.c8.ff.12 port 11
      mac-security mac-address-table address 00.c0.95.c8.9a.62 port 12
  • Page 66 ... MAC addresses auto-learned on ports will not be deleted
    Copy the maclist.txt file onto a TFTP server and inject it to the switch
      Avaya-ERS-Switch# configure network address 47.162.221.2 filename maclist.txt
      Downloading Config File [|]Downloaded file successfully, executing . . .
  • Page 67 (per-port status table: only alternating Enabled/Disabled column values were captured; port numbers and column headers are missing)
  • Page 68 (MAC Security MAC table, continued)
      ... Static
      00-0F-B5-08-32-9F Static
      00-C0-95-C8-9A-62 Static
      00-C0-95-C8-FF-12 Static
    Verify the FDB on the switch
      Avaya-ERS-Switch#% show mac-address-table vid 30
      Mac Address Table Aging Time: 300
      Learning Enabled Ports 1-26
      Number of addresses: 3
      MAC Address Type Source
      ----------------- ---- ------- -------...
  • Page 69 (ping output, continued)
      40.0.0.121 is alive
      40.0.0.122 is alive
    Move the end-station to alternative ports in the same VLAN
    Verify the FDB on the switch
      Avaya-ERS-Switch#% show mac-address-table vid 30
      Mac Address Table Aging Time: 300
      Learning Enabled Ports 1-26
      Number of addresses: 3...
  • Page 70: Figure 13: Example 4; unauthorized MAC
    ... VLAN 30; if this is undesired, MAC Security should be configured to partition the port upon an access violation.
    Verify log file on switch
      Avaya-ERS-Switch# show log
      Type Time Src Message
  • Page 71 (log output, continued)
      01:07:21:46 Link Up Trap for Port: 5
      01:07:21:51 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 5
      01:07:21:51 Trap: s5EtrNewSbsMacAccessViolation
    Verify traps on Management station (e.g. VPFM or COM)
    Verify MAC Security violations from EDM
  • Page 72: Figure 14: Example 4; authorized MACs in wrong VLAN
    (log output, continued)
      ... Link Down Trap for Port: 13
      01:07:25:37 Link Up Trap for Port: 1
      01:07:25:42 Bay Secure intruder MAC 00-c0-95-c8-ff-12 port 1
      01:07:25:42 Trap: s5EtrNewSbsMacAccessViolation
      01:07:26:51 Bay Secure intruder MAC 00-0f-b5-08-32-9f port 12
      01:07:26:51 Trap: s5EtrNewSbsMacAccessViolation
  • Page 73 Verify IP connectivity between the Router and the end stations again
      Router#% ping 30.0.0.2; ping 40.0.0.3; ping 30.0.0.121; ping 40.0.0.122
      30.0.0.2 is alive
      no answer from 40.0.0.3
      no answer from 30.0.0.121
      40.0.0.122 is alive
  • Page 74: Auto-Learning with MaxMacs example
    ... MAC learnt on the port. Therefore in this example we will configure the ports to partition upon a MAC Security violation.
    4.1.1 Using ACLI
    4.1.1.1 Initial Switch configuration
    Globally enable MAC Security
      Avaya-ERS-Switch(config)# mac-security enable
  • Page 75 Enable Auto-Learning, MacMax=1 and MAC Security on the access ports
      Avaya-ERS-Switch(config)# interface FastEthernet 1-20
      Avaya-ERS-Switch(config-if)# mac-security auto-learning enable max-addrs 1
      Avaya-ERS-Switch(config-if)# mac-security enable
      Avaya-ERS-Switch(config-if)# exit
    Enable permanent partition of the port upon security violation
      Avaya-ERS-Switch# mac-security intrusion-detect forever ...
  • Page 76 (MAC Security MAC table, continued)
      Type
      ---- ---- ------------------- ---------
      00-0F-B5-08-2F-BB Automatic
      00-0F-B5-08-32-9F Automatic
      00-C0-95-C8-FF-12 Automatic
      00-C0-95-C8-9A-62 Automatic
      Security List Allowed MAC Address Type
      ------------- ------------------- ---------
    Verify the FDB on the switch
      Avaya-ERS-Switch# show mac-address-table vid 30
  • Page 77 (FDB output, continued)
      ... 30 Dynamic Port: 1
      00-0F-B5-08-32-9F 30 Dynamic Port: 2
      00-C0-95-C8-9A-62 30 Dynamic Port: 4
      00-C0-95-C8-FF-12 30 Dynamic Port: 3
      00-E0-16-57-6E-81 30 Dynamic Trunk:1
    4.1.2 Using EDM
    4.1.2.1 Initial Switch configuration: Globally enable MAC Security
  • Page 78 Enable Auto-Learning & MacMax=1 on access ports
  • Page 79 Enable MAC Security on the access ports; Enable permanent partition of the port upon security violation
  • Page 80 4.1.2.2 Checking MAC Security operational status: Verify that MAC Security is globally enabled and on access ports, with Security Action set to partitionPort
  • Page 81 Verify that Auto-Learn is enabled on the access ports and that MacMax is set to 1
  • Page 82 Verifying user connectivity: Verify IP connectivity between the Router and the end stations
      Router#% ping 30.0.0.2; ping 30.0.0.3; ping 30.0.0.121; ping 30.0.0.122
      30.0.0.2 is alive
      30.0.0.3 is alive
      30.0.0.121 is alive
      30.0.0.122 is alive
  • Page 83: Figure 16: Example 5; an unauthorized hub/switch is connected to the network
    (log output, continued)
      ... Link Up Trap for Port: 1
      16:01:57:12 Bay Secure: Exceeded 1 per-port MAC addresses on port 0/1
      16:01:57:12 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
      16:01:57:12 Link Down Trap for Port: 1
      16:01:57:12 Trap: s5EtrNewSbsMacAccessViolation
  • Page 84: Figure 17: Example 5; an unauthorized WLAN AP is connected to the network
    ... Port 5 is partitioned.
    Verify log file on switch
      Avaya-ERS-Switch# show log
      Type Time Src Message
      ---- ----------------------------- ---- --- -------
      16:02:04:50 Link Up Trap for Port: 5
      16:02:05:14 Bay Secure: Exceeded 1 per-port MAC ...
  • Page 85 (log output, continued)
      ... 0/5
      16:02:05:14 Bay Secure intruder MAC 00-16-6f-49-0f-16 port 5
      16:02:05:14 Link Down Trap for Port: 5
      16:02:05:14 Trap: s5EtrNewSbsMacAccessViolation
    Verify traps on Management station (e.g. VPFM or COM)
  • Page 86: Auto-Learning with Sticky-MAC example
    Enable Auto-Learning Sticky-MAC mode
      Avaya-ERS-Switch(config)# mac-security auto-learning sticky
    Enable Auto-Learning, MacMax=1 and MAC Security on the access ports
      Avaya-ERS-Switch(config)# interface FastEthernet 1-20
      Avaya-ERS-Switch(config-if)# mac-security auto-learning enable max-addrs 1
      Avaya-ERS-Switch(config-if)# mac-security enable
      Avaya-ERS-Switch(config-if)# exit
  • Page 87 Warning – Avaya recommends that autosave is disabled when Sticky-MAC is enabled. Otherwise the switch will be constantly saving the configuration when learning new MAC addresses in the MAC Security table. If autosave is disabled it is important to remember to manually save the config prior to any switch restart.
  • Page 88 (MAC Security MAC table, continued)
      00-C0-95-C8-FF-12 Sticky
      Security List Allowed MAC Address Type
      ------------- ------------------- ---------
    Verify the FDB on the switch
      Avaya-ERS-Switch# show mac-address-table vid 30
      Mac Address Table Aging Time: 300
      Learning Enabled Ports 1-26
      Number of addresses: 4
      MAC Address Type Source...
  • Page 89 (FDB output, continued)
      00-C0-95-C8-FF-12 30 Dynamic Port: 3
      00-E0-16-57-6E-81 30 Dynamic Trunk:1
    5.1.2 Using EDM
    5.1.2.1 Initial Switch configuration: Globally enable MAC Security
  • Page 90 Enable Auto-Learning Sticky-MAC mode
  • Page 91 Enable Auto-Learning & MacMax=1 on access ports
  • Page 92 Enable MAC Security on the access ports; Enable traps upon violation
  • Page 93 5.1.2.2 Checking MAC Security operational status: Verify that MAC Security is globally enabled and on access ports, Sticky-MAC mode enabled and Security Action set to trap
  • Page 94 Verify that Auto-Learn is enabled on the access ports and that MacMax is set to 1
  • Page 95 Verify IP connectivity between the Router and the end stations
      Router#% ping 30.0.0.2; ping 30.0.0.3; ping 30.0.0.121
      30.0.0.2 is alive
      30.0.0.3 is alive
      30.0.0.121 is alive
    Verify the resulting switch config
      Avaya-ERS-Switch# show running-config
  • Page 96 (running-config excerpt, continued)
      ... 16 max-addrs 1
      mac-security auto-learning port 17 max-addrs 1
      mac-security auto-learning port 18 max-addrs 1
      mac-security auto-learning port 19 max-addrs 1
      mac-security auto-learning port 20 max-addrs 1
      exit
      mac-security enable
      mac-security auto-learning sticky
  • Page 97: Figure 19: Example 6; a new device is added to the network
    Verify the MAC Security MAC table; make sure the MAC of the new device on port 4 is added to the list
      Avaya-ERS-Switch# show mac-security mac-address-table
      Number of addresses: 4
      Unit Port Allowed MAC Address Type
      ---- ---- ------------------- ---------
      00-0F-B5-08-2F-BB Sticky
      00-0F-B5-08-32-9F Sticky
      00-C0-95-C8-FF-12 Sticky
      00-C0-95-C8-9A-62 Sticky
  • Page 98 (MAC Security MAC table, continued)
      Security List Allowed MAC Address Type
      ------------- ------------------- ---------
    Verify the FDB on the switch
      Avaya-ERS-Switch# show mac-address-table vid 30
      Mac Address Table Aging Time: 300
      Learning Enabled Ports 1-26
      Number of addresses: 5
      MAC Address Type Source
      ----------------- ---- ------- -------...
  • Page 99 (running-config excerpt)
      ! Model = Ethernet Routing Switch 4826GTS-PWR+
      ! Software version = v5.6.1.053
      ! Displaying only parameters different to default
      !================================================
      enable
      configure terminal
      [...]
      ! *** MAC-Based Security ***
      interface FastEthernet ALL
      mac-security port 1-20 enable
  • Page 100 Note – If AutoSave is disabled on the switch (which is recommended with MAC Security Auto-Learning and Sticky-MAC) then the network administrator must ensure that the config is saved before rebooting the switch (otherwise newly added Sticky MACs will be lost over a reboot).
  • Page 101: Figure 20: Example 6; unauthorized MAC on provisioned port
    (log output, continued)
      ... Link Down Trap for Port: 1
      16:02:19:51 Link Up Trap for Port: 1
      16:02:19:55 Bay Secure: Exceeded 1 per-port MAC addresses on port 0/1
      16:02:19:55 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
      16:02:19:55 Trap: s5EtrNewSbsMacAccessViolation
  • Page 102 Verify traps on Management station (e.g. VPFM or COM); Verify MAC Security violations from EDM
  • Page 103: Figure 21: Example 6; unauthorized MAC sharing connection with authorized MAC
    (log output, continued)
      ... Link Down Trap for Port: 1
      16:02:24:30 Link Up Trap for Port: 1
      16:02:24:41 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
      16:02:24:41 Trap: s5EtrNewSbsMacAccessViolation
    Verify traps on Management station (e.g. VPFM or COM)
  • Page 104 (ping output, continued)
      30.0.0.122 is alive
      no answer from 30.0.0.144
    Tip – If the network administrator prefers to disable ethernet port 1 in this scenario, it is sufficient to configure the port partitioning security action upon violation.
  • Page 106: Figure 22: Example 6; unauthorized MAC moving to a different port
    (log output, continued)
      ... 1 address is Locked on port 2
      16:02:29:00 Trap: s5EtrNewSbsMacAccessViolation
      16:02:29:05 Bay Secure: Exceeded 1 per-port MAC addresses on port 0/2
      16:02:29:05 Bay Secure intruder MAC 00-0f-b5-08-2f-bb port 2 address is Locked on port 1
      16:02:29:05 Trap: s5EtrNewSbsMacAccessViolation
  • Page 107 Note that the authorized devices cannot communicate on the wrong ethernet port
      Router#% ping 30.0.0.2; ping 30.0.0.3; ping 30.0.0.121; ping 30.0.0.122
      no answer from 30.0.0.2
      no answer from 30.0.0.3
      30.0.0.121 is alive
      30.0.0.122 is alive
  • Page 108 © 2012 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and other countries. All trademarks identified by ®, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.
