Ethernet Routing Switch • ERS 2500 • ERS 3500 • ERS 4500/4800 • ERS 5500/5600
Virtual Services Platform • VSP 7000
Engineering > MAC Address Based Security Technical Configuration Guide
Avaya Data Solutions
Document Date: July 2012
Document Number: NN48500-601...
Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support
Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/...
Revision history (Date / Author / Remarks)
1 Aug 2008 / V. Ganjian / Initial draft document release
22 Nov 2010 / K. Marshall / Rebranded Avaya
September 2012 / L. Stevens / Complete re-write
24 Sept 2012 / L. Stevens / Incorporated review changes from JVE
Avaya Inc. – Internal Distribution November 2010...
Ensuring that every access port is used by one and only one device .... 74
Auto-Learning with Sticky-MAC example .... 86
MAC Security without having to pre-provision ports when new devices added .... 86
Figure 22: Example 6; unauthorized MAC moving to a different port .... 106
Tables
Table 1: MAC Security support across Avaya switch family types .... 7
Table 2: MAC Security capability vs. mode matrix .... 10
Table 3: MAC Security config commands vs. mode matrix .... 11
Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command:
ERS5520-48T# show running-config
Output examples from Avaya devices are displayed in a Lucida Console font:
ERS5520-48T# show sys-info
Operation Mode:...
10.2.0 SW / MAC Security port lock-out enhancement
Table 1: MAC Security support across Avaya switch family types
This document focuses on the full capabilities of the MAC Security feature regardless of stackable switch family type, i.e. it assumes a software release greater than or equal to the last one shown in the table above.
Upon a violation it is possible to define additional security actions. These can be specified as any combination of the following:
• No additional action
• Generate a Trap
• Partition the Port
... from receiving VLAN traffic: Yes (with Security Action set to Partition) in each of the three mode columns
Limit the number of devices allowed to use an ethernet ...
Yes (using a Security-List)
... move across a specified range of MAC Security enabled ports
List of authorized MACs is saved to config and preserved upon switch restart
Table 2: MAC Security capability vs. mode matrix
... 802.1X supplicant. Although not explored as part of this configuration guide, NEAP is another option for authenticating connecting devices based on MAC address.
All the examples covered use the same base configuration setup shown in the following figure. Figure 1: Base setup For simplicity the Avaya ERS Switch is configured as a simple access layer 2 switch with no IP routing. A separate IP router acts as default gateway for the end stations. However the same configuration examples covered in this document would also work in configurations where the Avaya ERS Switch is acting as an IP router.
Using ACLI
Enable Port lock-out for MLT uplink ports 23-24
Avaya-ERS-Switch(config)# interface FastEthernet 23-24
Avaya-ERS-Switch(config-if)# mac-security lock-out
Avaya-ERS-Switch(config-if)# exit
Checking Port lock-out for MLT uplink ports 23-24
Avaya-ERS-Switch# show mac-security port 23-24
Port Trunk Security Auto-Learning MAC Number Security Locked-out...
2.1.2 Using EDM
Enable Port lock-out for MLT uplink ports 23-24
Now it will no longer be possible to modify MAC Security from EDM (via COM); any attempt to do so will result in an error. The MAC Security configuration can, however, still be viewed from COM.
... MAC Security configuration. Web access on the switch should in any case be disabled for security reasons.
Disable web access (HTTP & HTTPS) to the switch (EDM on-box)
Avaya-ERS-Switch(config)# web-server disable
On older software versions you can enable traps upon violation; in more recent software versions the traps are generated automatically and this command no longer exists.
Avaya-ERS-Switch(config)# mac-security snmp-trap
3.1.1.2 Provisioning authorized users
Assign authorized MACs to respective access ports
Avaya-ERS-Switch(config)# mac-security mac-address-table address 00-0F-B5-08-2F-BB port 1
Avaya-ERS-Switch(config)# mac-security mac-address-table address 00-0F-B5-08-32-9F port 2
Avaya-ERS-Switch(config)# mac-security mac-address-table address 00-C0-95-C8-FF-12 port 3
Avaya-ERS-Switch(config)# mac-security mac-address-table address 00-C0-95-C8-9A-62 port 4
3.1.1.3 Checking MAC Security operational status...
00-C0-95-C8-9A-62 Static
Security List Allowed MAC Address Type
------------- ------------------- ---------
Verify the FDB on the switch
Avaya-ERS-Switch# show mac-address-table vid 30
Mac Address Table Aging Time: 300
Learning Enabled Ports 1-26
Number of addresses: 5
MAC Address Type Source ...
00-C0-95-C8-9A-62 30 Dynamic Port: 4
00-C0-95-C8-FF-12 30 Dynamic Port: 3
00-E0-16-57-6E-81 30 Dynamic Trunk:1
3.1.2 Using EDM
3.1.2.1 Initial Switch configuration
Globally enable MAC Security
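The two outputs above (the MAC Security table and the FDB) are what an operator compares by eye after provisioning. The following script is an added example, not part of the Avaya guide: it parses both outputs as they appear on this page and reports authorized MACs that are missing from the FDB, authorized MACs seen on a port other than the one they are provisioned on, and dynamically learnt MACs on access ports that are not in the authorized table. It is useful during the learning phase (section 3.2) before ports are locked down, and as a periodic drift check afterwards. The sample outputs are constructed from the page's tables; the column layout (a port column, with the unit column optional on a standalone switch) and the access-port range 1-20 are assumptions, so the regexes may need adjusting for a real switch.

```python
"""Cross-check `show mac-security mac-address-table` against the switch FDB.

Added example; not from the Avaya guide. Sample output below is constructed
from the page's tables (unit column assumed absent on a standalone switch).
"""
import re

MAC = r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"
# "<unit> <port> <mac> <type>" with the unit optional, e.g. "   1 00-0F-B5-08-2F-BB   Static"
SEC_ROW = re.compile(rf"^\s*(?:(\d+)\s+)?(\d+)\s+({MAC})\s+(\w+)\s*$")
# "<mac> <vid> <type> Port: <n>" or "<mac> <vid> <type> Trunk:<n>"
FDB_ROW = re.compile(rf"^\s*({MAC})\s+(\d+)\s+(\w+)\s+(Port|Trunk):\s*(\d+)\s*$")

# Constructed sample of the authorized table (shape of section 3.1.1.3).
MAC_SEC_TABLE = """\
Number of addresses: 4
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------
        1 00-0F-B5-08-2F-BB   Static
        2 00-0F-B5-08-32-9F   Static
        3 00-C0-95-C8-FF-12   Static
        4 00-C0-95-C8-9A-62   Static
"""

# Constructed sample FDB: the four stations on their ports, router MAC on the MLT.
FDB_OK = """\
Mac Address Table Aging Time: 300
Learning Enabled Ports 1-26
Number of addresses: 5
MAC Address       VID Type    Source
----------------- --- ------- -------
00-0F-B5-08-2F-BB  30 Dynamic Port: 1
00-0F-B5-08-32-9F  30 Dynamic Port: 2
00-C0-95-C8-9A-62  30 Dynamic Port: 4
00-C0-95-C8-FF-12  30 Dynamic Port: 3
00-E0-16-57-6E-81  30 Dynamic Trunk:1
"""

# Constructed drift case: the two PCs cabled to each other's ports and an
# unknown device on port 5 (the situations the page's violation examples show).
FDB_DRIFT = """\
Mac Address Table Aging Time: 300
Learning Enabled Ports 1-26
Number of addresses: 6
MAC Address       VID Type    Source
----------------- --- ------- -------
00-0F-B5-08-2F-BB  30 Dynamic Port: 2
00-0F-B5-08-32-9F  30 Dynamic Port: 1
00-C0-95-C8-9A-62  30 Dynamic Port: 4
00-C0-95-C8-FF-12  30 Dynamic Port: 3
00-E0-16-57-6E-81  30 Dynamic Trunk:1
00-E0-4C-77-67-01  30 Dynamic Port: 5
"""


def parse_mac_security(text):
    """Return {MAC: port} for port-based entries (security-list rows are not parsed)."""
    allowed = {}
    for line in text.splitlines():
        m = SEC_ROW.match(line)
        if m:
            allowed[m.group(3).upper()] = int(m.group(2))
    return allowed


def parse_fdb(text):
    """Return [(MAC, vid, type, 'Port'|'Trunk', number)] for each FDB row."""
    rows = []
    for line in text.splitlines():
        m = FDB_ROW.match(line)
        if m:
            mac, vid, typ, kind, num = m.groups()
            rows.append((mac.upper(), int(vid), typ, kind, int(num)))
    return rows


def compare(allowed, fdb, access_ports):
    """Report drift between the authorized table and what the switch actually learnt."""
    seen = {mac: (kind, num) for mac, _vid, _typ, kind, num in fdb}
    missing = sorted(mac for mac in allowed if mac not in seen)
    moved = sorted((mac, port, seen[mac][1]) for mac, port in allowed.items()
                   if mac in seen and seen[mac] != ("Port", port))
    unauthorized = sorted((mac, num) for mac, (kind, num) in seen.items()
                          if kind == "Port" and num in access_ports and mac not in allowed)
    return {"missing": missing, "moved": moved, "unauthorized": unauthorized}


if __name__ == "__main__":
    allowed = parse_mac_security(MAC_SEC_TABLE)
    for name, fdb_text in (("baseline", FDB_OK), ("drift", FDB_DRIFT)):
        print(name, compare(allowed, parse_fdb(fdb_text), set(range(1, 21))))
```

On a live switch the two texts would come from the ACLI session output; MACs on trunk (MLT) sources are deliberately ignored because those ports are locked out of MAC Security rather than secured.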
Enable MAC Security on the access ports
Enable traps upon violation
3.1.2.2 Provisioning authorized users
Assign authorized MACs to respective access ports
3.1.2.3 Checking MAC Security operational status
Verify that MAC Security is globally enabled and on access ports
Verifying user connectivity
Verify IP connectivity between the Router and the end stations
Router#% ping 30.0.0.2; ping 30.0.0.3; ping 30.0.0.121; ping 30.0.0.122
30.0.0.2 is alive
30.0.0.3 is alive
30.0.0.121 is alive
30.0.0.122 is alive
Verify log file on switch
Avaya-ERS-Switch# show log
Type Time Src Message
---- ----------------------------- ---- --- -------
00:05:53:48 Link Up Trap for Port: 5
00:05:53:52 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 5
00:05:53:52 Trap: s5EtrNewSbsMacAccessViolation
Verify traps on Management station (e.g. VPFM or COM)
Verify MAC Security violations from EDM
Type Time Src Message
---- ----------------------------- ---- --- -------
00:06:12:15 Link Down Trap for Port: 1
00:06:12:17 Link Up Trap for Port: 1
00:06:12:21 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
00:06:12:21 Trap: s5EtrNewSbsMacAccessViolation
Verify traps on Management station (e.g. VPFM or COM)
Verify MAC Security violations from EDM
Type Time Src Message
---- ----------------------------- ---- --- -------
00:06:24:58 Link Down Trap for Port: 1
00:06:25:01 Link Up Trap for Port: 1
00:06:25:05 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
00:06:25:05 Trap: s5EtrNewSbsMacAccessViolation
30.0.0.122 is alive
no answer from 30.0.0.144
Tip – If the network administrator prefers that ethernet port 1 be disabled in this scenario, it is sufficient to configure the port-partition security action upon violation.
Link Up Trap for Port: 1
00:06:37:49 Link Up Trap for Port: 2
00:06:37:53 Bay Secure intruder MAC 00-0f-b5-08-2f-bb port 2
00:06:37:53 Trap: s5EtrNewSbsMacAccessViolation
00:06:37:55 Bay Secure intruder MAC 00-0f-b5-08-32-9f port 1
00:06:37:55 Trap: s5EtrNewSbsMacAccessViolation
Note that the authorized devices cannot communicate on the wrong ethernet port
Router#% ping 30.0.0.2; ping 30.0.0.3; ping 30.0.0.121; ping 30.0.0.122
no answer from 30.0.0.2
no answer from 30.0.0.3
30.0.0.121 is alive
30.0.0.122 is alive
Note – There is an alternative syntax for enabling learning on the port interfaces:
Avaya-ERS-Switch(config)# interface FastEthernet 1-20
Avaya-ERS-Switch(config-if)# mac-security learning
Avaya-ERS-Switch(config-if)# exit
Verify that MAC Security learning mode is enabled
Avaya-ERS-Switch#% show mac-security config
MAC Address Security: Enabled
MAC Address Security SNMP-Locked: Disabled
Once satisfied that all MACs have been recorded, we can proceed to lock these down and activate MAC Security on the access ports.
Disable MAC Security learning mode
Avaya-ERS-Switch(config)# mac-security learning disable
Enable MAC Security on the access ports
Avaya-ERS-Switch(config)# interface FastEthernet 1-20
Avaya-ERS-Switch(config-if)# mac-security enable
Avaya-ERS-Switch(config-if)# exit
00-C0-95-C8-FF-12 Static
Security List Allowed MAC Address Type
------------- ------------------- ---------
Verify the FDB on the switch
Avaya-ERS-Switch# show mac-address-table vid 30
Mac Address Table Aging Time: 300
Learning Enabled Ports 1-26
Number of addresses: 4
MAC Address Type Source...
3.2.2 Using EDM
3.2.2.1 Initial Switch configuration
Globally enable MAC Security
Enable learning on the access ports
View recorded MACs so far
Once satisfied that all MACs have been recorded, we can proceed to lock these down and activate MAC Security on the access ports.
Disable MAC Security learning mode
Note – There is no need to clear the ports under PortLearnStatus; after reverting SecurityMode back to macList all ports under PortLearnStatus will be cleared anyway.
Enable MAC Security on the access ports
Enable traps upon violation
3.2.2.2 Checking MAC Security operational status
Verify that MAC Security is globally enabled and on access ports
Verify the authorized MAC addresses appear in the MAC Security MAC table
! Model = Ethernet Routing Switch 4826GTS-PWR+
! Software version = v5.6.1.053
! Displaying only parameters different to default
!================================================
enable
configure terminal
[...]
! *** MAC-Based Security ***
interface FastEthernet ALL
mac-security port 1-20 enable
Verify log file on switch
Avaya-ERS-Switch# show log
Type Time Src Message
---- ----------------------------- ---- --- -------
01:01:07:23 Link Up Trap for Port: 4
01:01:07:28 Bay Secure intruder MAC 00-c0-95-c8-9a-62 port 4
01:01:07:28 Trap: s5EtrNewSbsMacAccessViolation
Wait for the new MAC to be learnt on port 4
Avaya-ERS-Switch(config)# show mac-security mac-address-table
Number of addresses: 4
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------
00-0F-B5-08-2F-BB Static
00-0F-B5-08-32-9F Static
00-C0-95-C8-FF-12 Static
00-C0-95-C8-9A-62 Static
Re-enable MAC Security on port 4
Avaya-ERS-Switch(config)# interface FastEthernet 4
Avaya-ERS-Switch(config-if)# mac-security enable
Avaya-ERS-Switch(config-if)# exit
The new user is now securely added to the network.
3.2.4.2 Using EDM
Temporarily disable MAC Security on port 4
Wait for the new MAC to be learnt on port 4
Warning – Ensure that only one MAC address, and the correct one, has been learnt against port 4.
We can now proceed to re-enable MAC Security on port 4
Disable MAC Security learning mode
Note – There is no need to clear the ports under PortLearnStatus; after reverting SecurityMode back to macList all ports under PortLearnStatus will be cleared anyway.
Re-enable MAC Security on port 4
The new user is now securely added to the network.
3.2.4.3 Checking connectivity
Verify IP connectivity between the Router and the end stations
Router#% ping 30.0.0.122
30.0.0.122 is alive
3.3.1 Using ACLI
3.3.1.1 Initial Switch configuration
Create the Security Lists (one for each server)
Avaya-ERS-Switch(config)# mac-security security-list 1 7-8
Avaya-ERS-Switch(config)# mac-security security-list 2 9-10
Note – Up to 32 Security Lists can be created.
Globally enable MAC Security...
Security List 2: 9-10
Security List 3: NONE
Security List 4: NONE
Security List 5: NONE
Security List 6: NONE
Security List 7: NONE
Security List 8: NONE
Security List 9: NONE
Security List 10: NONE
Avaya-ERS-Switch# show mac-security port
Port Trunk Security Auto-Learning MAC Number
---- ----- -------- ------------- ----------
Enabled Disabled
Enabled Disabled
Enabled Disabled
Enabled Disabled
Enabled Disabled
Enabled Disabled
Enabled Disabled
Enabled Disabled
Enabled Disabled
Enabled Disabled
Type
------------- ------------------- ---------
00-C0-95-C8-9A-62 Static
00-C0-95-C8-FF-12 Static
Verify the FDB on the switch
Avaya-ERS-Switch# show mac-address-table vid 30
Mac Address Table Aging Time: 300
Learning Enabled Ports 1-26
Number of addresses: 3
MAC Address Type Source
----------------- ---- ------- -------...
... 30 Dynamic Trunk:1
Note – From the FDB we can easily see which port has the Active NIC connected.
3.3.2 Using EDM
3.3.2.1 Initial Switch configuration
Create the Security Lists (one for each server)
Note – Up to 32 Security Lists can be created.
Globally enable MAC Security
Enable MAC Security on the access ports
Enable traps upon violation
3.3.2.2 Provisioning authorized servers
Assign authorized MACs to respective security lists
3.3.2.3 Checking MAC Security operational status
Verify that MAC Security is globally enabled and on access ports
Verify the MAC Security Lists
Note – From the FDB we can easily see which port has the Active NIC connected.
3.3.3 Verifying server connectivity
Verify IP connectivity between the Router and the servers
Router#% ping 30.0.0.121; ping 30.0.0.122
30.0.0.121 is alive
30.0.0.122 is alive
Verify IP connectivity between the Router and the servers
Router#% ping 30.0.0.121; ping 30.0.0.122
30.0.0.121 is alive
30.0.0.122 is alive
Verify the FDB on the switch
Avaya-ERS-Switch#% show mac-address-table vid 30
Mac Address Table Aging Time: 300
Learning Enabled Ports 1-26
Number of addresses: 3
MAC Address...
Type Time Src Message
---- ----------------------------- ---- --- -------
01:05:54:13 Link Down Trap for Port: 8
01:05:54:17 Link Up Trap for Port: 8
01:05:54:21 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 8
01:05:54:21 Trap: s5EtrNewSbsMacAccessViolation
Verify traps on Management station (e.g. VPFM or COM)
3.4 Achieving MAC based VLANs using MAC Security The Avaya modular ERS8800 and VSP9000 products support MAC based VLANs but the Avaya stackable range does not. This example demonstrates how MAC Security can be used to achieve the same functionality as MAC based VLANs on the stackable product ranges.
---- ---- ------------------- ---------
00-0F-B5-08-2F-BB Static
00-0F-B5-08-32-9F Static
00-C0-95-C8-FF-12 Static
00-C0-95-C8-9A-62 Static
Security List Allowed MAC Address Type
------------- ------------------- ---------
Note – The MACs have been learnt against the ethernet ports.
In a text editor, replace every "port N" for N in 1-10 with "security-list 1", and every "port N" for N in 11-20 with "security-list 2".
File maclist.txt before:
configure terminal
mac-security mac-address-table address 00.0f.b5.08.2f.bb port 1
mac-security mac-address-table address 00.0f.b5.08.32.9f port 2
mac-security mac-address-table address 00.c0.95.c8.ff.12 port 11
mac-security mac-address-table address 00.c0.95.c8.9a.62 port 12
MAC addresses auto-learned on ports will not be deleted
Copy the maclist.txt file onto a TFTP server and inject it into the switch
Avaya-ERS-Switch# configure network address 47.162.221.2 filename maclist.txt
Downloading Config File [|]
Downloaded file successfully, executing . . .
Static
00-0F-B5-08-32-9F Static
00-C0-95-C8-9A-62 Static
00-C0-95-C8-FF-12 Static
Verify the FDB on the switch
Avaya-ERS-Switch#% show mac-address-table vid 30
Mac Address Table Aging Time: 300
Learning Enabled Ports 1-26
Number of addresses: 3
MAC Address Type Source
----------------- ---- ------- -------...
40.0.0.121 is alive
40.0.0.122 is alive
Move the end-station to alternative ports in the same VLAN
Verify the FDB on the switch
Avaya-ERS-Switch#% show mac-address-table vid 30
Mac Address Table Aging Time: 300
Learning Enabled Ports 1-26
Number of addresses: 3...
... VLAN 30; if this is undesired, MAC Security should be configured to partition the port upon an access violation.
Verify log file on switch
Avaya-ERS-Switch# show log
Type Time Src Message
01:07:21:46 Link Up Trap for Port: 5
01:07:21:51 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 5
01:07:21:51 Trap: s5EtrNewSbsMacAccessViolation
Verify traps on Management station (e.g. VPFM or COM)
Verify MAC Security violations from EDM
Link Down Trap for Port: 13
01:07:25:37 Link Up Trap for Port: 1
01:07:25:42 Bay Secure intruder MAC 00-c0-95-c8-ff-12 port 1
01:07:25:42 Trap: s5EtrNewSbsMacAccessViolation
01:07:26:51 Bay Secure intruder MAC 00-0f-b5-08-32-9f port 12
01:07:26:51 Trap: s5EtrNewSbsMacAccessViolation
Verify IP connectivity between the Router and the end stations again
Router#% ping 30.0.0.2; ping 40.0.0.3; ping 30.0.0.121; ping 40.0.0.122
30.0.0.2 is alive
no answer from 40.0.0.3
no answer from 30.0.0.121
40.0.0.122 is alive
... MAC learnt on the port. Therefore in this example we will configure the ports to partition upon a MAC Security violation.
4.1.1 Using ACLI
4.1.1.1 Initial Switch configuration
Globally enable MAC Security
Avaya-ERS-Switch(config)# mac-security enable
Enable Auto-Learning, MacMax=1 and MAC Security on the access ports
Avaya-ERS-Switch(config)# interface FastEthernet 1-20
Avaya-ERS-Switch(config-if)# mac-security auto-learning enable max-addrs 1
Avaya-ERS-Switch(config-if)# mac-security enable
Avaya-ERS-Switch(config-if)# exit
Enable permanent partition of the port upon security violation
Avaya-ERS-Switch# mac-security intrusion-detect forever ...
Type
---- ---- ------------------- ---------
00-0F-B5-08-2F-BB Automatic
00-0F-B5-08-32-9F Automatic
00-C0-95-C8-FF-12 Automatic
00-C0-95-C8-9A-62 Automatic
Security List Allowed MAC Address Type
------------- ------------------- ---------
Verify the FDB on the switch
Avaya-ERS-Switch# show mac-address-table vid 30
... 30 Dynamic Port: 1
00-0F-B5-08-32-9F 30 Dynamic Port: 2
00-C0-95-C8-9A-62 30 Dynamic Port: 4
00-C0-95-C8-FF-12 30 Dynamic Port: 3
00-E0-16-57-6E-81 30 Dynamic Trunk:1
4.1.2 Using EDM
4.1.2.1 Initial Switch configuration
Globally enable MAC Security
Enable Auto-Learning & MacMax=1 on access ports
Enable MAC Security on the access ports
Enable permanent partition of the port upon security violation
4.1.2.2 Checking MAC Security operational status
Verify that MAC Security is globally enabled and on access ports, and with Security Action set to partitionPort
Verify that Auto-Learn is enabled on the access ports and that MacMax is set to 1
Verifying user connectivity
Verify IP connectivity between the Router and the end stations
Router#% ping 30.0.0.2; ping 30.0.0.3; ping 30.0.0.121; ping 30.0.0.122
30.0.0.2 is alive
30.0.0.3 is alive
30.0.0.121 is alive
30.0.0.122 is alive
Link Up Trap for Port: 1
16:01:57:12 Bay Secure: Exceeded 1 per-port MAC addresses on port 0/1
16:01:57:12 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
16:01:57:12 Link Down Trap for Port: 1
16:01:57:12 Trap: s5EtrNewSbsMacAccessViolation
Port 5 is partitioned.
Verify log file on switch
Avaya-ERS-Switch# show log
Type Time Src Message
---- ----------------------------- ---- --- -------
16:02:04:50 Link Up Trap for Port: 5
16:02:05:14 Bay Secure: Exceeded 1 per-port MAC addresses on port 0/5
16:02:05:14 Bay Secure intruder MAC 00-16-6f-49-0f-16 port 5
16:02:05:14 Link Down Trap for Port: 5
16:02:05:14 Trap: s5EtrNewSbsMacAccessViolation
Verify traps on Management station (e.g. VPFM or COM)
Enable Auto-Learning Sticky-MAC mode
Avaya-ERS-Switch(config)# mac-security auto-learning sticky
Enable Auto-Learning, MacMax=1 and MAC Security on the access ports
Avaya-ERS-Switch(config)# interface FastEthernet 1-20
Avaya-ERS-Switch(config-if)# mac-security auto-learning enable max-addrs 1
Avaya-ERS-Switch(config-if)# mac-security enable
Avaya-ERS-Switch(config-if)# exit
Warning – Avaya recommends that autosave is disabled when Sticky-MAC is enabled. Otherwise the switch will be constantly saving the configuration when learning new MAC addresses in the MAC Security table. If autosave is disabled it is important to remember to manually save the config prior to any switch restart.
00-C0-95-C8-FF-12 Sticky
Security List Allowed MAC Address Type
------------- ------------------- ---------
Verify the FDB on the switch
Avaya-ERS-Switch# show mac-address-table vid 30
Mac Address Table Aging Time: 300
Learning Enabled Ports 1-26
Number of addresses: 4
MAC Address Type Source...
00-C0-95-C8-FF-12 30 Dynamic Port: 3
00-E0-16-57-6E-81 30 Dynamic Trunk:1
5.1.2 Using EDM
5.1.2.1 Initial Switch configuration
Globally enable MAC Security
Enable Auto-Learning Sticky-MAC mode
Enable Auto-Learning & MacMax=1 on access ports
Enable MAC Security on the access ports
Enable traps upon violation
5.1.2.2 Checking MAC Security operational status
Verify that MAC Security is globally enabled and on access ports, Sticky-MAC mode enabled and Security Action set to trap
Verify that Auto-Learn is enabled on the access ports and that MacMax is set to 1
Verify IP connectivity between the Router and the end stations
Router#% ping 30.0.0.2; ping 30.0.0.3; ping 30.0.0.121
30.0.0.2 is alive
30.0.0.3 is alive
30.0.0.121 is alive
Verify the resulting switch config
Avaya-ERS-Switch# show running-config
... 16 max-addrs 1
mac-security auto-learning port 17 max-addrs 1
mac-security auto-learning port 18 max-addrs 1
mac-security auto-learning port 19 max-addrs 1
mac-security auto-learning port 20 max-addrs 1
exit
mac-security enable
mac-security auto-learning sticky
Verify the MAC Security MAC table; make sure the MAC of the new device on port 4 is added to the list
Avaya-ERS-Switch# show mac-security mac-address-table
Number of addresses: 4
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------
00-0F-B5-08-2F-BB Sticky
00-0F-B5-08-32-9F Sticky
00-C0-95-C8-FF-12 Sticky
00-C0-95-C8-9A-62 Sticky
Security List Allowed MAC Address Type
------------- ------------------- ---------
Verify the FDB on the switch
Avaya-ERS-Switch# show mac-address-table vid 30
Mac Address Table Aging Time: 300
Learning Enabled Ports 1-26
Number of addresses: 5
MAC Address Type Source
----------------- ---- ------- -------...
! Model = Ethernet Routing Switch 4826GTS-PWR+
! Software version = v5.6.1.053
! Displaying only parameters different to default
!================================================
enable
configure terminal
[...]
! *** MAC-Based Security ***
interface FastEthernet ALL
mac-security port 1-20 enable
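The running-config excerpts shown in this guide (the "*** MAC-Based Security ***" block with "mac-security port 1-20 enable", the per-port "mac-security auto-learning port N max-addrs 1" lines, and the global "mac-security enable" / "mac-security auto-learning sticky" lines) are what a configuration audit would check against policy. The following script is an added example, not part of the Avaya guide: it parses a running-config fragment of that shape and reports MAC Security not globally enabled, access ports left unsecured, access ports without max-addrs 1 when auto-learning is expected, and any uplink/MLT port that has MAC Security enabled (the guide locks those out instead). The access-port range 1-20 and uplinks 23-24 are the page's example; the port-list syntax accepted (ranges and comma lists, no unit/port form) and the sample config are assumptions.

```python
"""Audit the MAC Security section of an ERS `show running-config`.

Added example; not from the Avaya guide. The sample below is constructed
in the shape of the page's sticky-MAC running-config excerpt.
"""
import re

ACCESS_PORTS = set(range(1, 21))   # page's example: ports 1-20 are access ports
UPLINK_PORTS = {23, 24}            # page's example: MLT uplinks, to be locked out

PORT_ENABLE = re.compile(r"^\s*mac-security port (\S+) enable\s*$")
AUTO_LEARN = re.compile(r"^\s*mac-security auto-learning port (\S+) max-addrs (\d+)\s*$")

# Constructed sample (assumption: line shapes taken from the page's excerpt).
RUNNING_CONFIG = (
    "! *** MAC-Based Security ***\n"
    "interface FastEthernet ALL\n"
    "mac-security port 1-20 enable\n"
    + "".join(f"mac-security auto-learning port {p} max-addrs 1\n" for p in range(1, 21))
    + "exit\n"
    "mac-security enable\n"
    "mac-security auto-learning sticky\n"
)


def parse_port_spec(spec):
    """'1-20' or '1,3,5-7' -> set of port numbers (unit/port forms are not handled)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit(config, access_ports=ACCESS_PORTS, uplink_ports=UPLINK_PORTS,
          expect_auto_learning=True):
    """Return a list of findings; an empty list means the fragment matches the intended policy."""
    secured, max_addrs, globally_on = set(), {}, False
    for line in config.splitlines():
        if line.strip() == "mac-security enable":
            globally_on = True
        elif m := PORT_ENABLE.match(line):
            secured |= parse_port_spec(m.group(1))
        elif m := AUTO_LEARN.match(line):
            for p in parse_port_spec(m.group(1)):
                max_addrs[p] = int(m.group(2))

    findings = []
    if not globally_on:
        findings.append("MAC Security is not globally enabled")
    if missing := sorted(access_ports - secured):
        findings.append(f"access ports without MAC Security: {missing}")
    if bad := sorted(secured & uplink_ports):
        findings.append(f"uplink ports have MAC Security enabled (should be locked out): {bad}")
    if expect_auto_learning:
        if loose := sorted(p for p in access_ports if max_addrs.get(p, 0) != 1):
            findings.append(f"access ports without max-addrs 1: {loose}")
    return findings


if __name__ == "__main__":
    print("findings:", audit(RUNNING_CONFIG) or "none")
```

Run it against the text of `show running-config` saved from each access switch; a non-empty result is a port that was added or re-enabled without the security steps in sections 4 and 5.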
Note – If AutoSave is disabled on the switch (which is recommended with MAC Security Auto-Learning and Sticky-MAC) then the network administrator must ensure that the config is saved before rebooting the switch (otherwise newly added Sticky MACs will be lost over a reboot).
Link Down Trap for Port: 1
16:02:19:51 Link Up Trap for Port: 1
16:02:19:55 Bay Secure: Exceeded 1 per-port MAC addresses on port 0/1
16:02:19:55 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
16:02:19:55 Trap: s5EtrNewSbsMacAccessViolation
Verify traps on Management station (e.g. VPFM or COM)
Verify MAC Security violations from EDM
Link Down Trap for Port: 1
16:02:24:30 Link Up Trap for Port: 1
16:02:24:41 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
16:02:24:41 Trap: s5EtrNewSbsMacAccessViolation
Verify traps on Management station (e.g. VPFM or COM)
30.0.0.122 is alive
no answer from 30.0.0.144
Tip – If the network administrator prefers that ethernet port 1 be disabled in this scenario, it is sufficient to configure the port-partition security action upon violation.
1 address is Locked on port 2
16:02:29:00 Trap: s5EtrNewSbsMacAccessViolation
16:02:29:05 Bay Secure: Exceeded 1 per-port MAC addresses on port 0/2
16:02:29:05 Bay Secure intruder MAC 00-0f-b5-08-2f-bb port 2 address is Locked on port 1
16:02:29:05 Trap: s5EtrNewSbsMacAccessViolation
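Every "Verify log file on switch" step in this guide shows the same family of log lines: "Bay Secure intruder MAC ... port N", "Bay Secure: Exceeded 1 per-port MAC addresses on port 0/N", the sticky-MAC form "... address is Locked on port N", a "Link Down Trap" when the port is partitioned, and the s5EtrNewSbsMacAccessViolation trap. The following script is an added example, not part of the Avaya guide, serving all of those log sections: it parses `show log` text of that shape and, for each intruder event, decides whether the MAC is an unknown device or an authorized device showing up on the wrong port (a cable move or a spoofed MAC, as in the examples where the two PCs are swapped), records whether the 1-MAC limit was exceeded and whether the port went down (i.e. was partitioned) at the same timestamp, and tallies violations per port. The sample log is constructed from the excerpts on this page; the authorized map, the treatment of the uptime-style timestamp as an opaque string, and the "unit/port" form are assumptions.

```python
"""Triage MAC Security events from an ERS `show log` dump.

Added example; not from the Avaya guide. The sample log below is constructed
from the log excerpts on the page.
"""
import re
from collections import Counter

# Authorized MAC -> port, from the page's examples (lower-cased for matching).
AUTHORISED = {
    "00-0f-b5-08-2f-bb": 1, "00-0f-b5-08-32-9f": 2,
    "00-c0-95-c8-ff-12": 3, "00-c0-95-c8-9a-62": 4,
}

LINE = re.compile(r"^\s*(\d{2}:\d{2}:\d{2}:\d{2})\s+(.*?)\s*$")
INTRUDER = re.compile(
    r"Bay Secure intruder MAC ([0-9a-f-]{17}) port (?:\d+/)?(\d+)"
    r"(?: address is Locked on port (\d+))?", re.I)
EXCEEDED = re.compile(r"Bay Secure: Exceeded (\d+) per-port MAC addresses on port (?:\d+/)?(\d+)")
LINK_DOWN = re.compile(r"Link Down Trap for Port: (\d+)")

# Constructed sample, assembled from the page's log excerpts.
SAMPLE_LOG = """\
00:05:53:48 Link Up Trap for Port: 5
00:05:53:52 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 5
00:05:53:52 Trap: s5EtrNewSbsMacAccessViolation
16:01:57:12 Bay Secure: Exceeded 1 per-port MAC addresses on port 0/1
16:01:57:12 Bay Secure intruder MAC 00-e0-4c-77-67-01 port 1
16:01:57:12 Link Down Trap for Port: 1
16:01:57:12 Trap: s5EtrNewSbsMacAccessViolation
16:02:29:05 Bay Secure: Exceeded 1 per-port MAC addresses on port 0/2
16:02:29:05 Bay Secure intruder MAC 00-0f-b5-08-2f-bb port 2 address is Locked on port 1
16:02:29:05 Trap: s5EtrNewSbsMacAccessViolation
"""


def parse_events(text, authorised=AUTHORISED):
    """Return one dict per intruder line, enriched with same-timestamp context."""
    lines = [m.groups() for l in text.splitlines() if (m := LINE.match(l))]
    downs = {(ts, int(m.group(1))) for ts, msg in lines if (m := LINK_DOWN.search(msg))}
    exceeded = {(ts, int(m.group(2))): int(m.group(1))
                for ts, msg in lines if (m := EXCEEDED.search(msg))}
    events = []
    for ts, msg in lines:
        m = INTRUDER.search(msg)
        if not m:
            continue
        mac, port = m.group(1).lower(), int(m.group(2))
        home = authorised.get(mac)
        if home is None:
            verdict = "unknown device"
        elif home == port:
            verdict = "authorised MAC rejected on its own port (check the MAC Security table)"
        else:
            verdict = f"authorised device for port {home} seen on port {port} (cable move or MAC spoof)"
        events.append({
            "time": ts, "mac": mac, "port": port, "verdict": verdict,
            "locked_on": int(m.group(3)) if m.group(3) else home,
            "limit_exceeded": exceeded.get((ts, port)),   # None when no limit line at that time
            "partitioned": (ts, port) in downs,           # Link Down at the same timestamp
        })
    return events


def violations_per_port(events):
    """Counter of intruder events by port: a quick view of which ports are being probed."""
    return Counter(e["port"] for e in events)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in evs:
        print(e["time"], e["mac"], "port", e["port"], "->", e["verdict"],
              "| partitioned" if e["partitioned"] else "")
    print(dict(violations_per_port(evs)))
```

An authorized MAC reported on a foreign port is the case worth escalating: with port-based entries it is either a user re-cabling a desk or someone cloning a known MAC, and the FDB (see the verification steps above) tells you whether the real station is still present on its home port.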
Note that the authorized devices cannot communicate on the wrong ethernet port
Router#% ping 30.0.0.2; ping 30.0.0.3; ping 30.0.0.121; ping 30.0.0.122
no answer from 30.0.0.2
no answer from 30.0.0.3
30.0.0.121 is alive
30.0.0.122 is alive