avaya.com
3. Regular MAC Security examples
3.1 Controlling exactly which MAC is allowed to use each and every access port
In this example, typically favored by the military, every access port is manually configured to allow one and
only one device (and hence one MAC address). Before a new device can be added to the network, the network
administrator must manually add its MAC address to the authorized MAC list of the access Ethernet port
allocated to it. If a non-authorized MAC address attempts to send traffic into the network, a trap is sent
to the management station and the unauthorized device is not allowed to send traffic into the network.
Figure 2: Regular MAC Security; example 1
3.1.1 Using ACLI
3.1.1.1 Initial Switch configuration
Globally enable MAC Security
Avaya-ERS-Switch(config)# mac-security enable
Enable MAC Security on the access ports
Avaya-ERS-Switch(config)# interface FastEthernet 1-20
Avaya-ERS-Switch(config-if)# mac-security enable
Avaya-ERS-Switch(config-if)# exit
On older software versions you can enable traps upon violation; in more recent software versions
the traps are generated automatically and this command no longer exists
Avaya-ERS-Switch(config)# mac-security snmp-trap
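The following is an added example, not part of the Avaya guide: a Python check that reads a saved ACLI command transcript in the form shown above and reports whether MAC Security was enabled globally and which access ports were never covered by the per-port step. The sample transcript, the 24-port access range and the handling of comma-separated port lists are assumptions made for illustration.

```python
import re

# Constructed sample: an ACLI command history in the form shown above.
# Ports 21-24 are deliberately left out of the per-port step.
SAMPLE = """\
Avaya-ERS-Switch(config)# mac-security enable
Avaya-ERS-Switch(config)# interface FastEthernet 1-20
Avaya-ERS-Switch(config-if)# mac-security enable
Avaya-ERS-Switch(config-if)# exit
"""

# Captures the prompt mode (config or config-if) and the command typed.
PROMPT = re.compile(r"^\S+\((config(?:-if)?)\)#\s*(.+?)\s*$")


def expand_ports(spec):
    """Expand '1-20' (or, as an assumption, '1-4,7') into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit(transcript, access_ports):
    """Return (global_enabled, sorted list of unprotected access ports)."""
    global_enabled = False
    protected = set()
    current = set()  # ports selected by the most recent 'interface' command
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue
        mode, cmd = m.groups()
        if mode == "config" and cmd.startswith("interface FastEthernet "):
            current = expand_ports(cmd.split(None, 2)[2])
        elif cmd == "exit":
            current = set()
        elif cmd == "mac-security enable":
            if mode == "config":
                global_enabled = True   # global switch-wide enable
            else:
                protected |= current    # per-port enable on selected ports
    return global_enabled, sorted(set(access_ports) - protected)


if __name__ == "__main__":
    print(audit(SAMPLE, range(1, 25)))
```

A port that is enabled per-port while the global setting is missing is reported separately through the first return value, since both steps are required by the procedure above.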
3.1.1.2 Provisioning authorized users
Avaya Inc. – Internal Distribution
November 2010