Avaya ERS 3500 Technical Configuration Manual page 8

Mac address based security
port will require intervention by the network administrator.
2. Auto-Learning with MaxMacs, where the switch allows learned MAC addresses up to a specified maximum enforced on the ports with MAC Security enabled. This mode works by permanently enabling the Auto-Learning functionality on the ethernet ports and automatically recording every new MAC address seen on the port. If a new MAC address is seen on the port and the number of authorized MAC addresses on the port was already reached, this will trigger a violation and the packet arriving with the new MAC address will be discarded.

The number of allowed MAC addresses which can be defined on the ethernet ports can be set to a value ranging between 1 and 25.

Note that this mode does not authorize any particular MAC address; it simply ensures connectivity for the 1st X (where X = 1..25) MAC addresses learnt on the port. Also note that the list of recorded MAC addresses is a dynamic list, which means entries can age out and do get cleared on ports which are bounced (cable disconnected and re-connected), as well as flushed when the switch is rebooted (MAC addresses learnt by Auto-Learning are not saved to the config file). Hence if the switch is rebooted or ports are bounced, it is likely that a different set of MAC addresses will be allowed on the port, depending on the order in which these get learnt. In summary, this mode may or may not be applicable depending on whether you wish to allow new MACs on a port upon a reboot or port bounce.

In this mode a device can easily move ports, as its MAC address will automatically get re-learnt on the new port by the Auto-Learning mode (just as happens for the regular MAC table / FDB).

3. Auto-Learning with Sticky-Mac, which is just like the previous flavor, in that Auto-Learning and a maximum number of allowed MACs are configured on the ethernet ports, except that now once a MAC address is seen it is made "sticky" to the port where it was seen and automatically saved to the config file.

Like the previous mode, if a new MAC address is seen on the port and the number of authorized MAC addresses on the port was already reached, this will trigger a violation and the packet arriving with the new MAC address will be discarded.

Unlike the previous mode, there is no aging of the Sticky-MACs, and once the number of allowed MACs has been learnt on a port, those MAC addresses will be the only MAC addresses allowed on that port even if the port is bounced or the switch is restarted. Also, unlike the previous mode, devices cannot move from one ethernet port to another. In summary, the MAC is locked to the original port and an intrusion event will be generated if the same MAC appears on another port. If the network administrator wishes the MAC address to be moved to another port, the address must be deleted from the original port location.

So this mode is essentially similar to the regular MAC Security mode in that it only allows access to certain MAC addresses on the MAC Security enabled ports. It diverges from that mode in two ways:

a. No initial provisioning is required when a new access port is to be used; the allowed MACs will be Auto-Learned as the 1st device(s) is/are attached.
b. It is not possible to use Security-Lists in this mode.

In all 3 modes above, the packets with an offending source MAC will be discarded and will trigger a violation. Upon a violation it is possible to define additional security actions. These can be specified as any combination of the following actions:
No additional action
Generate a Trap
Partition the Port

Avaya Inc. – Internal Distribution    November 2010    avaya.com    8
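The behavioural differences between the two Auto-Learning modes described above (learning up to the 1..25 limit, violation on excess MACs, what a port bounce or reboot clears, and whether a learned MAC may move ports) are easy to misjudge when planning a deployment. The following is an added illustrative model written for this page, not Avaya code: the class name, method names and the tuple layout of recorded violations are constructed assumptions, and it models only the forwarding decision, not trap or partition actions.

```python
from dataclasses import dataclass, field


@dataclass
class AutoLearnTable:
    """Constructed model of one switch's MAC Security auto-learning table.
    sticky=False: Auto-Learning with MaxMacs; sticky=True: Auto-Learning with Sticky-Mac."""
    max_addrs: int
    sticky: bool
    learned: dict = field(default_factory=dict)     # port -> list of learned MACs
    violations: list = field(default_factory=list)  # (port, mac, reason)

    def __post_init__(self):
        if not 1 <= self.max_addrs <= 25:  # the manual's configurable range
            raise ValueError("max-addrs must be between 1 and 25")

    def frame(self, port, src_mac):
        """Return True if a frame from src_mac on port is forwarded, False if discarded."""
        macs = self.learned.setdefault(port, [])
        if src_mac in macs:
            return True
        if self.sticky:
            owner = next((p for p, m in self.learned.items() if src_mac in m), None)
            if owner is not None:  # a sticky MAC is locked to the port that learned it
                self.violations.append((port, src_mac, "intrusion: moved from port %d" % owner))
                return False
        if len(macs) >= self.max_addrs:
            self.violations.append((port, src_mac, "max-addrs reached"))
            return False
        if not self.sticky:  # MaxMacs: re-learn on the new port, as the regular FDB would
            for other in self.learned.values():
                if src_mac in other:
                    other.remove(src_mac)
        macs.append(src_mac)
        return True

    def bounce(self, port):
        """Cable disconnect/reconnect clears MaxMacs entries; sticky entries survive."""
        if not self.sticky:
            self.learned[port] = []

    def reboot(self):
        """Auto-Learned entries are not in the config file, so a reboot flushes them; sticky ones remain."""
        if not self.sticky:
            self.learned = {}

    def delete(self, port, mac):
        """Administrator removes a MAC from its original port (required before a sticky MAC can move)."""
        self.learned.get(port, []).remove(mac)
```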