Avaya ERS 3500 Technical Configuration Manual

MAC address based security

4. Auto-Learning with MaxMacs example

4.1 Ensuring that every access port is used by one and only one device
In this example, the network administrator wants to ensure that user access ports of the network are
seeing one and only one device connected. This is a very effective way to detect and prevent users from
connecting additional devices to their network connection. For instance, this will immediately detect and
prevent a user from introducing a small ethernet hub/switch device on his network connection in an
attempt to add extra (unauthorized) devices to the network. Likewise, this will prevent users from
connecting a WLAN Access Point (AP) to their network connection, as the end result would be the same.

Figure 15: Auto-Learning with MaxMacs; example 5

Note that the device's MAC address is not essential here; it is simply recorded to ensure that no additional MAC (and hence device) can be allowed on the same Ethernet port.

Also note that without the Sticky-MAC feature (covered in the next example) MAC bindings in the security table are not persistent across port bounces or switch reboots and can be aged out of the table. This means that in this example it is possible for devices to physically move from one port to the other, even on ports where a MAC had already been recorded. This is because to move those devices the Ethernet cable would have to be disconnected and then re-connected on a different port, and hence any MAC bindings on the receiving port would have been flushed when the port went down.

The only violation we will be detecting in this mode is multiple MACs on the same port, and because we cannot control the order in which those MAC addresses are learnt, it is not useful to rely on the default MAC security violation behavior of denying access to just those MACs learnt later while allowing access to the 1st MAC learnt on the port. Therefore in this example we will configure the ports to partition upon a MAC security violation.
4.1.1 Using ACLI
4.1.1.1 Initial Switch configuration
Globally enable MAC Security
Avaya-ERS-Switch(config)# mac-security enable
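The following simulation is an added illustration, not the switch's own code or output: it models the security-table behaviour the text describes (MaxMACs of one per port, the default deny-later-MACs violation behaviour versus partitioning the port, and the flush of non-sticky bindings when a port goes down). Port names and MAC addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """MAC security state of one access port."""
    max_macs: int = 1                 # MaxMACs: how many MACs may be bound to the port
    learned: list = field(default_factory=list)
    partitioned: bool = False
    sticky: bool = False              # Sticky-MAC keeps bindings across port bounces

class MacSecurityTable:
    """Simulated MAC security table (added example, not the switch's code).
    'deny-mac' = default: MACs learnt after MaxMACs is reached are denied, the first keeps access.
    'partition' = the whole port is shut on a violation (what this example configures)."""

    def __init__(self, violation_mode="partition"):
        self.violation_mode = violation_mode
        self.ports = {}

    def add_port(self, name, max_macs=1, sticky=False):
        self.ports[name] = Port(max_macs=max_macs, sticky=sticky)

    def learn(self, port_name, mac):
        """Process a frame with source address `mac` arriving on `port_name`."""
        p = self.ports[port_name]
        if p.partitioned:
            return "dropped: port partitioned"
        if mac in p.learned:
            return "allowed"
        if len(p.learned) < p.max_macs:
            p.learned.append(mac)  # auto-learn the binding
            return "allowed"
        # MaxMACs already reached: the one violation this mode detects.
        if self.violation_mode == "partition":
            p.partitioned = True
            return "violation: port partitioned"
        return "violation: MAC denied"

    def link_down(self, port_name):
        """Without Sticky-MAC the bindings are flushed when the port goes down."""
        p = self.ports[port_name]
        if not p.sticky:
            p.learned.clear()

if __name__ == "__main__":
    t = MacSecurityTable("partition")
    t.add_port("1/1")
    for mac in ("00:aa:00:00:00:01", "00:aa:00:00:00:02"):  # constructed MACs
        print(mac, "->", t.learn("1/1", mac))
```

Running it shows why partitioning is chosen here: in 'deny-mac' mode whichever MAC happens to be learnt first keeps access, so a hub-attached intruder can win simply by being seen first.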
Avaya Inc. – Internal Distribution
November 2010
74