Author Topic: 4550 Mac Security & Avaya VOIP Phones  (Read 4887 times)

Offline nonenone45

  • Rookie
  • **
  • Posts: 5
4550 Mac Security & Avaya VOIP Phones
« on: July 31, 2013, 07:28:59 AM »
Here is the ongoing problem I've been having with 4550 Mac Security & Avaya VOIP Phones:

When trying to limit the ports to 2 MAC addresses (PC & phone), random user ports will use an extra 1 to 2 MAC addresses (1 PC Data VLAN, 1 Phone Data VLAN, 1 Phone Voice VLAN, 1 Unknown). Setting the limit to 5 MAC addresses will solve the problem, but with 5 allowed MACs what's the point of having MAC security?

Have tried latest code with the 4550 & Avaya support has no clue on this. After researching the issue here, found these 2 links:

https://forums.networkinfrastructure.info/nortel-ethernet-switching/mac-security-on-4550t/msg1537/#msg1537

https://forums.networkinfrastructure.info/nortel-ethernet-switching/mac-security-problem-nortelavaya-2526-series/msg2792/#msg2792

So, after this background, has anyone found the solution for this? Is this "expected" Avaya behavior?
Been thinking of trying the Avaya 5500 series or even Cisco switches to get this feature working.

The underlying problem is preventing programmers from bringing in home switches/hubs and creating network loops past the 4550 access switches back to the core 8600 - STP and BPDUFilter are both enabled but the loop still kills their entire VLAN, verified by the 8600 logs. Don't really want the headache of NAC, but may have to implement if nothing else will work.

Many thanks for any suggestions, and to Michael McNamara for maintaining this site; it has saved me many hours of troubleshooting Avaya gear.
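
Added example, not part of the original post: a small audit of a forwarding-table export that reports, per port, both the number of distinct MAC addresses and the number of (VLAN, MAC) entries, so a port that exceeds a limit of 2 only because one address was learned in two VLANs can be told apart from a port with genuinely extra devices behind it. The input format, port names, VLAN IDs and addresses are constructed, and whether the switch counts per address or per VLAN entry is not stated in the thread, which is why both counts are shown.

```python
from collections import defaultdict

# Constructed sample of a forwarding-table export, one "port vlan mac" entry
# per line. Port names, VLAN IDs (10 = data, 20 = voice) and addresses are
# invented for this example; adapt the parser to your switch's real output.
SAMPLE_FDB = """\
1/5 10 02:00:00:00:00:a1
1/5 10 02:00:00:00:00:b1
1/5 20 02:00:00:00:00:b1
1/6 10 02:00:00:00:00:a2
1/6 20 02:00:00:00:00:b2
1/7 10 02:00:00:00:00:a3
1/7 10 02:00:00:00:00:a4
1/7 10 02:00:00:00:00:a5
1/7 20 02:00:00:00:00:b3
"""


def parse_fdb(text):
    """Return {port: set of (vlan, mac)} from 'port vlan mac' lines."""
    ports = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[1].isdigit():
            continue  # skip blanks, headers and anything that is not an entry
        port, vlan, mac = fields
        ports[port].add((int(vlan), mac.lower()))
    return ports


def audit(text, limit=2):
    """Map each port to (distinct MACs, table entries, verdict) for a limit."""
    report = {}
    for port, entries in parse_fdb(text).items():
        macs = {mac for _, mac in entries}
        if len(entries) <= limit:
            verdict = "ok"
        elif len(macs) <= limit:
            # Over the limit only because one address was learned in two VLANs.
            verdict = "vlan-duplicate"
        else:
            # More distinct devices than allowed: check for a hub or switch.
            verdict = "extra-device"
        report[port] = (len(macs), len(entries), verdict)
    return report


if __name__ == "__main__":
    for port, result in sorted(audit(SAMPLE_FDB).items()):
        print(port, *result)
```

Ports reported as `extra-device` are the ones worth a physical check for an unmanaged hub or switch; ports reported as `vlan-duplicate` show how a phone seen in both the data and voice VLAN can push a port past a tight limit.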





Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 961
Re: 4550 Mac Security & Avaya VOIP Phones
« Reply #1 on: July 31, 2013, 07:44:55 AM »
Hi nonenone45,

In my previous job we used Avaya's 802.1x solution and I believe this will be the solution to your problems?

CheerZ

Offline MatzeKS

  • Sr. Member
  • ****
  • Posts: 311
    • matzeks
    • Controlware GmbH - Germany
Re: 4550 Mac Security & Avaya VOIP Phones
« Reply #2 on: July 31, 2013, 07:52:55 AM »
You can test AVAYA Identity Engines free for 30 days:

http://www.avaya.com/usa/free-software-trial-ap/identity-engines-portfolio

Good luck
------------------------------------------------------
ACE-Fx #00050

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 3842
    • michaelfmcnamara
    • Michael McNamara
Re: 4550 Mac Security & Avaya VOIP Phones
« Reply #3 on: July 31, 2013, 09:25:59 AM »
While it's not an answer to your question, my response is directed toward your ultimate problem.

You should be able to use Spanning Tree, BPDU filtering and rate-limiting to keep any loop localized.

Are you saying with those three enabled you are still able to put a loop into the switch/network?

If so then something is wrong somewhere.

Cheers!
We've been helping network engineers, system administrators and technology professionals since June 2009.
If you've found this site useful or helpful, please help me spread the word. Link to us in your blog or homepage - Thanks!

Offline nonenone45

  • Rookie
  • **
  • Posts: 5
Re: 4550 Mac Security & Avaya VOIP Phones
« Reply #4 on: July 31, 2013, 09:53:27 AM »
Here is the diagram:

4550 Switch Floor 2 ----->
                                 
4550 Switch Floor 3  ---->   4550 Switch Floor 1 --->  8600

4550 Switch Floor 4 ----->

The 8600 shuts down the link to floor 1 (and 2-3) with a log message of excessive multicast frames. STP and BPDU filtering are enabled on all ports; rate-limiting is not configured. Floor 3 is the suspected problem area for users installing hubs, and STP will disable ports at times, letting me find and remove the hubs. Every so often, the problem moves past floor 3 and floor 1 and the 8600 will shut down the port to the entire building, causing everyone major headaches. NAC is probably off the table due to time/budget issues, but I was hoping mac-security would solve it. Open to any suggestions, thanks for the advice!

Offline TankII

  • Hero Member
  • *****
  • Posts: 556
Re: 4550 Mac Security & Avaya VOIP Phones
« Reply #5 on: August 01, 2013, 05:28:39 PM »
SLPP/SLPP-Guard is your friend.  It will block the switch port even when Spanning-Tree doesn't.  Then the 8600 port doesn't get blocked.

TankII

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 3842
    • michaelfmcnamara
    • Michael McNamara
Re: 4550 Mac Security & Avaya VOIP Phones
« Reply #6 on: August 13, 2013, 09:09:42 AM »
You need to tune the CP-LIMIT values on the ERS 8600... the ERS 8600 is shutting down the uplinks to try and save the network. In these cases the edge/closet switches are probably not configured properly. The loop should never reach the core; you should verify that you have STP (FastStart), BPDU filtering and rate-limiting enabled on ALL your edge ports.

I'm willing to guess that you don't have those enabled on ALL your ports, hence your problems are reaching the core.

Good Luck!