MAC-security dilema

[MLoredo]

Hi everyone, I work in a healthcare environment and we have an Avaya 5698 providing data connectivity to pc's in our patient rooms.  Currently mac-security is enabled on the data ports in the patient rooms and we are wanting to wheel in a teleconference cart into the patient rooms and allow the teleconference to patch into the same data port the computer is in.  The end user would have to unpatch the pc and then patch in this teleconference cart.

In my test lab with the same 5698, I have tried setting it up where all the access ports have mac-security enabled and then allowing a second device to connect to all the access ports.  It is appearing that this will not be feasible but please let me know if there is something else I can try...

First time around, I enabled the following in global config: mac-security, mac-security auto-learning sticky,  intrusion-timer 0, and intrusion-detect enable. 
Then in the interface configuration, I enabled the following:  mac-security auto-learning enable, mac-security auto-learning max-address 2, and mac-security port X enable.  I continued on with patching in computer into port 1, then patched in teleconference cart into port 1.  After reviewing show mac-security mac-address I saw that both devices were learned, I attempted to patch in a third device and the port shut down as expected.  Great, that was what I was expecting to see.  I continue on to configure port 2 the same exact way, with auto-learning enabled and maximum of 2 mac addresses and mac-security enabled.  I plug in the third device into port 2.  I review the show mac-security mac-address-table and I see that the switch has learned the new mac address on port 2, all is well.  I then try to patch the teleconference cart into port 2 and the port shuts down.  Not good.  I check the logs and it shows that intruder MAC h.h.h port 2 address is locked on port 1.

So then I try doing away with auto-learning and go the static route.  From the interface configuration I disabled mac-security from ports 1 and 2 and I disabled auto-learning on ports 1 and 2.  I then went into the global configuration and started adding the mac-addresses statically.  For the first computer, mac-security mac-address-table address h.h.h port 1.  For the teleconference cart, mac-security mac-address-table address h.h.h port 1.  For the second computer, mac-security mac-address-table address h.h.h port 2 .  And again for the teleconference cart, mac-security mac-address-table address h.h.h port 2.  Except, I get an error when I try to statically allow the teleconference cart to port 2.  %Cannot modify settings %Cannot add the mac, duplicate address %Cannot assign mac address h.h.h to port 2.  Not good...

So these are the two ways I have tried it thus far.  Anyone out there have any more ideas on mac-security?

[Flintstone]

Hi MLoredo,

Have you considered using 802.1x?

CheerZ

[MLoredo]

802.1x would work for the computer in the patient room but I don't think the teleconference cart will support 802.1x

[Flintstone]

Avaya's solution covers both 802.1x and MAC address authentication.

CheerZ

[MLoredo]

Avaya's solution covers both 802.1x and MAC address authentication.

CheerZ

Yea, I knew that but I guess you didn't read my first post on what my dilemma is with mac-security.  lol 

[Flintstone]

Avaya's 802.1x and MAC address authentication does not use the switches mac-security.  This is disabled.  Avaya's Identity (Radius) server uses MAC address authentication as well as 802.1x, so you should be able to remove the PC and then plug in your Teleconference unit into the same port?

CheerZ

[MLoredo]

Avaya's 802.1x and MAC address authentication does not use the switches mac-security.  This is disabled.  Avaya's Identity (Radius) server uses MAC address authentication as well as 802.1x, so you should be able to remove the PC and then plug in your Teleconference unit into the same port?

CheerZ

I see what your saying.  Mac-security does NOT equal MAC address authentication.

I will read up on it, thanks!

[MLoredo]

Here's my answer!

"You can use MAC address security lists to create a list of authorized MAC addresses that are allowed to connect to any port associated with that list. This is very helpful if a user moves his/her device between ports the device will still be authorized since the MAC address is not tied to a physical port but rather a list which is then associated with a set of ports."

http://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/

I will follow up with my findings after setting this up in my test lab.

[Michael McNamara]

Just be warned that there is a physical limit to the number of MAC addresses that can be added to the switch. So you can't just create a campus wide MAC list of say 2000 devices and then load that list into every switch.

Good Luck!

[MLoredo]

Just be warned that there is a physical limit to the number of MAC addresses that can be added to the switch. So you can't just create a campus wide MAC list of say 2000 devices and then load that list into every switch.

Good Luck!

The maximum of 448 mac addresses is more than enough.  Thanks for the input.

[TankII]

You can also configure the video conferencing device as a VOIP endpoint and use ADAC to put the endpoint in the Voice VLAN.
That's what we plan to so very soon, probably before we deploy 802.1X everywhere.
Also in a Healthcare environment.

TankII

[MLoredo]

Ok, so here's what I ended up doing for my configuration.  Remember, we want the PC's in the patient rooms and the teleconference cart that goes in and out of the patient rooms to be the only mac addresses to be allowed to connect to the avaya switch.

#######################
#Configuring mac address security to allow only one mac address that is learned by the port. Auto-learning sticky will enable the storing of automatically-learned #mac addresses across switch reboots. Intrusion detection is enabled to partition (disable) the port when a violation is encountered. Intrusion-timer is set to 0 so that #a manual reset of the port is required in order to re-enable the port. 
#######################

configure terminal
mac-security enable
no autosave enable
mac-security auto-learning sticky
mac-security intrusion-timer 0
mac-security intrusion-detect enable

interface fastethernet 1-24
mac-security auto-learning port 1-24 enable
mac-security auto-learning port 1-24 max-addrs 1
mac-security port 1-24 enable

#######################
#Creating the security list of authorized mac address that is allowed to connect to any port associated to this list.
#######################

configure terminal
mac-security security-list 1 add 1-24
mac-security mac-address-table address h.h.h security list 1



Using the commands listed above, I was able to successfully test mac-security with one pc on assigned port and the teleconference cart with the ability to move the teleconference cart between ports that were associated with the security list.

[Flintstone]

Great

Thanks for sharing