
Author Topic: MAC Security - On Medium Network Problem  (Read 4059 times)


SoNix
  • Rookie
  • Posts: 17
MAC Security - On Medium Network Problem
« on: January 14, 2015, 02:11:43 PM »
I have a question.
I am trying to set up MAC Security on all of my edge switches (4548-GT PWR), maybe 40 switches.
I have a medium-large network.

But after reading the forum, Michael mentioned not to use this solution for a medium network...

Problem: since I set up this MAC Security, some of the network devices lost connection and kept going on/off. This makes me think that the 448 max MAC address list is full ;(

Under the MAC Security tab, there is an option Security Mode: | macList (the one I used) | AutoLearn.
Do I need to use AutoLearn, or is it a bad idea to use MAC Security?
I need to block users from installing network hubs / wireless routers...
Thanx!


Dominik
  • Global Moderator
  • Hero Member
  • Posts: 1564
    • Networkautobahn
Re: MAC Security - On Medium Network Problem
« Reply #1 on: January 15, 2015, 01:44:28 AM »
Which SW version do you have on your ERS4500 switches?

My first guess is that one of your uplinks is configured for MAC security. Make sure that you have MAC security disabled on all uplink ports.

Are the on/off ports directly connected to your ERS4500?

As additional protection you can also enable DHCP Snooping, which blocks all disallowed DHCP servers like wireless routers, and BPDU filtering.

Cheers
It's always the network's fault!
networkautobahn.com

SoNix
  • Rookie
  • Posts: 17
Re: MAC Security - On Medium Network Problem
« Reply #2 on: January 15, 2015, 07:20:31 AM »
> Which SW version do you have on your ERS4500 switches?

All my switches are at release 5.7.0.009.

> My first guess is that one of your uplinks is configured for MAC security. Make sure that you have MAC security disabled on all uplink ports.

Okay, I will recheck my config... but I'm pretty sure that I always exclude my MLT ports (45-48).

> Are the on/off ports directly connected to your ERS4500?

Yeah, every computer is directly connected to the switch, and I have some IP phones (and some computers connected behind the IP phones).

> As additional protection you can also enable DHCP Snooping, which blocks all disallowed DHCP servers like wireless routers, and BPDU filtering.

Thanks, I will check these options too ;)


Here is a sample of my config right now.

```
!
! *** MAC-Based Security ***
!

mac-security security-list 1 NONE
mac-security security-list 2 NONE
mac-security security-list 3 NONE
mac-security security-list 4 NONE
mac-security security-list 5 NONE
mac-security security-list 6 NONE
mac-security security-list 7 NONE
mac-security security-list 8 NONE
mac-security security-list 9 NONE
mac-security security-list 10 NONE
mac-security security-list 11 NONE
mac-security security-list 12 NONE
mac-security security-list 13 NONE
mac-security security-list 14 NONE
mac-security security-list 15 NONE
mac-security security-list 16 NONE
mac-security security-list 17 NONE
mac-security security-list 18 NONE
mac-security security-list 19 NONE
mac-security security-list 20 NONE
mac-security security-list 21 NONE
mac-security security-list 22 NONE
mac-security security-list 23 NONE
mac-security security-list 24 NONE
mac-security security-list 25 NONE
mac-security security-list 26 NONE
mac-security security-list 27 NONE
mac-security security-list 28 NONE
mac-security security-list 29 NONE
mac-security security-list 30 NONE
mac-security security-list 31 NONE
mac-security security-list 32 NONE
interface Ethernet ALL
! Disabled on the trunk ports
mac-security port 1/45-48,2/45-48 lock-out
! Every port except the trunks
mac-security port 1/1-44,2/1-44 enable
default mac-security auto-learning port ALL
! All ports except the trunks
mac-security auto-learning port 1/1-44,2/1-44 enable
! Max 1 computer per port
mac-security auto-learning port 1/1-6,1/8-44,2/1-44 max-addrs 1
! IP phone with a PC piggybacked behind it
mac-security auto-learning port 1/7 max-addrs 2
! Trunks set to 25, but MAC security is disabled on them
mac-security auto-learning port 1/45-48,2/45-48 max-addrs 25
exit
mac-security enable
mac-security snmp-lock disable
! Needs to be reactivated by hand
mac-security intrusion-detect forever
mac-security filtering disable
mac-security auto-learning aging-time 60
mac-security learning disable
mac-security learning-ports NONE
no mac-security mac-address-table
!
```
« Last Edit: January 15, 2015, 08:35:30 AM by SoNix »
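A small checker, added here as an example and not part of the poster's config or any Avaya tool, that parses the mac-security port lines from the config above (with the inline annotations stripped) and verifies the two points raised in this thread: the uplink ports (assumed here to be 1/45-48 and 2/45-48) must be lock-out, and an IP-phone port with a PC behind it (assumed here to be 1/7) must allow at least two MAC addresses.

```python
import re

# Constructed sample: the mac-security port lines from the ERS4500 config above
SAMPLE_CONFIG = """\
mac-security port 1/45-48,2/45-48 lock-out
mac-security port 1/1-44,2/1-44 enable
mac-security auto-learning port 1/1-44,2/1-44 enable
mac-security auto-learning port 1/1-6,1/8-44,2/1-44 max-addrs 1
mac-security auto-learning port 1/7 max-addrs 2
mac-security auto-learning port 1/45-48,2/45-48 max-addrs 25
"""

PORT_LINE = re.compile(r"^mac-security (auto-learning )?port (\S+) (lock-out|enable|max-addrs (\d+))$")


def expand_ports(spec):
    """Expand an ERS port list like '1/1-6,1/8-44,2/1-44' into (unit, port) tuples."""
    ports = []
    for item in spec.split(","):
        unit, rng = item.split("/")
        lo, _, hi = rng.partition("-")
        ports.extend((int(unit), p) for p in range(int(lo), int(hi or lo) + 1))
    return ports


def parse_mac_security(config):
    """Return {(unit, port): {'mode': 'enable'|'lock-out'|None, 'max_addrs': int|None}}."""
    state = {}
    for line in config.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        for port in expand_ports(m.group(2)):  # later lines override earlier ones, as on the CLI
            entry = state.setdefault(port, {"mode": None, "max_addrs": None})
            if m.group(4):                      # 'auto-learning port ... max-addrs N'
                entry["max_addrs"] = int(m.group(4))
            elif not m.group(1):                # plain 'port ... enable|lock-out'
                entry["mode"] = m.group(3)
    return state


def lint(state, uplinks, phone_ports):
    """Report uplinks not locked out and phone ports that allow fewer than 2 MACs."""
    findings = []
    for (unit, port), e in sorted(state.items()):
        if (unit, port) in uplinks and e["mode"] != "lock-out":
            findings.append(f"{unit}/{port}: uplink has mode {e['mode']}, expected lock-out")
        if (unit, port) in phone_ports and e["mode"] == "enable" and (e["max_addrs"] or 0) < 2:
            findings.append(f"{unit}/{port}: phone port allows {e['max_addrs']} MAC(s), need 2")
    return findings
```

Run `lint(parse_mac_security(SAMPLE_CONFIG), set(expand_ports("1/45-48,2/45-48")), {(1, 7)})` on the config above and it returns no findings; a port range that accidentally swallows 45-48 into `enable`, or a second phone port left at `max-addrs 1`, shows up immediately.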

Dominik
  • Global Moderator
  • Hero Member
  • Posts: 1564
    • Networkautobahn
Re: MAC Security - On Medium Network Problem
« Reply #3 on: January 16, 2015, 01:25:15 AM »
I found two bugfixes in 5.7.1 that maybe can be related to your problem.

I would try out an Upgrade to 5.7.1.

Cheers
It's always the network's fault!
networkautobahn.com

SoNix
  • Rookie
  • Posts: 17
Re: MAC Security - On Medium Network Problem
« Reply #4 on: January 16, 2015, 07:28:19 AM »
Thanx,

I just upgraded 2 switches with the new code: 5.7.1.021.
I will wait to see if the problem happens again....

I see the problems in the release notes..

wi01169594 - Delays in stack port traffic switch between Guest VLAN and Data VLAN for DHCP snooping or mac-max settings.

I really think this one is my problem... (because IP phones, Wyse terminals and computers lost connection and reconnected)

wi01173795 - MAC addresses were not properly learned on some ports.

Øyvind Nikolaisen
  • Full Member
  • Posts: 52
Re: MAC Security - On Medium Network Problem
« Reply #5 on: January 16, 2015, 05:11:42 PM »
Just my 2 cents worth...

We've found that the 5.7.x isn't all that impressive in terms of stack stability, in particular if you run SPB on the stacks. 5.8.0 seems to have fixed most of those problems, but may not have all the fixes of 5.7.1 in other areas as it was released one month earlier. However, wi01169594 and wi01173795 are not on the list of outstanding issues which, by the way, is bloody long!

Best regards,

Øyvind Nikolaisen
Senior Network Architect
NetNordic Communications AS
Avaya ACE Fx #204

Dominik
  • Global Moderator
  • Hero Member
  • Posts: 1564
    • Networkautobahn
Re: MAC Security - On Medium Network Problem
« Reply #6 on: January 17, 2015, 03:32:08 PM »
> We've found that the 5.7.x isn't all that impressive in terms of stack stability, in particular if you run SPB on the stacks. 5.8.0 seems to have fixed most of those problems, but may not have all the fixes of 5.7.1 in other areas as it was released one month earlier. However, wi01169594 and wi01173795 are not on the list of outstanding issues which, by the way, is bloody long!

Thanks for that input. I actually have problems with the combination of SPB stacks and 5.8.
5.7.1 runs stable in my experience, but with 5.8 we had very high CPU utilization on the base unit when SPBM is enabled.
Very interesting that you experienced problems with 5.7.x.
I have a case open at Avaya support at the moment.
Hope they provide a fix for the stacking issue.

Cheers
It's always the network's fault!
networkautobahn.com

SoNix
  • Rookie
  • Posts: 17
Re: MAC Security - On Medium Network Problem
« Reply #7 on: January 19, 2015, 01:31:03 PM »
Hmm, yeah, but according to the release notes of 5.8... and I own 4548GT-PWR:

 "Release 5.8 is supported only on ERS 4800 series."

And release 5.7.1 solves my problems ;) Everything is working now ;)

Dominik
  • Global Moderator
  • Hero Member
  • Posts: 1564
    • Networkautobahn
Re: MAC Security - On Medium Network Problem
« Reply #8 on: January 20, 2015, 03:22:03 AM »
Thanks for the feedback. Great to hear that everything is working now.

Cheers
It's always the network's fault!
networkautobahn.com