In this day and age network security is becoming more and more of an issue for organizations large and small. There are dozens of Network Access Control (NAC) solutions from a number of high-profile vendors. Unfortunately they can be very costly and painful to deploy. I often get asked about MAC address security and the role it can play in helping to secure a network.
MAC Address Security
There’s definitely a role for MAC address security in both large and small networks. It’s certainly not foolproof in today’s world, but it’s definitely better than nothing. I would say that smaller networks can probably benefit more from MAC address security: it’s a relatively simple and cost-effective (free) way to secure your network if you only have a few switches and only a few hundred devices. If you have a few hundred switches or a few thousand devices then MAC address security is still useful, but not to the same degree. Why the difference between large and small networks? The solution doesn’t scale very well, and here’s one large caveat: the MAC Address Security Table can hold up to 448 MAC addresses. As the number of switches increases the management burden increases significantly. In a small network with only a few switches you can easily update the MAC security address table by hand and provide a locked-down environment. In larger networks the limitation of the table size will only allow you to use an auto-learned MAC-address-per-port configuration. This is still useful to larger organizations that wish to allow only 1 or 2 MAC addresses per switch port (no hubs on this network please). So MAC address filtering in combination with BPDU filtering can really help to provide some control over the edge switch port.
I personally use MAC security to restrict the number of devices that get connected to a single switch port. We also use MAC security at our smaller branch offices to tightly control what devices get connected to the network. Unfortunately, since the ‘MAC Address Security Table’ can only hold 448 MAC addresses, it’s really not big enough for even a mid-sized organization. If you’re looking to provide some port-level security I would suggest you look at 802.1x authentication using RADIUS to authenticate the MAC addresses.
You can use MAC address security lists to create a list of authorized MAC addresses that are allowed to connect to any port associated with that list. This is very helpful when a user moves his/her device between ports: the device will still be authorized, since the MAC address is not tied to a physical port but rather to a list, which is then associated with a set of ports.
When a MAC address violation is detected you have a few options for how to respond. You can partition (isolate) the port where the MAC address violation was detected; this will isolate all devices on that port. You can have the switch filter the destination MAC address (DA) of the offending device. Or you can just alarm via an SNMP trap and the system log and let an engineer or administrator determine what action to take.
Example: you have an IP phone with an empty PC port on the back. If someone plugs something into the PC port you don’t want to allow that device on the network. If you have the switch configured to partition the port, the switch will cut off both the offending device and the IP phone. If you have the switch configured just to filter the DA, then only communications to the offending device will be impeded.
How to setup a MAC security list?
In this example I’ll setup a MAC security list adding a single MAC address and associating the list with three different ports. This will allow the MAC address to connect to any of the three ports. I’ll also setup the switch so it will partition (isolate) any port where there is a violation recorded.
5520-48T-PWR(config)# mac-security enable
5520-48T-PWR(config)# mac-security security-list 1 add 1
5520-48T-PWR(config)# mac-security security-list 1 add 2
5520-48T-PWR(config)# mac-security security-list 1 add 3
5520-48T-PWR(config)# mac-security mac-address-table address 00-25-84-EB-47-5A security-list 1
If you want the switch to actually do something other than just alarm, you should enable intrusion-detect. I set the timer to 2 minutes (120 seconds).
5520-48T-PWR(config)# mac-security intrusion-detect enable
5520-48T-PWR(config)# mac-security intrusion-timer 120
If you don’t want to partition the port but instead just want to filter the offending MAC address, enable filtering instead.
5520-48T-PWR(config)#mac-security filtering enable
And finally you need to enable MAC security on the specific ports.
5520-48T-PWR(config)# inter fastEthernet 1-3
5520-48T-PWR(config-if)# mac-security enable
5520-48T-PWR(config-if)# exit
5520-48T-PWR# show mac-security config
MAC Address Security: Enabled
MAC Address Security SNMP-Locked: Disabled
Partition Port on Intrusion Detected: Disabled
DA Filtering on Intrusion Detected: Enabled
MAC Auto-Learning Age-Time: 60 minutes
MAC Auto-Learning Sticky Mode: Disabled
Current Learning Mode: Disabled
Learn by Ports: NONE
I connected an unauthorized device to port 3 and we can see from the logs that the switch is reporting an intrusion.
I 00:00:50:21 50 Link Up Trap for Port: 3
I 00:00:48:19 47 Trap: s5EtrNewSbsMacAccessViolation
I 00:00:48:19 46 Link Down Trap for Port: 3
I 00:00:48:19 45 Bay Secure intruder MAC 00-24-7f-99-84-70 port 3
How to remove a MAC address or MAC security list?
5520-48T-PWR(config)# show mac-security mac-address-table
Number of addresses: 3
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------

Security List Allowed MAC Address Type
------------- ------------------- ---------
            1 00-1E-CA-F3-1D-B4   Static
            1 00-24-7F-99-84-70   Static
            1 00-25-84-EB-47-5A   Static
Let’s remove these MAC addresses from the MAC address table.
5520-48T-PWR(config)# no mac-security mac-address-table address 00-1E-CA-F3-1D-B4
5520-48T-PWR(config)# show mac-security mac-address-table
Number of addresses: 2
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------

Security List Allowed MAC Address Type
------------- ------------------- ---------
            1 00-24-7F-99-84-70   Static
            1 00-25-84-EB-47-5A   Static
Let’s remove the entire MAC security list.
5520-48T-PWR(config)# no mac-security security-list 1
How to enable automatic learning?
You can also have the switch auto-learn the MAC addresses, either temporarily (leave auto-learning enabled) or permanently (disable auto-learning once you have all the MAC addresses in the table). Here are some commands to enable continual MAC address learning and restrict the number of MAC addresses on the port to 2.
5520-48T-PWR(config)# interface fa 3
5520-48T-PWR(config-if)# mac-security auto-learning port 3 max-addrs 2
5520-48T-PWR(config-if)# mac-security auto-learning port 3 enable
5520-48T-PWR(config-if)# exit
5520-48T-PWR(config)# show mac-security port 3
Port Trunk Security Auto-Learning MAC Number Security Locked-out
---- ----- -------- ------------- ---------- -------------------
   3       Enabled  Enabled       2          Disabled
5520-48T-PWR(config)# show mac-security mac-address-table
Number of addresses: 2
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------
   0    3 00-1E-0B-79-D5-BC   Automatic
   0    3 00-1E-CA-F3-1D-B4   Automatic

Security List Allowed MAC Address Type
------------- ------------------- ---------
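As an added example (not part of the original post or the switch’s own tooling), here is a small Python helper for the monitoring side of the setup above: it parses the ‘Bay Secure intruder’ syslog lines and the ‘show mac-security mac-address-table’ output (both the port-bound auto-learned rows and the security-list rows), reports intrusions whose MAC is not in the allowed table, and tracks headroom against the 448-entry table limit quoted above. The sample log and table text are constructed to mirror the post’s output; the function names are mine.

```python
import re

TABLE_LIMIT = 448  # MAC Address Security Table size quoted in the post

# Constructed samples modelled on the syslog and 'show' output in the post.
SAMPLE_LOG = """I 00:00:48:19 47 Trap: s5EtrNewSbsMacAccessViolation
I 00:00:48:19 46 Link Down Trap for Port: 3
I 00:00:48:19 45 Bay Secure intruder MAC 00-24-7f-99-84-70 port 3"""
SAMPLE_TABLE = """Number of addresses: 3
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------
   0    3 00-1E-0B-79-D5-BC   Automatic
Security List Allowed MAC Address Type
------------- ------------------- ---------
            1 00-25-84-EB-47-5A   Static
            1 00-1E-CA-F3-1D-B4   Static"""

INTRUDER_RE = re.compile(r"Bay Secure intruder MAC (?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}) port (?P<port>\d+)")
MAC_RE = re.compile(r"^(?:[0-9A-F]{2}-){5}[0-9A-F]{2}$")

def parse_intrusions(log_text):
    """(mac, port) for each 'Bay Secure intruder' line; MAC normalised to upper case."""
    hits = []
    for line in log_text.splitlines():
        m = INTRUDER_RE.search(line)
        if m:
            hits.append((m.group("mac").upper(), int(m.group("port"))))
    return hits

def parse_mac_table(show_output):
    """Rows are 'unit port mac type' (port-bound) or 'list mac type' (security list)."""
    entries = []
    for line in show_output.splitlines():
        tok = line.split()
        if len(tok) == 4 and MAC_RE.match(tok[2]):
            entries.append({"unit": int(tok[0]), "port": int(tok[1]), "list": None,
                            "mac": tok[2], "type": tok[3]})
        elif len(tok) == 3 and MAC_RE.match(tok[1]):
            entries.append({"unit": None, "port": None, "list": int(tok[0]),
                            "mac": tok[1], "type": tok[2]})
    return entries

def table_headroom(entries):
    return TABLE_LIMIT - len(entries)  # addresses that still fit in the table

def unauthorized_intrusions(log_text, show_output):
    """Intrusion events whose MAC is absent from the allowed table (the ones worth alerting on)."""
    allowed = {e["mac"] for e in parse_mac_table(show_output)}
    return [(mac, port) for mac, port in parse_intrusions(log_text) if mac not in allowed]
```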
As you said, it is not easy to control each port. It is important to say what kind of hardware supports that configuration. Imagine how to control it in a telecommunication company!
Michael McNamara says
Thanks for the comment Michel!
Here’s another dirty trick you can use mac security for.
We’ve had a couple of buildings which had more than their fair share of loops created (bored student in a study room in the library with two ports and a patch cord…). Loop detection would of course down one of the ports, but every now and then the upstream loop detection would fire off as well, taking the whole building switch down. The edge loop detection simply couldn’t kill the loop fast enough to guarantee that the upstream loop detection wouldn’t fire.
So, in addition to spanning tree, we also configured mac security with auto learning and a max of 8 addresses on each port. This ends up downing a looped port within 10 or 20 packets, far faster than most other loop detections.
Of course, there’s one catch (isn’t there always?) If you configure this on an 8300, you need to be aware that the list of auto-learned addresses never times out until it’s manually cleared, or the link is physically downed. If you have a port with a cheapo switch at the other end and max addresses set to 8, you can have one different person plug in per week, and on the 9th week the port will go down. Other than that… let’s call it a quirk… it’s worked great for us.
Michael McNamara says
Thanks for the comment Frank!
I’m curious about your comment regarding the upstream loop detection inadvertently disconnecting your edge switches before the protection could kick in at the edge. How long ago did you test this? I tested these features thoroughly about a year ago now and found with Spanning Tree w/FastStart, BPDU filtering, and rate-limiting on the edge switches that SLPP or CP-LIMIT would not kick in at the core before the edge was locked down.
There have been changes to SLPP where you can reset the counter after a certain interval… and rate-limiting on the edge keeps CP-LIMIT from kicking off immediately.
We’ve been off of our old 8600 core for about a year and a half now, so I can believe things may have changed.
A good chunk of our problems have also come from the fact that our 8300 units, which already are a little twitchy in the control plane, only had 128M mem (and some still do!). This reduces their ability to handle the various loop detection protocols in a timely fashion, and was a good chunk of our problems.
For a neat party trick, log in to an 8300 with multiple uplinks that is using STP to block some of them. Type in a grep command, looking for a particular string in the PCMCIA log files, like messages about a problematic port. Hit return, and wonder why the newline doesn’t get echoed back. A few moments later, realize that the grep command is completely monopolizing the CPU, to the point where it’s not bothering to do other unimportant stuff, like processing those BPDU frames. No BPDU, links unblock, core sees a loop, boom.
Nice article and great timing… I was testing MAC filtering a few days ago.
Have you tried MAC authentication against a RADIUS server? Could you give any hint on the configuration required in the switch?
I’m thinking that the best solution for our network (many buildings) is a central RADIUS server which has all the allowed MAC addresses.
Michael McNamara says
I haven’t kicked it around myself but I believe it’s documented in this guide;
Yeah, the whole NAC thing has its ups and downs. I like that you can configure it and it will work with no additional cost out of the box on most Avaya switches. But if you start to activate it on all your access ports, you will have quite a lot of work to do if some changes are made in your network, e.g. a user is moving to another room.
Actually, we just went the NAC route (simple MAC auth, no supplicants on our clients) for exactly that reason. The nice thing about NAC is that once it’s set up properly, it ends up being less work to handle moves, since your end user configuration policies (VLANs, QoS, filtering rules, etc) follow your users around to whatever port they happen to be plugged in to, rather than requiring manual work to keep up with your users.
We’re testing mac security. It seems to work perfectly with the 4550 but with our ers 470 (firmware 3.7.4) some ports are shut without reason (no hub behind, for example).
Has someone tried mac-security with the ers 470?
Michael McNamara says
What do you have connected to the actual port? Are you limiting the number of MAC addresses per port beyond just enabling MAC security? You might want to check the MAC/FDB table and see how many FDB entries are associated with the port(s) in question. Depending on the configuration you can end up with the same MAC appearing multiple times in the MAC/FDB tables, which will trip up MAC security if you are limiting the number of MAC addresses to be learned.
It’s like the last part of your topic: “Here are some commands to enable continual MAC address learning and restrict the number of MAC addresses to 2”.
We’re testing this with 4 different stacks of ers470. The ports are partitioned as we want if someone plugs in a switch and computers (that can be seen in the log)… but… sometimes a port is partitioned and there is no reason (just a simple PC connected or a printer) and we don’t see why (no traps, no multiple entries in the mac/fdb tables, just 1 address associated with the port).
We are also testing this with three 4550… and everything works fine. The same config (I’ll post it tomorrow) is used.
Just for confirmation: mac-security is buggy with ers4700 firmware 3.7x (I found other people who have tested it and had the same bug…).
Hi Michael,
“Is the number 448 the maximum size no matter how many units are in one stack?”