Comments on: Ethernet Routing Switch MAC Address Security
https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/
technology, networking, virtualization and IP telephony
Sat, 30 Oct 2021 18:02:18 +0000

By: syed https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-84465 Wed, 08 Nov 2017 10:50:34 +0000

Hi Michael,

“Is the number 448 the maximum size no matter how many units are in one stack?”

By: karky https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-6116 Thu, 16 Feb 2012 21:13:25 +0000
In reply to karky.

Just for confirmation: mac-security is buggy with ers4700 firmware 3.7x (I found other people who have tested it and had the same bug...).

By: karky https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-6100 Wed, 15 Feb 2012 19:41:48 +0000

It’s like the last part of your topic: “Here are some commands to enable continual MAC address learning and restrict the number of MAC addresses to 2”.
We’re testing this with 4 different stacks of ERS 470. The ports are partitioned as we want if someone plugs in a switch and computers (that can be seen in the log)... but... sometimes a port is partitioned and there is no reason (just a simple PC or a printer connected) and we don’t see why (no traps, no multiple entries in the MAC/FDB tables, just 1 address associated with the port).
We are also testing this with three 4550s... and everything works fine. The same config (I’ll post it tomorrow) is used.

By: Michael McNamara https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-6099 Wed, 15 Feb 2012 19:03:03 +0000
In reply to karky.

Hi Karky,

What do you have connected to the actual port? Are you limiting the number of MAC addresses per port beyond just enabling MAC security? You might want to check the MAC/FDB table and see how many FDB entries are associated with the port(s) in question. Depending on the configuration you can end up with the same MAC appearing multiple times in the MAC/FDB tables, which will trip up MAC security if you are limiting the number of MAC addresses to be learned.

Cheers!

By: karky https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-6097 Wed, 15 Feb 2012 18:54:59 +0000

Hello

We’re testing MAC security. It seems to work perfectly with the 4550, but with our ERS 470 (firmware 3.7.4) some ports are shut down without reason (no hub behind them, for example).
Has anyone tried mac-security with the ERS 470?

By: Frank https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-5631 Wed, 23 Nov 2011 12:42:37 +0000
In reply to Dominik.

Actually, we just went the NAC route (simple MAC auth, no supplicants on our clients) for exactly that reason. The nice thing about NAC is that once it’s set up properly, it ends up being less work to handle moves, since your end user configuration policies (VLANs, QoS, filtering rules, etc.) follow your users around to whatever port they happen to be plugged into, rather than requiring manual work to keep up with your users.

By: Frank https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-5630 Wed, 23 Nov 2011 12:37:18 +0000
In reply to Michael McNamara.

We’ve been off of our old 8600 core for about a year and a half now, so I can believe things may have changed.

A good chunk of our problems have also come from the fact that our 8300 units, which already are a little twitchy in the control plane, only had 128M mem (and some still do!). This reduces their ability to handle the various loop detection protocols in a timely fashion, and was a good chunk of our problems.

For a neat party trick, log in to an 8300 with multiple uplinks and using STP to block some of them. Type in a grep command, looking for a particular string in the PCMCIA log files, like messages about a problematic port. Hit return, and wonder why the newline doesn’t get echoed back. A few moments later, realize that the grep command is completely monopolizing the CPU, to the point where it’s not bothering to do other unimportant stuff, like processing those BPDU frames. No BPDU, links unblock, core sees a loop, boom.

By: Michael McNamara https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-5623 Wed, 23 Nov 2011 04:27:11 +0000
In reply to Ioannis.

Hi Ioannis,

I haven’t kicked it around myself, but I believe it’s documented in this guide:

http://support.avaya.com/css/P8/documents/100099173

Cheers!

By: Michael McNamara https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-5621 Wed, 23 Nov 2011 04:21:29 +0000
In reply to Frank.

Thanks for the comment Frank!

I’m curious about your comment regarding the upstream loop detection inadvertently disconnecting your edge switches before the protection could kick in at the edge. How long ago did you test this? I tested these features thoroughly about a year ago now and found that with Spanning Tree w/FastStart, BPDU filtering, and rate-limiting on the edge switches, SLPP or CP-LIMIT would not kick in at the core before the edge was locked down.

There have been changes to SLPP where you can reset the counter after a certain interval… and rate-limiting on the edge keeps CP-LIMIT from kicking off immediately.

Cheers!

By: Michael McNamara https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-5620 Wed, 23 Nov 2011 04:16:55 +0000
In reply to Michel.

Thanks for the comment Michel!

By: Dominik https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-5611 Tue, 22 Nov 2011 16:32:18 +0000

Yeah, the whole NAC thing has its ups and downs. I like that you can configure it and it will work with no additional cost out of the box on most Avaya switches. But if you start to activate it on all your access ports, you will quickly have a lot of work to do if some changes are made in your network, e.g. a user moving to another room.

By: Ioannis https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-5603 Mon, 21 Nov 2011 13:21:19 +0000

Nice article and great timing... I was testing MAC filtering a few days ago.

Have you tried MAC authentication against a RADIUS server? Could you give any hint on the configuration required in the switch?
I’m thinking that the best solution for our network (many buildings) is a central RADIUS server which has all the allowed MAC addresses.

By: Frank https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-5599 Sun, 20 Nov 2011 13:37:30 +0000

Here’s another dirty trick you can use MAC security for.

We’ve had a couple of buildings which had more than their fair share of loops created (bored student in a study room in the library with two ports and a patch cord…). Loop detection would of course down one of the ports, but every now and then the upstream loop detection would fire off as well, taking the whole building switch down. The edge loop detection simply couldn’t kill the loop fast enough to guarantee that the upstream loop detection wouldn’t fire.

So, in addition to spanning tree, we also configured mac security with auto learning and a max of 8 addresses on each port. This ends up downing a looped port within 10 or 20 packets, far faster than most other loop detections.

Of course, there’s one catch (isn’t there always?). If you configure this on an 8300, you need to be aware that the list of auto-learned addresses never times out until it’s manually cleared or the link is physically downed. If you have a port with a cheapo switch at the other end and max addresses set to 8, you can have one different person plug in per week, and on the 9th week the port will go down. Other than that... let’s call it a quirk... it’s worked great for us.

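Frank's loop-killing use of MAC security and the 8300 "never ages out" quirk, as an added example that is not from the original post or from Avaya: a toy Python model of a port that partitions itself once more than max_addrs distinct source MACs have been learned. The port class, the aging flag, the two scenario functions and the sample MAC addresses are constructed for illustration, not vendor behaviour.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample MAC addresses (locally administered, not real hosts).
VLAN_HOSTS = [f"02:00:00:00:00:{i:02x}" for i in range(64)]

@dataclass
class MacSecurePort:
    """Toy model of one MAC-secured access port (assumption, not vendor code)."""
    max_addrs: int                  # auto-learn limit, e.g. 8 as in the post
    ages_out: bool = False          # False models the 8300 quirk: no expiry
    age_days: int = 7               # expiry window, used only when ages_out
    learned: dict = field(default_factory=dict)   # src MAC -> last-seen day
    disabled: bool = False

    def ingress(self, src_mac: str, day: int = 0) -> bool:
        """Process one frame; return True while the port stays up."""
        if self.disabled:
            return False
        if self.ages_out:   # drop entries not seen within the window
            self.learned = {m: t for m, t in self.learned.items()
                            if day - t < self.age_days}
        if src_mac in self.learned or len(self.learned) < self.max_addrs:
            self.learned[src_mac] = day
        else:
            self.disabled = True    # violation: partition the port
        return not self.disabled

def frames_until_trip_in_loop(max_addrs: int, vlan_hosts) -> Optional[int]:
    """Loop scenario: flooded frames from every VLAN host come back in on the
    looped port, so each frame carries a new source MAC. Returns the frame
    count at which the port goes down (None if it never does)."""
    port = MacSecurePort(max_addrs=max_addrs)
    for n, mac in enumerate(vlan_hosts, start=1):
        if not port.ingress(mac):
            return n
    return None

def weeks_until_trip(max_addrs: int, ages_out: bool, weeks: int) -> Optional[int]:
    """Cheap-switch scenario: one new visitor per week behind the port."""
    port = MacSecurePort(max_addrs=max_addrs, ages_out=ages_out)
    for week in range(1, weeks + 1):
        visitor = f"02:00:00:00:01:{week:02x}"   # constructed per-week MAC
        if not port.ingress(visitor, day=7 * week):
            return week
    return None
```

With a limit of 8, the looped port drops on the 9th distinct source MAC, and without aging the "one visitor per week" port drops in week 9, while an aging table never trips.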
By: Michel https://blog.michaelfmcnamara.com/2011/11/ethernet-routing-switch-mac-address-security/comment-page-1/#comment-5590 Sat, 19 Nov 2011 00:59:24 +0000

Great article.
As you said, it is not easy to control each port. It is important to say what kind of hardware supports that configuration. Imagine how to control that in a telecommunications company!
