In this day and age network security is becoming more and more of an issue for organizations large and small. There are dozens of Network Access Control (NAC) solutions from a number of high-profile vendors. Unfortunately they can be very costly and painful to deploy. I often get asked about MAC address security and the role it can play in helping to secure a network.
MAC Address Security
There’s definitely a role for MAC address security in both large and small networks. It’s certainly not foolproof in today’s world, but it’s definitely better than nothing. I would say that smaller networks can probably benefit more from MAC address security; it’s a relatively simple and cost effective (free) way to secure your network if you only have a few switches and only a few hundred devices. If you have a few hundred switches or a few thousand devices then MAC address security is still useful, but not to the same degree. Why the difference between large and small networks? The solution doesn’t scale very well, and here’s one large caveat: the MAC Address Security Table can hold up to 448 MAC addresses. As the number of switches increases the management burden increases significantly. In a small network with only a few switches you can easily update the MAC security address table manually and provide a locked-down environment. In larger networks the limitation of the table size will only allow you to use an auto-learned MAC address per port configuration. This is still useful to larger organizations that wish to allow only 1 or 2 MAC addresses per switch port (no hubs on this network please). So MAC address filtering in combination with BPDU filtering can really help to provide some control over that edge switch port.
I personally use MAC security to restrict the number of devices that get connected to a single switch port. We also use MAC security at our smaller branch offices to tightly control what devices get connected to the network. Unfortunately, since the ‘MAC Address Security Table’ can only hold 448 MAC addresses, it’s really not big enough for even a mid-sized organization. If you’re looking to provide some port level security I would suggest you look at 802.1x authentication using RADIUS to authenticate the MAC addresses.
You can use MAC address security lists to create a list of authorized MAC addresses that are allowed to connect to any port associated with that list. This is very helpful if a user moves his/her device between ports: the device will still be authorized, since the MAC address is not tied to a physical port but rather to a list, which is then associated with a set of ports.
When a MAC address violation is detected you have a few options for how to respond. You can partition (isolate) the port where the MAC address violation was detected; this will essentially isolate all devices on the port. You can have the switch filter the destination MAC address (DA) of the offending device. Or you can just alarm via an SNMP trap and the system log and let an engineer or administrator determine what action to take.
Example: you have an IP phone which has an empty PC port on the back of the IP phone. If someone plugs something into the PC port you don’t want to allow that device on the network. If you have the switch configured to partition the port, the switch will cut off the offending device and the IP phone. If you have the switch configured just to filter the DA, then only communications to the offending device will be impeded.
How to set up a MAC security list?
In this example I’ll set up a MAC security list, adding a single MAC address and associating the list with three different ports. This will allow the MAC address to connect to any of the three ports. I’ll also set up the switch so it will partition (isolate) any port where a violation is recorded.
5520-48T-PWR(config)# mac-security enable
5520-48T-PWR(config)# mac-security security-list 1 add 1
5520-48T-PWR(config)# mac-security security-list 1 add 2
5520-48T-PWR(config)# mac-security security-list 1 add 3
5520-48T-PWR(config)# mac-security mac-address-table address 00-25-84-EB-47-5A security-list 1
If you want the switch to actually do something other than just alarm, you should enable intrusion-detect. I set the timer to 2 minutes (120 seconds).
5520-48T-PWR(config)# mac-security intrusion-detect enable
5520-48T-PWR(config)# mac-security intrusion-timer 120
If you don’t want to partition the port but instead just want to filter the offending MAC address, just enable filtering.
5520-48T-PWR(config)# mac-security filtering enable
And finally you need to enable MAC security on the specific ports.
5520-48T-PWR(config)# inter fastEthernet 1-3
5520-48T-PWR(config-if)# mac-security enable
5520-48T-PWR(config-if)# exit
5520-48T-PWR# show mac-security config
MAC Address Security: Enabled
MAC Address Security SNMP-Locked: Disabled
Partition Port on Intrusion Detected: Disabled
DA Filtering on Intrusion Detected: Enabled
MAC Auto-Learning Age-Time: 60 minutes
MAC Auto-Learning Sticky Mode: Disabled
Current Learning Mode: Disabled
Learn by Ports: NONE
I connected an unauthorized device to port 3 and we can see from the logs that the switch is reporting an intrusion.
I 00:00:50:21 50 Link Up Trap for Port: 3
I 00:00:48:19 47 Trap: s5EtrNewSbsMacAccessViolation
I 00:00:48:19 46 Link Down Trap for Port: 3
I 00:00:48:19 45 Bay Secure intruder MAC 00-24-7f-99-84-70 port 3
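To turn those log lines into something a monitoring system can act on, here is an added example (my own code, not from the post or from Avaya) that parses the ERS log format shown above, picks out each "Bay Secure intruder" event, notes whether the matching s5EtrNewSbsMacAccessViolation trap was logged at the same uptime, and tells a known device plugged into the wrong port apart from a completely unknown one. The sample log is the four lines from above, embedded as constructed input; the authorized list is assumed to be the MAC from the security list configured earlier.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four ERS 5520 log lines shown in the post, one per line.
SAMPLE_LOG = """\
I 00:00:50:21 50 Link Up Trap for Port: 3
I 00:00:48:19 47 Trap: s5EtrNewSbsMacAccessViolation
I 00:00:48:19 46 Link Down Trap for Port: 3
I 00:00:48:19 45 Bay Secure intruder MAC 00-24-7f-99-84-70 port 3
"""

# Severity letter, uptime stamp (assumed dd:hh:mm:ss), sequence number, free-text message.
LINE_RE = re.compile(r"^(?P<sev>[A-Z])\s+(?P<uptime>\d{2}:\d{2}:\d{2}:\d{2})\s+(?P<seq>\d+)\s+(?P<msg>.+)$")
INTRUDER_RE = re.compile(r"Bay Secure intruder MAC (?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}) port (?P<port>\d+)")
VIOLATION_TRAP = "s5EtrNewSbsMacAccessViolation"


@dataclass
class Intrusion:
    seq: int
    uptime: str
    mac: str            # normalized to upper case, dash separated
    port: int
    trap_seen: bool     # an access-violation trap was logged at the same uptime
    known_device: bool  # MAC is on our authorized list, i.e. a known device on the wrong port


def parse_intrusions(log_text: str, authorized_macs):
    """Return one Intrusion per 'Bay Secure intruder' line found in the log text."""
    authorized = {m.upper() for m in authorized_macs}
    parsed = [m for m in (LINE_RE.match(l.strip()) for l in log_text.splitlines()) if m]
    trap_times = {m["uptime"] for m in parsed if VIOLATION_TRAP in m["msg"]}
    events = []
    for m in parsed:
        hit = INTRUDER_RE.search(m["msg"])
        if not hit:
            continue
        mac = hit["mac"].upper()
        events.append(Intrusion(
            seq=int(m["seq"]), uptime=m["uptime"], mac=mac, port=int(hit["port"]),
            trap_seen=m["uptime"] in trap_times, known_device=mac in authorized))
    return events


if __name__ == "__main__":
    # Authorized list assumed to be the single MAC added to security-list 1 above.
    for ev in parse_intrusions(SAMPLE_LOG, {"00-25-84-EB-47-5A"}):
        kind = "known device on wrong port" if ev.known_device else "unknown device"
        print(f"seq {ev.seq} port {ev.port}: {kind} {ev.mac}, trap={'yes' if ev.trap_seen else 'no'}")
```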
How to remove a MAC address or MAC security list?
5520-48T-PWR(config)# show mac-security mac-address-table
Number of addresses: 3
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------
Security List Allowed MAC Address Type
------------- ------------------- ---------
1             00-1E-CA-F3-1D-B4   Static
1             00-24-7F-99-84-70   Static
1             00-25-84-EB-47-5A   Static
Let’s remove these MAC addresses from the MAC address table.
5520-48T-PWR(config)# no mac-security mac-address-table address 00-1E-CA-F3-1D-B4
5520-48T-PWR(config)# show mac-security mac-address-table
Number of addresses: 2
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------
Security List Allowed MAC Address Type
------------- ------------------- ---------
1             00-24-7F-99-84-70   Static
1             00-25-84-EB-47-5A   Static
Let’s remove the entire MAC security list.
5520-48T-PWR(config)# no mac-security security-list 1
How to enable automatic learning?
You can also have the switch auto-learn the MAC addresses, either temporarily (leave auto-learning enabled) or permanently (disable auto-learning after you have all the MAC addresses in the table). Here are some commands to enable continual MAC address learning on a port and restrict the number of MAC addresses to 2.
5520-48T-PWR(config)# interface fa 3
5520-48T-PWR(config-if)# mac-security auto-learning port 3 max-addrs 2
5520-48T-PWR(config-if)# mac-security auto-learning port 3 enable
5520-48T-PWR(config-if)# exit
5520-48T-PWR(config)# show mac-security port 3
Port Trunk Security Auto-Learning MAC Number Security Locked-out
---- ----- -------- ------------- ---------- -------------------
3          Enabled  Enabled       2          Disabled
5520-48T-PWR(config)# show mac-security mac-address-table
Number of addresses: 2
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------
0    3    00-1E-0B-79-D5-BC   Automatic
0    3    00-1E-CA-F3-1D-B4   Automatic
Security List Allowed MAC Address Type
------------- ------------------- ---------
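Because the table is capped at 448 entries (the caveat from the start of the post) and auto-learning silently fills it, it is worth auditing the show output rather than eyeballing it. This added example (my own code, not from the post or from Avaya) parses the mac-address-table output in the format shown above, checks the reported count against the rows actually listed, reports the remaining headroom against the 448 limit, flags any port holding more addresses than its max-addrs setting, and lists which entries were auto-learned. The sample output is constructed from the rows above plus one static security-list entry; the per-port limit of 2 is the one configured in this section.

```python
import re
from collections import Counter

MAC_SECURITY_TABLE_CAPACITY = 448  # hard limit noted in the post

# Constructed sample: 'show mac-security mac-address-table' output in the format the
# post shows, with two auto-learned port entries and one static security-list entry.
SAMPLE_TABLE = """\
Number of addresses: 3
Unit Port Allowed MAC Address Type
---- ---- ------------------- ---------
0    3    00-1E-0B-79-D5-BC   Automatic
0    3    00-1E-CA-F3-1D-B4   Automatic
Security List Allowed MAC Address Type
------------- ------------------- ---------
1             00-25-84-EB-47-5A   Static
"""

MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
PORT_ROW = re.compile(r"^(?P<unit>\d+)\s+(?P<port>\d+)\s+" + MAC + r"\s+(?P<type>Static|Automatic)$")
LIST_ROW = re.compile(r"^(?P<list>\d+)\s+" + MAC + r"\s+(?P<type>Static|Automatic)$")
COUNT_ROW = re.compile(r"^Number of addresses:\s*(?P<n>\d+)$")


def parse_mac_table(text: str):
    """Return (reported_count, port_entries, list_entries) from the show output."""
    reported, port_entries, list_entries = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := COUNT_ROW.match(line)):
            reported = int(m["n"])
        elif (m := PORT_ROW.match(line)):          # per-port (auto-learned or static) row
            port_entries.append((int(m["unit"]), int(m["port"]), m["mac"].upper(), m["type"]))
        elif (m := LIST_ROW.match(line)):          # security-list row
            list_entries.append((int(m["list"]), m["mac"].upper(), m["type"]))
    return reported, port_entries, list_entries


def audit_mac_table(text: str, max_addrs_per_port: int = 2):
    """Check count consistency, per-port limits and headroom against the 448-entry table."""
    reported, ports, lists = parse_mac_table(text)
    total = len(ports) + len(lists)
    per_port = Counter((unit, port) for unit, port, _, _ in ports)
    return {
        "count_matches": reported == total,
        "headroom": MAC_SECURITY_TABLE_CAPACITY - total,
        "over_limit_ports": sorted(p for p, n in per_port.items() if n > max_addrs_per_port),
        "auto_learned": sorted(mac for _, _, mac, t in ports if t == "Automatic"),
    }
```

Feed it the output of the show command from a terminal capture and alert when headroom gets low or count_matches is false.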
Cheers!