Access Violations and Auto Disable
Introduction
This document outlines two key features of the Tellabs OLT that promote security and reliability in the network:
- Access Violation Alarms – The ability to alarm when access violations have occurred. The alarms give the type and location of the violation.
- Port Auto Disable – Allows the system to automatically disable the port when a violation has occurred.
Document Number
ENG-010526
Applies To
The Access Violation alarms are supported by the FP27.1 release and above of the Tellabs OLT and all versions of the ONTs. The SR29 release and above supports the additional capability to alarm the violations without disabling the port.
Feature Description
The system can detect a number of off-normal conditions on ONT ports, alarm the condition, and optionally disable the port:
- Link Flap: Port link state is going up and down repeatedly.
- Max MAC Violation: The configured number of MACs on the port has been exceeded.
- Max Authorized Supplicants Violation: Multiple 802.1x supplicants per port are allowed, and the configured number of supplicants has been exceeded.
- Max Authorized MABs: The maximum number of MAC Authentication Bypass (MAB) MACs has been exceeded on this port.
- RSTP Root Protect Notification: A device below the ONT has attempted to become Root.
- BPDU Guard Violation: BPDUs are being received from an ONT port that was not expected to be sending BPDU frames.
- Loopback Violation: Frames are looped on the port and a MAC learned downstream is seen as the source MAC on an upstream packet.
- BPDU Guard: BPDUs have been detected on the port.
- ACL Mode: The ACL mode has been changed and cannot be applied without a reboot of the PON card or deleting and reapplying ACLs.
Some of these conditions are alarms that when enabled inform the system administrator that the violations are occurring in the network. Some alarms can additionally be used to trigger the port to Auto Disable.
Access Violation Auto Disable
The Access Violation Auto Disable function allows the user to disable the port when one of the triggers specified above is activated. The port can either be permanently deactivated or deactivated for a timeout period. The duration of the disable is specified by the Auto Re-Enable timeout; the default timeout is 5 minutes. The timeout allows the port to come back online without manual intervention once it has expired.
If the timeout value is set to zero then the port will be permanently disabled. The port must be manually disabled and re-enabled to clear the alarm and re-enable access.
If the Alarms/Notification triggers are enabled, but the Auto Disable is not, then in the FP29 load and above, the alarms will be reported, but the port will remain enabled. In releases prior to FP29, both the trigger and alarm/notification flags must be enabled for the alarms to be reported and the port will always be disabled for the duration of the timeout.
The Access Violation Auto Disable is configured in the NAC profile: Profiles->NAC Tab->Edit icon->Ethernet Port Profiles->
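The following is an added example, not Tellabs code, that models the Auto Disable rules described above for a single ONT port: an alarm is reported when the alarm flag is set, the port is disabled only when Auto Disable is also set (from FP29 on), a timeout of zero makes the disable permanent until an administrator cycles the port, and any other timeout re-enables the port on its own. The NacProfile attribute names, the PortGuard class and the pre-FP29 interpretation (both flags required to report, and a reported alarm always disables) are assumptions drawn from the wording above.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NacProfile:
    """Constructed stand-in for the NAC profile settings described above.
    Attribute names are assumptions, not Tellabs' own."""
    alarm_enabled: bool = True          # report the Access Violation alarm
    auto_disable: bool = True           # disable the port when a trigger fires
    auto_reenable_timeout: int = 300    # seconds; default 5 minutes, 0 = permanent


@dataclass
class PortGuard:
    """Tracks one ONT port's enabled state under the Auto Disable rules."""
    profile: NacProfile
    fp29_or_later: bool = True          # FP29+ can alarm without disabling
    enabled: bool = True
    alarms: List[str] = field(default_factory=list)
    disabled_until: Optional[float] = None   # None = not auto-disabled; inf = permanent

    def on_violation(self, kind: str, now: float) -> None:
        p = self.profile
        if self.fp29_or_later:
            report = p.alarm_enabled
            disable = p.alarm_enabled and p.auto_disable
        else:
            # Pre-FP29 behaviour as described above (an interpretation): both
            # flags are needed for the alarm to be reported, and a reported
            # alarm always disables the port.
            report = p.alarm_enabled and p.auto_disable
            disable = report
        if report:
            self.alarms.append(kind)
        if not disable:
            return
        self.enabled = False
        if p.auto_reenable_timeout == 0:
            self.disabled_until = float("inf")   # stays down until an admin cycles it
        else:
            self.disabled_until = now + p.auto_reenable_timeout

    def tick(self, now: float) -> bool:
        """Re-enable the port once the Auto Re-Enable timeout has expired."""
        if self.disabled_until is not None and now >= self.disabled_until:
            self.enabled = True
            self.disabled_until = None
        return self.enabled

    def manual_cycle(self) -> None:
        """Administrator disables and re-enables the port, clearing a permanent disable."""
        self.enabled = True
        self.disabled_until = None
        self.alarms.clear()


if __name__ == "__main__":
    guard = PortGuard(NacProfile())
    guard.on_violation("Link Flap", now=0)
    print(guard.enabled, guard.tick(299), guard.tick(300))  # False False True
```

The timestamps are plain seconds so the model can be driven from a test; a real implementation would use the system clock and the port's actual link events.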

Link Flap Violation
A Link Flap violation occurs when more than 10 Link Up/Down events occur within a minute, or 30 Link Up/Down events occur within 5 minutes.
This typically occurs when the equipment attached to this port has malfunctioned or the cabling or connectors attached to this port are intermittently making connection. The faulty equipment or cabling should be removed or repaired. If this does not remedy the problem it is possible the ONT is faulty and should be replaced.
The Link Flap Violation is configured by enabling the Link Flap Violation attribute within the Ethernet Port Profile.
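As an added example (not Tellabs code), the detector below applies the two thresholds stated above, more than 10 link up/down events within one minute or more than 30 within five minutes, as sliding windows over event timestamps. The class name, the rules argument and the use of plain seconds for timestamps are assumptions.

```python
from collections import deque
from typing import Deque, Optional, Sequence, Tuple


class LinkFlapDetector:
    """Sliding-window counter for the Link Flap rule stated above: more than
    10 link up/down events within 1 minute, or more than 30 within 5 minutes.
    Added example; the class and its rules argument are assumptions."""

    def __init__(self, rules: Sequence[Tuple[int, int]] = ((10, 60), (30, 300))):
        self.rules = list(rules)                 # (max_events, window_seconds)
        self.horizon = max(w for _, w in self.rules)
        self.events: Deque[float] = deque()      # timestamps of link state changes

    def link_change(self, ts: float) -> Optional[str]:
        """Record one Link Up or Link Down event; return a violation text or None."""
        self.events.append(ts)
        # Forget events older than the longest window so memory stays bounded
        while self.events and ts - self.events[0] > self.horizon:
            self.events.popleft()
        for limit, window in self.rules:
            count = sum(1 for t in self.events if ts - t <= window)
            if count > limit:
                return f"Link Flap: {count} link events in {window}s (limit {limit})"
        return None


if __name__ == "__main__":
    # Constructed sample: a cable that bounces once per second
    det = LinkFlapDetector()
    for second in range(12):
        result = det.link_change(second)
        if result:
            print(f"t={second}s {result}")
            break
```

The five-minute rule catches slow flapping that never trips the one-minute rule, which is why both windows are checked on every event rather than only the short one.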


Loopback Detection Violation
The Loopback Detection Violation occurs when the system detects a loopback of packets at an input of an ONT. A Loopback alarm may occur as a result of a reflected packet. This typically occurs when a physical loopback has occurred on the port or between two ports on the system. It has also been seen with certain USB devices under high traffic load, and when certain manufacturers' Ethernet ports restart, that packets are looped back onto the same port. Cabling should be inspected to ensure that the port has not been plugged back into another port on the system. USB hubs should be rebooted/restarted to see whether that triggers the Loopback alert.

If the Loopback Detection Violation is enabled and the Auto Port Disable is set within the NAC profile, then when the condition is detected, the port will be alarmed, and disabled for the duration of the Auto Enable Delay.
Max MAC Violation
The Max MAC Violation occurs when the configured number of MACs on the port has been exceeded. Typically, administrators will configure a maximum number of MACs on a port to limit the number of authenticated users and prevent the proliferation of user switches being placed on ports of the system. This may occur if an ACL has been placed on the port and the number of MACs within the ACL has been exceeded, or when the port profile maximum MACs has been exceeded.
A Max MAC violation occurs when more than the configured number of MACs are learned. This can happen in two scenarios:
- When in N:N mode and the number of MACs configured in an ACL on that port is exceeded.
- When in N:N mode and the Port Profile's "Max MAC" is set and has been exceeded.

The following example shows a Max MACs of three (3) being configured within the ACL profile.

The alarm will indicate the MAC address that caused the MAX MACs Access Violation to be alarmed.

Max Authorized Supplicants Violation
The 802.1x protocol allows one or more users to be authenticated to a RADIUS server on an Ethernet port. The user's traffic is blocked until authentication is successful. The Max Supplicants Violation occurs when more than the configured number of 802.1x clients are attached to the port. The port will be disabled when this occurs until the timeout in the Auto Enable Delay has expired. This alarm indicates that an attempt has been made to add additional devices to the network and the number of 802.1x supplicants has been exceeded. Removing the additional devices from the port will correct the problem.
The maximum number of supplicants is configured in the PAE profile via the Maximum Authorized Supplicants attribute. The PAE profile is in the Profiles Menu, Profiles->Ethernet Port Profiles->PAE Tab.

When the maximum number of supplicants is exceeded, it will be alarmed via the Access Violation alarm and the alarm will indicate the MAC address of the device that caused the violation to occur.

Max MAB Clients Violation
MAB (MAC Authentication Bypass) allows one or more MAC addresses to be authenticated to a RADIUS server on an Ethernet port. The user's traffic is blocked until authentication is successful. The Max MAB Clients Violation occurs when more than the configured number of MAB clients are attached to the port. The port will be disabled when this occurs until the timeout in the Auto Enable Delay has expired. This alarm indicates that an attempt has been made to add additional MAB devices to the network and the number of PAE supplicants has been exceeded. Removing the additional devices from the port will correct the problem.
The maximum number of MAB supplicants is configured in the NAC Profile Maximum Managed MACs attribute. The PAE profile is in the Profiles Menu, Profiles->Ethernet Port Profiles->PAE Tab.
This violation, if detected, will be alarmed with the Access Violation alarm and the Additional Text field will indicate Maximum Authorized MABs.

BPDU Guard Violation
The BPDU Guard Violation indicates that BPDU packets are being received on a port that has BPDU Guard configured. ONT ports are, in most instances, attached to end stations, and end stations in most configurations should not be sending BPDU frames into the ONT. This feature is designed to prevent ports that are not part of the core infrastructure from participating in RSTP and becoming the root bridge of the STP topology. If BPDU Guard is enabled and BPDU frames are seen from that port, Auto Port Disable will be triggered and the port will be disabled.
BPDU Guard is configured in the RSTP profile of the Ethernet port. It can be found in the Profiles Menu->Ethernet Port Profiles->RSTP Tab in the BPDU Guard Violation attribute.

If a BPDU Guard violation is detected, it will be alarmed via the Access Violation alarm and the Additional Text will indicate BPDU Guard.

Root Protect Notification
The Root Protect Notification occurs when the RSTP Profile's "Root Protect Notification" is enabled and a port receives an incoming RSTP BPDU which would result in that downstream port becoming the root of the STP topology. The BPDU will be discarded, and the port will be disabled for the duration of the NAC Profile's "Auto Enable Delay". The alarm will clear after the Auto Enable Delay has expired and the port will be re-enabled.
In most network architectures, the ONT ports should be attached to servers, end stations and devices. If a node below the ONT attempts to become the root of the tree, this typically indicates a misconfiguration or misconnection of the network. The OLT uplinks are normally attached to the core side of the network and the ONTs to end stations; in that configuration it would almost always be a mistake for the root of the spanning tree to be off an ONT port, because in most cases all traffic in the OLT would end up being sent through that ONT port. The BPDU Root Protect Notification prevents the device attached to the ONT from becoming the root of the tree and distorting the normal functioning of the spanning tree. Another way this can occur is misconfiguration of spanning tree attributes on a device below the ONT.
Root Protect Notification is configured in the RSTP profile. The RSTP profile is found in the Profiles Menu->Ethernet Port Profiles->RSTP Profile.

The root protect notification, if enabled, will cause the Access Violation alarm to be sent with an Additional Text field indicating <Root Protect>. The BPDU will be discarded and the port disabled for the duration of the NAC Profile’s Auto Enable Delay timeout.
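The following added example, which is not Tellabs code, shows the two RSTP-profile checks described in the BPDU Guard Violation and Root Protect Notification sections applied to a received BPDU. It parses the standard Configuration/RSTP BPDU body (IEEE 802.1D-2004 clause 9.3) with the struct module, raises BPDU Guard for any BPDU on a guarded port, and raises Root Protect when the advertised root identifier is superior (numerically lower) to the root the OLT currently knows, discarding the frame in both cases. The build_bpdu helper, the sample bridge identifiers and the check_bpdu return convention are constructed for the example.

```python
import struct
from typing import Dict, Optional, Tuple

# Configuration/RSTP BPDU body (IEEE 802.1D-2004 clause 9.3), big-endian:
# protocol id, version, type, flags, root id, root path cost, bridge id,
# port id, message age, max age, hello time, forward delay.
_BPDU = struct.Struct("!HBBB8sI8sHHHHH")


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte bridge identifier: 2-byte priority followed by the 6-byte MAC."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def build_bpdu(root_id: bytes, sender_id: bytes, root_cost: int = 0,
               port_id: int = 0x8001) -> bytes:
    """Constructed RSTP BPDU used as sample input (timer fields in 1/256 s)."""
    body = _BPDU.pack(0x0000, 0x02, 0x02, 0x3c, root_id, root_cost, sender_id,
                      port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    return body + b"\x00"  # Version 1 length field that RSTP appends


def parse_bpdu(payload: bytes) -> Dict[str, object]:
    """Return the fields a root-protect decision needs; reject non-BPDUs."""
    (proto, _version, bpdu_type, _flags, root_id, root_cost, sender_id,
     port_id, *_timers) = _BPDU.unpack_from(payload)
    if proto != 0 or bpdu_type not in (0x00, 0x02):
        raise ValueError("not a Configuration or RSTP BPDU")
    return {"root_id": root_id, "root_cost": root_cost,
            "bridge_id": sender_id, "port_id": port_id}


def check_bpdu(payload: bytes, bpdu_guard: bool, root_protect: bool,
               current_root_id: bytes) -> Tuple[Optional[str], bool]:
    """Apply the RSTP-profile checks to a BPDU received on an ONT port.
    Returns (Additional Text for the Access Violation alarm or None, forward?)."""
    bpdu = parse_bpdu(payload)
    if bpdu_guard:
        # An edge port with BPDU Guard is not expected to send BPDUs at all.
        return "BPDU Guard", False
    if root_protect and bpdu["root_id"] < current_root_id:
        # Fixed-length big-endian bytes compare like integers, and a lower root
        # ID is superior: accepting this BPDU would make the device below the
        # ONT the root. Discard it and raise Root Protect.
        return "Root Protect", False
    return None, True


if __name__ == "__main__":
    core_root = bridge_id(0x1000, "00:00:5e:00:53:01")   # constructed core root
    rogue = bridge_id(0x0000, "00:00:5e:00:53:99")       # constructed device below an ONT
    print(check_bpdu(build_bpdu(rogue, rogue), False, True, core_root))
```

A BPDU that merely relays the known root with a higher path cost passes both checks, which is the normal case for a legitimately attached bridge on a port where only Root Protect is enabled.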
Port Security Violation
The Port Security Access Violation will be alarmed when a sticky MAC has been determined to have moved from the port where it was originally learned. This alarm is used to detect equipment being moved within the OLT. The following alarm will be reported if a Port Security Violation is detected. The alarm will indicate the MAC address that had been learned as a sticky MAC and has since performed a station move. The MAC will be blocked on the new port, and the port will remain enabled. The Port Security Access Violation alarm is not configurable and will be reported for any sticky MAC that performs a station move.
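The three MAC-learning checks described on this page, the Loopback Detection Violation (a MAC learned from the downstream direction reappearing as the source MAC of an upstream packet on the same port), the Max MAC Violation (the alarm carries the MAC that pushed the port over its limit) and the Port Security Access Violation (a sticky MAC seen on a port other than where it was first learned, blocked on the new port while the port stays enabled), all rest on one per-port MAC table, so this added example (not Tellabs code) implements them together. The OntMacTable class, its method names, the per-port limit being uniform and the constructed MAC addresses are assumptions.

```python
from typing import Dict, Optional, Set, Tuple

Violation = Tuple[str, str, str]   # (Additional Text, port, offending MAC)


class OntMacTable:
    """Per-port MAC learning with the Loopback, Max MAC and Port Security
    checks described above. Added example; names are assumptions."""

    def __init__(self, max_macs: int):
        self.max_macs = max_macs                   # Port Profile "Max MAC" (uniform here)
        self.learned: Dict[str, Set[str]] = {}     # port -> MACs learned from upstream frames
        self.downstream: Dict[str, Set[str]] = {}  # port -> source MACs of frames sent out the port
        self.sticky: Dict[str, str] = {}           # sticky MAC -> port where first learned

    def downstream_frame(self, port: str, src_mac: str) -> None:
        """Frame forwarded out of an ONT port: remember the network-side source MAC."""
        self.downstream.setdefault(port, set()).add(src_mac)

    def upstream_frame(self, port: str, src_mac: str,
                       sticky: bool = False) -> Optional[Violation]:
        """Frame received on an ONT port; returns a violation or None."""
        # Loopback: a MAC that only went *out* this port is coming back in as source.
        if src_mac in self.downstream.get(port, ()):
            return ("Loopback", port, src_mac)
        # Port Security: a sticky MAC has performed a station move. The MAC is
        # blocked on the new port; the port itself remains enabled.
        home = self.sticky.get(src_mac)
        if home is not None and home != port:
            return ("Port Security", port, src_mac)
        macs = self.learned.setdefault(port, set())
        if src_mac in macs:
            return None                            # already known, nothing to do
        if len(macs) >= self.max_macs:
            return ("Max MAC", port, src_mac)      # alarm names the MAC that exceeded the limit
        macs.add(src_mac)
        if sticky:
            self.sticky[src_mac] = port
        return None


if __name__ == "__main__":
    # Constructed walk-through on two ONT ports with Max MAC = 2
    table = OntMacTable(max_macs=2)
    for port, mac in [("1/1", "00:00:5e:00:53:01"), ("1/1", "00:00:5e:00:53:02"),
                      ("1/1", "00:00:5e:00:53:03"), ("1/2", "00:00:5e:00:53:01")]:
        print(port, mac, table.upstream_frame(port, mac, sticky=True))
```

The order of the checks matters: loopback and station-move tests run before the count is consulted, so a reflected or moved MAC never consumes one of the port's learning slots.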

Discard Static IP
The Discard Static IP on Untrusted Port Access Violation alarm occurs when the OLT has DAI enabled on a VLAN and a Static IP is detected operating on an untrusted port. With releases greater than SR31.4_604081 the software will detect this violation and block the port for the duration of the auto-disable timeout. The alarm will indicate the MAC that performed the violation and the port on which the violation occurred. The alarm is cleared once the timeout expires and the Static IP is removed from the port.

ACL Mode
The ACL Mode Access Violation occurs when the ACL Mode has been changed from Basic Default Deny to Extended Default Deny and there are existing ACLs on the port. They cannot be properly updated on the ports and so this alarm is raised to inform the user that the ACL behavior may not match their expectations. The existing ACLs will continue to exhibit the existing Basic ACL behavior. To correct the problem, the administrator must do one of two things:
- Reboot the OIU8 card, which will cause all ACLs to be re-applied with the correct Extended ACL behavior.
- Remove all ACLs from all Service Profiles in use, then re-apply them to the service profiles.