Denying traffic for unknown routers/WAPS

kevin.mcguire
Level 1

I support several SG200-26p Small Business switches.  As our networking has grown more complex, I'm now starting to venture beyond basic configurations.

With the 200 series switches, is it possible to deny service / turn off a port if an unknown WAP, Switch or additional router is detected on the SG200?

Thanks!

4 Replies

mdobiac
Level 3

Hello kevin.mcguire@disney.com,

Here is a link to the admin guide:  http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbss/sf20x_sg20x/administration_guide/78-21139.pdf

Page 262 is the beginning of the port security configuration section.

Here is some of the information you may be interested in:


Port Security has four modes:
• Classic Lock—All learned MAC addresses on the port are locked, and the port does not learn any new MAC addresses. The learned addresses are not subject to aging or re-learning.
• Limited Dynamic Lock—The device learns MAC addresses up to the configured limit of allowed addresses. After the limit is reached, the device does not learn additional addresses. In this mode, the addresses are subject to aging and re-learning.
• Secure Permanent—Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port (set by Max No. of Addresses Allowed). Relearning and aging are disabled.
• Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.

Hope this helps,


Michael D.

If this post is helpful please rate or mark as correct.
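To make the difference between the first two modes concrete, here is an added example (written for this page, not code from the Cisco admin guide or from either poster) that simulates Classic Lock and Limited Dynamic Lock over a constructed frame trace: an access point plugged into one switch port, with its own MAC followed by two wireless clients bridged through the same port. The MAC addresses, timestamps, address limit and aging time are all placeholders chosen for illustration; the behaviour modelled is the one the guide excerpt above describes (Classic Lock freezes the learned set with no aging; Limited Dynamic Lock learns up to a limit and ages entries out).

```python
"""Simulate two SG200 port-security modes over a constructed frame trace.

Added example, not part of the Cisco admin guide or the forum thread.
Frames are (time_in_seconds, source_mac). "forward" means the frame is
accepted on the port, "drop" means port security blocks it.
"""
from dataclasses import dataclass, field


@dataclass
class LimitedDynamicLock:
    """Learn source MACs up to max_addresses; learned entries age out after aging_secs."""
    max_addresses: int
    aging_secs: int
    learned: dict = field(default_factory=dict)  # mac -> last time seen (seconds)

    def handle(self, mac: str, now: int) -> str:
        # Expire stale entries first: this mode is subject to aging and re-learning.
        self.learned = {m: t for m, t in self.learned.items() if now - t < self.aging_secs}
        if mac in self.learned:
            self.learned[mac] = now
            return "forward"
        if len(self.learned) < self.max_addresses:
            self.learned[mac] = now  # still below the limit, learn it
            return "forward"
        return "drop"  # limit reached, unknown source MAC


@dataclass
class ClassicLock:
    """Addresses present when the lock was applied are frozen; nothing else is ever learned."""
    learned: frozenset

    def handle(self, mac: str, now: int) -> str:
        return "forward" if mac in self.learned else "drop"


# Constructed trace (placeholder MACs): the AP's own MAC first, then two
# wireless clients whose frames arrive through the same switch port.
AP_MAC, CLIENT_A, CLIENT_B = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
TRACE = [
    (0, AP_MAC),
    (1, CLIENT_A),
    (2, AP_MAC),
    (5, CLIENT_B),
    (400, CLIENT_A),  # long after the AP's entry would have aged out (aging assumed 300 s)
]


def run_trace(policy, trace=TRACE):
    """Return [(time, mac, action)] for each frame in the trace under the given policy."""
    return [(t, mac, policy.handle(mac, t)) for t, mac in trace]


def drop_count(results):
    return sum(1 for _, _, action in results if action == "drop")


if __name__ == "__main__":
    scenarios = [
        ("Limited Dynamic Lock, max 1, aging 300 s", LimitedDynamicLock(1, 300)),
        ("Limited Dynamic Lock, max 3, aging 300 s", LimitedDynamicLock(3, 300)),
        ("Classic Lock on AP MAC only", ClassicLock(frozenset({AP_MAC}))),
    ]
    for name, policy in scenarios:
        results = run_trace(policy)
        print(f"{name}: {drop_count(results)} of {len(results)} frames dropped")
        for t, mac, action in results:
            print(f"  t={t:>3} {mac} -> {action}")
```

Run with a limit of 1, the AP's frames pass but both wireless clients are dropped, and a client is only accepted once the AP's entry has aged out; with a limit of 3 everything passes. Classic Lock applied after only the AP was learned drops the clients for good, since nothing is relearned. That is the practical consequence of locking a port that has an AP or a downstream switch behind it: the limit has to be sized for every MAC that will appear on the port, not just the device plugged into it.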


Michael,


Thanks for the information.  I had looked at this, but the environment in which this network exists is fairly dynamic; it's set up so any users in the facility can connect to the network with computers/tablets/smartphones.  If we implemented MAC address locking, that would require a level of administrative support that's not available at the location.

This is why I was thinking along the lines of the ports being able to sense that packets being received are coming from a router.  If that's an available option that triggers a port shutdown, that would be the best answer for our needs.

Hello kevin.mcguire,

At the access level on a network there are limited options for port security.  For APs, using the Limited Dynamic Lock will be an option, or a guest wireless VLAN for phones/tablets.  For devices that will not move locations, Secure Permanent will be an option.  Also in the admin guide you will probably want to look at 802.1X for port-based access control; this may be your most viable option, and it starts on page 265.

After that it will come down to the network.  If you have other security options, you can use RADIUS authentication or being part of a domain.

Any ports not in use should be administratively shut down to avoid rogue connections.  Then the other physical standard security practices.

Hope this helps,

Michael D.

If this post is helpful please rate or mark as correct.
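The original question was whether the switch can notice a rogue router, switch or AP on its own. Port security and 802.1X enforce, they do not classify, so an added example (written for this page, not something the SG200 firmware or either poster provides) shows the heuristic a practitioner would run from a management host instead: export the switch's dynamic MAC address table, ignore the declared uplink, and flag any access port with more than a handful of distinct source MACs behind it, since a single client does not produce that but a downstream switch or AP bridging several clients does. A second check matches MAC OUIs against a deny list. The table layout ("port vlan mac"), the port names, the uplink port, the MAC threshold and the OUI in the deny list are all constructed placeholders, not the real export format or real vendor assignments.

```python
"""Heuristic rogue switch/AP detector over a constructed MAC address table dump.

Added example, not part of the forum thread or the SG200 firmware.
Input format, port names, threshold and OUI list are placeholders.
"""
from collections import defaultdict

MAX_MACS_PER_ACCESS_PORT = 2   # assumption: more than this on one access port is suspicious
UPLINK_PORTS = {"gi26"}        # assumption: gi26 is the uplink and legitimately carries many MACs
SUSPECT_OUIS = {"de:ad:be"}    # placeholder OUI prefix, not a real vendor assignment

# Constructed dump in a simple "port vlan mac" layout (not the switch's real export).
SAMPLE_MAC_TABLE = """
Port VLAN MAC
gi1  1 00:11:22:33:44:01
gi2  1 00:11:22:33:44:02
gi3  1 00:11:22:33:44:03
gi3  1 00:11:22:33:44:04
gi3  1 00:11:22:33:44:05
gi3  1 00:11:22:33:44:06
gi7  1 DE:AD:BE:EF:00:01
gi26 1 00:11:22:33:44:90
gi26 1 00:11:22:33:44:91
gi26 1 00:11:22:33:44:92
"""


def parse_mac_table(text):
    """Return [(port, vlan, mac)] tuples, skipping the header and malformed lines."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        port, vlan, mac = parts
        entries.append((port.lower(), int(vlan), mac.lower()))
    return entries


def find_rogue_ports(entries, max_macs=MAX_MACS_PER_ACCESS_PORT,
                     uplinks=UPLINK_PORTS, suspect_ouis=SUSPECT_OUIS):
    """Map each suspicious access port to the list of reasons it was flagged."""
    macs_by_port = defaultdict(set)
    for port, _vlan, mac in entries:
        macs_by_port[port].add(mac)

    findings = {}
    for port, macs in sorted(macs_by_port.items()):
        if port in uplinks:
            continue  # the uplink is expected to show the rest of the network
        reasons = []
        if len(macs) > max_macs:
            reasons.append(f"{len(macs)} source MACs behind one access port")
        suspect = sorted(m for m in macs if m[:8] in suspect_ouis)
        if suspect:
            reasons.append("suspect OUI: " + ", ".join(suspect))
        if reasons:
            findings[port] = reasons
    return findings


if __name__ == "__main__":
    for port, reasons in find_rogue_ports(parse_mac_table(SAMPLE_MAC_TABLE)).items():
        print(f"{port}: " + "; ".join(reasons))
```

On the sample table this flags gi3 (four MACs behind one access port) and gi7 (placeholder OUI), and leaves gi1, gi2 and the uplink alone. Two caveats belong with it. A NAT router hides every client behind its own single WAN MAC, so the count heuristic does not see it; only the OUI check might, and a source MAC is trivially changed, so treat that as a hint rather than proof. That is why there is no switch-side option that "senses a router": the reliable controls are the ones named in the reply above, 802.1X with a RADIUS server for ports that carry user traffic and an administrative shutdown for ports that carry none.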


Michael


If the customer did that to the switch port that connects to the AP, all new clients, unknown or known, will NEVER get any service! He needs a RADIUS server and someone to monitor his company network.


Thanks,