cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8086
Views
0
Helpful
12
Replies

how to block an Access Point or home wireless router

TECH-JEFF
Level 1
Level 1

We have an office with some staff bringing in home routers like Linksys, DLink, TP-Link, etc plugging in our network to have a wireless network in their mobile phones.

Sometimes hogs up our bandwidth and exceeds our limits. How do we block these devices via mac address. Our L2 switch is a 2960 Catalyst.

Thanks

Jeff

Jefferson Co
12 Replies 12

Pawan Raut
Level 4
Level 4

You can create mac based acl deny the suspected endpoint mac and allow rest

reference MAC ACL configuration is as below

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_0/security/configuration/guide/n1000v_security/security_9mac_acls.html

@Pawan

I tried the command given in the article, just one quick question, in the command

{permit | deny} source destination protocol

if I will deny the AP/Router, what is the source here and what is the destination here? for the protocol, is it http/https?

Thanks

Jeff

Jefferson Co

I tried typing in this command,

deny <mac-address of the wirless AP/Router> 0000.00ff.ffff<mac address mask> any

it didn't work, so I went on to check possibly a faulty port of the device, I went on and instead denied the port of the source switch (Cisco) but it didn't worl either.

Thanks

Jeff

Jefferson Co

hi,

as mentioned above, you could leverage port security feature on your L2 switch.

switchport port-security
switchport port-security maximum x    <<< x = MAXIMUM MAC ADDRESS
switchport port-security violation shutdown    <<< DEFAULT IS SHUTDOWN

I don't see that working well. It will work if you unplug something and then plug a different device in. If there was nothing plugged in and you plug the router in, it is now the only mac, assuming the user plugs the wan port into your network. It will have 1 ip and 1 mac.Devices behind it will be nat'ed.

Define port security on all ports. After awhile make it sticky. This will add the learned macs to the running config. This won't work if your users move around with laptops and expect to plug in anywhere. Shutdown unused ports.

Just an update, I actually tried doing this:

mac access-list extended <ACL name>

deny any host <device mac address>

went to the interface and typed in

mac access-group <ACL name> in

But this stops any traffic or packets on the port, as in totally no traffic though physical connection lights are still flashing and lit up, there are no connections

I guess this doesn't solve my question since it stopped the whole traffic instead of just the external device (router/AP0.

As for the port security, I've read that and I might give it a try.

As for the IT policy, I guess you guys all know that usually or most of the time, if your boss is a Chinese National (not all but mostly a very old school Chinese) didn't implement any policies, so I guess it's up for us (TECH) to implement this. :)

Thanks for all the inputs, really appreciate the advices. As for the advice about ASA, I guess in my years of using a frewall like other brands, I've had a hard time with ASA, I do know it is one of a secured device but confugration wise eventhough I've used the asdm, still a little different from other firewall devices. I guess there's still a lot of learning to do with ASA.

Jeff

Jefferson Co

I could be wrong with mac acl's but most acls have an implicit deny at the end so you would need to add permit any at the end otherwise everything is blocked.

Port security is a far better solution, by doing what you are doesn't make any sense, as you are being reactive rather than proactive.

In the absence of NAC, it's a good solution, the downside is it can add an administrative overhead, especially in an environment where nodes move around frequently.

Re the question, you are blocking the AP MAC, not that of the associated clients.

Martin

BTW, I've noticed that whenever I entered confide mode and start typing

mac access-lists

before Im able to enter the name, I need to enter

mac access-lists extended (name)

is this ok or is there a difference, because I cant type in the ACL name without typing in the extended.

Thanks

Jeff

Jefferson Co

Martin Carr
Level 4
Level 4

I would guess that this is not included within your IT policy stating what they are doing is prohibited? In addition to the issue you are having, there are also security issues.

Another method in addition is to utilize port-security.

Martin

skpooe001
Level 1
Level 1

Hi,

 

To be honest with you, get the Mac Address which is causing this problems, trace-it to the access port and block it and they will have to come to you eventually.

 

Command to be used on Layer for blocking MAC Addresses.

mac-address-table static 0000.0000.0000 vlan X drop

 

Or just get yourself an ASA and create your internet policies, that way you have full control of your network.

 

Recommendation create an IT policy for this before thing get out of hand.

 

Thanks

devils_advocate
Level 7
Level 7

You need to implement something which is going to prevent users plugging in a home router/switch etc.

Denying by MAC may work but you need to know the MAC (s) first and you need to change the ACL's if they change the device. This approach will work but requires more work on your part.

Ideally your company needs to enforce rules, user education is the best way to go. In my company, if somebody did that, it would be a disciplinary offence.

The best way to block it is to use Port Security and restrict the MAC addresses.

Work out how many MAC addresses are needed per port, one if a single host or two if you have IP phones etc.

Then implement port security and limit the amount of addresses to 1 or 2.

You can even leverage the sticky option so it only allows the first MAC address (es) it sees.

Most switches/routers/ap's will have their own MAC address, combined with two attached hosts will be three which is more than the 1/2 you are allowing with port security.

Enforce the default shut down option and force the users to call when the ports err-disable. 

Personally it would be a warning first, then disciplinary action for a second time....but thats just me :)

Review Cisco Networking for a $25 gift card