2112 Views, 0 Helpful, 2 Replies

Port security for an access port

wender putters
Level 1

Hello everyone.

I'm building a setup where I have a C2960 switch connected to a Cisco AP-1142.

The switch and access point will have 2 vlans, one for business use and one for guests (internet only).

So between the switch and the AP I plan to have a dot1q trunk.

I'm worried that somebody who is connected to the guest network (which has a password anyone can get from the reception) can execute a CAM overflow attack which will overload the switch.

What feature would you suggest that would prevent this?

2 Accepted Solutions


devils_advocate
Level 7

Port security will allow you to limit the number of MAC addresses learned on that switchport, but it's difficult to implement for an Access Point port because it's going to have lots of MAC addresses depending on the number of Wi-Fi users connected.

How many are you expecting to connect, roughly?

You could enable port security and set the maximum to something like 25 or 50 and combine this with an aging time so the switch removes the learned MAC addresses once they have become inactive for X amount of seconds.


Jon Marshall
Hall of Fame

You need to look into DHCP snooping together with Dynamic ARP Inspection (DAI) for this.

Basically DHCP snooping listens in to the DHCP requests and builds a table of IP to MAC bindings. DAI then listens to all ARP requests and verifies that the IP to MAC mappings are valid, i.e. they are in the DHCP snooping database. If they are not then they are not allowed.

If you configure a static IP on the client the traffic will not be allowed because there is no entry for it in the DHCP snooping database.

If you do need to allow certain static IPs you can manually add these so that they are not dropped.

See this link for details. The chapter linked to is for DHCP snooping and the next chapter is for DAI -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swdhcp82.html

See also this white paper -

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html

Jon

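Putting the two accepted answers together on a 2960 running the 12.2(55)SE train linked above, as an added configuration example (not the posters' own config); the interface names, VLAN numbers, limits and the static host's MAC/IP are assumptions:

```cisco
! Constructed example: Gi0/1 is the dot1q trunk to the AP-1142 (VLAN 10 business,
! VLAN 20 guest) and Gi0/24 is the uplink toward the router and DHCP server.
! Interface names, VLAN numbers, limits and the MAC/IP below are assumed values.
!
! --- Reply 1: cap the MACs learned on the AP trunk and age out idle ones ---
interface GigabitEthernet0/1
 description Trunk to AP-1142
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport port-security
 switchport port-security maximum 60
! tighter per-VLAN cap for the guest SSID
 switchport port-security maximum 40 vlan 20
! restrict = drop frames from excess MACs and log/trap, without err-disabling the AP
 switchport port-security violation restrict
! aging time is in minutes, not seconds
 switchport port-security aging type inactivity
 switchport port-security aging time 5
! DAI's default 15 pps ARP limit is too low for a busy AP; the port stays untrusted
 ip arp inspection limit rate 100
!
! --- Reply 2: DHCP snooping plus DAI on both VLANs ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! the default option-82 insertion (giaddr 0) is dropped by some relays/servers
no ip dhcp snooping information option
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! only the uplink is trusted; the AP port and every client port stay untrusted
interface GigabitEthernet0/24
 description Uplink to router and DHCP server
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
!
! static host that must bypass DHCP (placeholder MAC and IP), as Jon describes
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet0/5
!
! let a tripped port recover by itself instead of staying down
errdisable recovery cause arp-inspection
errdisable recovery cause psecure-violation
```

Check the result with `show port-security interface GigabitEthernet0/1`, `show ip dhcp snooping binding` and `show ip arp inspection statistics`.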
