01-22-2014 01:04 AM - edited 03-07-2019 05:43 PM
Hello everyone.
I'm building a setup where I have a C2960 switch connected to a Cisco AP-1142.
The switch and access point will have 2 vlans, one for business use and one for guests (internet only).
So between the switch and the AP i plan to have a dot1q trunk.
I'm worried that somebody who is connected to the guest network (which has a password anyone can get from the reception) can execute a CAM overflow attack which will overload the switch.
What feature would you suggest that would prevent this?
01-22-2014 05:01 AM
Port security will allow you to limit the number of MAC addresses learned on that switchport, but it's difficult to implement for an Access Point port because it's going to have lots of MAC addresses depending on the amount of Wi-Fi users connected.
How many are you expecting to connect roughly?
You could enable port security and set the maximum to something like 25 or 50 and combine this with an aging time so the switch removes the learned MAC addresses once they have become inactive for X amount of time.
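The port-security configuration the reply above describes, written out as an added example for a Catalyst 2960 running IOS (this is not configuration from the original thread). It assumes VLAN 10 is the business VLAN, VLAN 20 is the guest VLAN, the native VLAN is left at 1 for the AP's own management (BVI) traffic, and GigabitEthernet0/1 is the dot1q trunk to the AP-1142; adjust those to your numbering. Per-VLAN maximums are used so a flood on the guest SSID cannot consume the business VLAN's allowance, `restrict` is chosen over the default `shutdown` so a CAM-flood attempt drops the excess addresses and logs rather than taking every wireless user offline, and inactivity aging frees slots left behind by clients that have roamed away.

```cisco
! Added example, not from the thread. Assumptions: VLAN 10 = business,
! VLAN 20 = guest, native VLAN 1 carries the AP's management (BVI) MAC,
! Gi0/1 is the trunk to the AP-1142.
vlan 10
 name BUSINESS
vlan 20
 name GUEST
!
interface GigabitEthernet0/1
 description dot1q trunk to AP-1142
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,10,20
 !
 ! Enable port security on the trunk; the per-port maximum must cover the
 ! sum of the per-VLAN maximums plus the AP's own MAC on the native VLAN.
 switchport port-security
 switchport port-security maximum 61
 switchport port-security maximum 10 vlan 10
 switchport port-security maximum 50 vlan 20
 !
 ! restrict: drop frames from addresses beyond the limit, increment the
 ! violation counter and send a syslog/SNMP trap, but keep the port up.
 switchport port-security violation restrict
 !
 ! Age a learned address out after 10 minutes without traffic so a full
 ! table recovers on its own once the flooding client is gone.
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Verification after some clients have associated:
!   show port-security interface GigabitEthernet0/1
!   show port-security address
!   show mac address-table count
```

If you prefer `violation shutdown`, add `errdisable recovery cause psecure-violation` and `errdisable recovery interval 300` globally so the port comes back without manual intervention; otherwise a single flood takes the AP offline until someone runs `shutdown` / `no shutdown` on the port. Watch `show port-security address` for a week before fixing the maximums, since the right numbers depend on how many devices actually roam through the AP.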
01-22-2014 05:10 AM
You need to look into DHCP snooping together with Dynamic ARP Inspection (DAI) for this.
Basically DHCP snooping listens in to the DHCP requests and builds a table of IP-to-MAC bindings. DAI then listens to all ARP requests and verifies that the IP-to-MAC mappings are valid, i.e. they are in the DHCP snooping database. If they are not then they are not allowed.
If you configure a static IP on the client the traffic will not be allowed because there is no entry for it in the DHCP snooping database.
If you do need to allow certain static IPs you can manually add these so that they are not dropped.
See this link for details. The chapter linked to is for DHCP snooping and the next chapter is for DAI -
see also this white paper -
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html
Jon
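The DHCP snooping plus DAI configuration Jon describes, written out as an added example for a Catalyst 2960 (this is not configuration from the original thread or the linked documents). It assumes VLANs 10 and 20 as above, that the DHCP server is reached through GigabitEthernet0/24 (the only port that should be trusted), and that one guest printer with a static address 10.20.0.50 / 0011.2233.4455 must keep working; all of those values are placeholders. The example also includes the two settings that most often bite in practice: raising the DAI rate limit on the AP trunk, because the default 15 ARP packets per second is sized for a single host and an AP trunk aggregates dozens, and persisting the snooping binding table so a switch reload does not leave every client's ARP blocked until its lease renews.

```cisco
! Added example, not from the thread. Assumptions: VLANs 10/20 as above,
! Gi0/24 = uplink toward the DHCP server, Gi0/1 = trunk to the AP-1142,
! 10.20.0.50 / 0011.2233.4455 = a hypothetical static guest host.
!
! --- DHCP snooping: build the IP-to-MAC binding table ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Many DHCP servers discard relayed packets carrying option 82 from a
! non-relay (giaddr 0.0.0.0); disabling insertion avoids that failure mode.
no ip dhcp snooping information option
! Keep bindings across a reload so DAI does not block every client
! until it renews its lease.
ip dhcp snooping database flash:dhcp-snooping.db
!
! --- Dynamic ARP Inspection: drop ARP that does not match a binding ---
ip arp inspection vlan 10,20
! Also sanity-check the Ethernet and ARP header fields against each other.
ip arp inspection validate src-mac dst-mac ip
! Bring a port back automatically if a burst trips the DAI rate limit.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! --- Static host that never sends DHCP: allow it explicitly ---
arp access-list GUEST-STATIC-HOSTS
 permit ip host 10.20.0.50 mac host 0011.2233.4455
ip arp inspection filter GUEST-STATIC-HOSTS vlan 20
!
interface GigabitEthernet0/24
 description Uplink toward DHCP server
 switchport mode trunk
 ! Only the path to the real DHCP server is trusted; DHCP OFFER/ACK
 ! arriving on any other port is dropped as a rogue server.
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/1
 description dot1q trunk to AP-1142 (untrusted: clients live behind it)
 ! Default untrusted limit is 15 pps; an AP trunk carries many hosts.
 ip arp inspection limit rate 100 burst interval 1
!
! Verification:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 20
!   show ip arp inspection statistics vlan 20
```

Note what each control covers: DAI stops ARP spoofing and, as Jon says, blocks hosts that set their own IP without a binding, while the MAC-learning limit on the port-security side is what caps the number of addresses a guest can push into the CAM table; the two are complementary and are normally deployed together on a guest VLAN. Check `show ip arp inspection statistics` after enabling DAI on a busy VLAN before tightening the rate limit further.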