Trunk, AP and switchport security

berniebbow1
Level 1

I need guidance on how to secure a trunk port which connects to an AP.
The cable from the AP is plugged into a wall socket, and this wall socket is publicly exposed.
The switchport is configured with VLAN 100 as native, and this VLAN is the management VLAN for the AP.
There are also other VLANs allowed on the trunk port, and they're used for different SSIDs.

I would like to block all MAC addresses in the AP management VLAN except the AP's own.

When I execute:

switchport port-security maximum 3 vlan 100

switchport port-security mac-address 503d.e576.3b30 vlan 100

and then

switchport port-security mac-address 503d.e576.0988 vlan 100

I get the error message: Total secure mac-addresses on interface GigabitEthernet1/0/17 has reached maximum limit.

When I execute show run interface GigabitEthernet1/0/17

I can see switchport port-security mac-address 503d.e576.3b30, but vlan 100 is missing.

I've configured a maximum of 3 MAC addresses because when I type show mac address-table interface GigabitEthernet1/0/17 I can see 3 MAC addresses of the AP (one for GigabitEthernet and the other two for DotRadio0 and DotRadio1).

WS-C3750E-48TD-S
IOS 15.0(2)SE10a

5 Replies

burleyman
Level 8

Are you using a wireless controller?


Mike

No, I don't use WLC.

So that means that all the users' MAC addresses will show on that port, which is why you are reaching the max.

If you were using a WLC, all the client MACs would be at the controller's port and not the AP's, because there is a tunnel created from the AP to the WLC that all the client traffic goes through.

Mike

Let's look at my problem from a general point of view.

I need to define 3 MAC addresses which should be allowed to communicate through a switchport.
Since the switchport is a trunk, I'd need to specify a VLAN, so I'd issue this command: switchport port-security maximum 3 vlan 100.
Then I'd define which MAC addresses are allowed on the switchport:
switchport port-security mac-address 503d.e576.0988 vlan 100

My questions are:

1. Why does IOS accept only one MAC address despite the maximum being 3?

2. Why, when I do sh run int, can I not see the VLAN for which the secure MAC address was configured?

It seems to me that the VLAN context for port security is ignored?

Hi,

My explanation to the issue you are experiencing is as follows:

While you have set the maximum of 3 addresses for VLAN 100, your TOTAL maximum is still at the default of 1 (please do not ask me the logic). So, to achieve what you wish, please add the command "switchport port-security maximum 3" (in addition to your current "switchport port-security maximum 3 vlan 100") under the interface Gi1/0/17.

Also, when specifying the "vlan" parameter with "switchport port-security mac-address ...", the native VLAN is taken as the default (which is your VLAN 100), and as such this particular "vlan" parameter is not displayed within the config file. You can check with the "show port-security interface Gi1/0/17 address" and "show port-security interface Gi1/0/17 vlan" commands.

Best regards,

Antonin
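The failing and the corrected interface configuration side by side, as an added example that is not from this thread or from Cisco. It assumes a 3750E running the IOS above, uses the two AP MAC addresses quoted in the question with a placeholder for the third, and picks the "restrict" violation mode as a choice of mine (the default, "shutdown", would take the AP offline on a violation).

```cisco
! BEFORE: only the per-VLAN maximum is raised. The interface-wide maximum
! is still its default of 1, so the second secure MAC address is rejected.
interface GigabitEthernet1/0/17
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 3 vlan 100
 switchport port-security mac-address 503d.e576.3b30 vlan 100
!
! AFTER: raise the interface-wide maximum to match the per-VLAN one, then
! pin all three AP addresses. <THIRD-AP-MAC> is a placeholder; take the real
! value from "show mac address-table interface GigabitEthernet1/0/17".
! "violation restrict" drops and counts offending frames and logs them,
! instead of err-disabling the port (my choice, not the page's).
interface GigabitEthernet1/0/17
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 3
 switchport port-security maximum 3 vlan 100
 switchport port-security violation restrict
 switchport port-security mac-address 503d.e576.3b30 vlan 100
 switchport port-security mac-address 503d.e576.0988 vlan 100
 switchport port-security mac-address <THIRD-AP-MAC> vlan 100
!
! Verification from exec mode. The "vlan 100" keyword is not echoed in the
! running config because 100 is the native VLAN, but the per-VLAN view
! shows the addresses bound to it.
show port-security interface GigabitEthernet1/0/17
show port-security interface GigabitEthernet1/0/17 address
show port-security interface GigabitEthernet1/0/17 vlan
```

Port security on a trunk requires the port to be statically configured as a trunk (no DTP negotiation), which the explicit "switchport mode trunk" above satisfies.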
