I was hoping to use port security on a trunk port which has an AP connected. However, when I enable the port security I lose the AP.
VLAN 4 - Wireless clients
VLAN 5 - Management
switchport trunk native vlan 5
switchport trunk allowed vlan 4,5
switchport mode trunk
switchport port-security mac-address 1234.abcd.1234
With this configuration I removed the trunk native line; this makes the AP drop off the network.
I added switchport port-security to enable the security and this also drops it off the network.
I'm having a brain melt as I'm not sure what the issue is here, after following Cisco guidelines. Ideally I should have the native VLAN as VLAN X, which is purely for untagged traffic, the AP on the management VLAN and the wireless clients on 4, with the port locked so that VLAN 5 on this port is locked to the one MAC address of the AP.
Any help or pointers much appreciated.
Try to post the output of the 'show mac-address-table dynamic interface g1/0/45' before enabling the port-security
What's the state of the port after you enable the port-security (and the AP becomes unreachable)?
Try to post the output of the 'debug port-security'.
Show mac address-table dynamic interface Gi1/0/45
Vlan Mac Address Type Ports
---- ----------- -------- -----
101 1234.abcd.1234 DYNAMIC Gi1/0/45
101 1234.abcd.4321 DYNAMIC Gi1/0/45
When I enabled port security it maintains an open state for a while.
It changes state when a client on VLAN 4 tries to connect to the network. Yet my MAC address is on VLAN 101, or the native VLAN, and thus there should be no lockdown for VLAN 4. So I tried having a different subnet for the native VLAN, but when I do this the AP goes offline also; this might be a VLAN tagging issue with the unit.
Right now I just want to lock the port so the AP can't be changed about or messed with.
When using the "switchport port-security mac-address" command with trunks you should pay attention to the "vlan" parameter. If the VLAN ID is not specified, the native VLAN is used.
Will you please try this command as "switchport port-security mac-address 1234.abcd.1234 vlan 5" and see if that makes any progress.
Thanks for the reply. Yes, I'm aware of the vlan parameter. In fact the above config does have the vlan parameter specified, but because the native VLAN is the same it hides it. If I change the native VLAN to another one then the line has the vlan parameter back in it, but this is when the AP falls off the network as stated above.
Thanks for the feedback. I am sorry I misunderstood your description. If I follow correctly, your AP is connected via native VLAN 5 and you would like to "lock" the port for this AP, not for the wireless clients in VLAN 4.
First of all, if your AP MAC address is 1234.abcd.1234 at Gi 1/0/45 then I do not understand why it is seen within VLAN 101, not VLAN 5; can you please comment.
When configuring the port-security feature with a trunk, there are several (max) counts not to be exceeded. I understand that you wish to have only 1 MAC address at VLAN 5 (specified via the "switchport port-security mac-address 1234.abcd.1234" command). In addition to that you should specify the total max addresses per Gi 1/0/45, i.e. both VLANs 4 and 5 (it is set to only 1 by default!).
The following configuration lines are valid for a typical L2 switch (these can differ for high end boxes):
switchport port-security max value (where value is the maximum number of mac addresses allowed at Gi 1/0/45)
switchport port-security max 1 vlan 5
In addition to that you can specify the default per-VLAN maximum addresses via "switchport port-security max value vlan" (in my view not necessary here).
I hope I understand your aim and my post makes sense. Good luck!
Amikat says all.
Consider also default parameters:
When port security is enabled, the default maximum number of secure MAC addresses is 1 (as already said) and the default violation mode is shutdown.
The violation possibilities are: restrict (drops packets with unknown source addresses and causes the SecurityViolation counter to increment), shutdown (puts the interface into the error-disabled state), shutdown vlan (the VLAN is error-disabled instead of the entire port when a violation occurs).
If you leave the default violation action, in case of a violation the whole interface will be shut down and you'll lose the AP.
I can add... why not manage/control the access of the AP via an ACL on the L3 router gateway or via the internal AP firewall?
The point I'm trying to get to is that no one unplugs the AP and plugs a rogue laptop into the port.
Changing the mode makes no difference, as it just drops traffic flowing through the AP because the AP MAC address is the first seen.
Thanks, so I think I understand what you're saying.
When we enable port security on a port it is across all VLANs if it is a trunk port, and there is no way to just say only VLAN 5 has a violation trigger and VLAN 4 is fine to flow?
Is this the standard practice to secure ports which are within public reach?
My mistake on the pasting it should say VLAN 5 not VLAN 101.
So with an AP the number of MAC addresses over the course of a day can be very high in some areas. So are we saying that in fact it is not possible to lock a port to secure an AP on the network?
To make it clearer, the aim is to stop someone plugging a laptop into the port the AP is plugged into. Although they are either high up or in secure locations, I want to make sure I have covered myself. So the aim is to have the port locked to the AP MAC address but to allow all other traffic to other VLANs through without any port restrictions. Only if someone plugs into the port should the port shut down.
Hope that makes better sense.
Thanks for the feedback. It has been quite some time since my last post to you but I hope I still can understand your aim. If so my suggestion is as follows.
In addition to your "int gi 1/0/45" configuration as appears in your original post can you please add these two configuration commands (under int gi 1/0/45):
switchport port-security max 50
switchport port-security max 1 vlan 5
and please try if the result is as expected.
The number "50" is my estimate of your "very high number"; you can change this according to your real requirements. This configuration should guarantee that only your AP can connect via VLAN 5, and the rest (50 - 1 = 49) can be from VLAN 4 (clients).
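Pulling the thread together, here is the complete Gi1/0/45 stanza as an added example (not a configuration posted by anyone in this thread): the original trunk settings, the total and per-VLAN maximums suggested in the last post, and the "shutdown vlan" violation mode described earlier so that a violation on the management VLAN does not error-disable the whole port. The MAC address and VLAN numbers are the thread's; the total of 50 is the estimate from the last post, and the per-VLAN violation mode and errdisable recovery lines assume a Catalyst platform that supports them.

```cisco
! Global: let the switch recover an error-disabled VLAN/port on its own
! instead of needing a manual shut/no shut after a one-off violation.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet1/0/45
 description Wireless AP - port locked to the AP MAC on the management VLAN
 switchport trunk native vlan 5
 switchport trunk allowed vlan 4,5
 switchport mode trunk
 switchport port-security
 ! Total secure addresses across the whole trunk; the default is 1, which
 ! is what made the first wireless client on VLAN 4 trip the violation.
 switchport port-security maximum 50
 ! Only one address may ever be learned on the management VLAN: the AP.
 switchport port-security maximum 1 vlan 5
 switchport port-security mac-address 1234.abcd.1234 vlan 5
 ! Error-disable just the offending VLAN, not the entire interface, so a
 ! rogue device on VLAN 5 does not also take the VLAN 4 clients down.
 switchport port-security violation shutdown vlan
!
! Verification: confirm the maximums, the violation mode and that the AP
! address is listed as a static secure address on VLAN 5.
show port-security interface GigabitEthernet1/0/45
show port-security address
show mac address-table dynamic interface GigabitEthernet1/0/45
```

If the platform does not offer "violation shutdown vlan", "violation restrict" keeps the port up and only drops unknown-source frames while incrementing the violation counter, which is easier to alert on than a silently shut port.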