03-22-2007 06:19 AM - edited 07-03-2021 01:49 PM
Guys,
What's the best way to prevent a user from plugging an AP into any of the access switches? Is there a feature I can use on the switch that will disable the port instantly when it detects an AP being plugged in?
03-22-2007 07:34 AM
There are a lot of options, many depend on your environment.
Here is what I do to start with:
Develop a template for host ports:
interface FastEthernet0/3
switchport access vlan 23
switchport mode access
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
srr-queue bandwidth limit 70
power inline never
no mdix auto
no cdp enable
storm-control broadcast level 10.0
storm-control multicast level 40.00
storm-control unicast level 70.00
storm-control action shutdown
spanning-tree portfast
spanning-tree bpduguard enable
Globally:
ip dhcp snooping vlan 23
ip dhcp snooping
Enable ip dhcp snooping trust on ports that connect back to the DHCP server, i.e. trunk ports.
You can also enable ip arp inspection, but do so with planning and caution.
If you know the MAC of the host, you can enter it into the port-security parameters. Note that port-security maximum is 1 by default. An AP will appear like a hub or switch connected to your switch, in which case you may see multiple MACs on the same switch port.
These are just a few parameters that can be set, but it really depends on your environment.
03-22-2007 10:26 PM
thanks for the prompt response.
So I could essentially configure port security with a max of 3 (to cater for VoIP). That way, if someone plugs an AP into that same port, it will be disabled, given the fact that several MAC addresses will flood through that very same port once the AP is live.
Would this work as well?
03-23-2007 02:06 AM
Also, to add on to this: will using the "set port host" command work as well? From what I understand, running this command on a given port sets the port up in such a way that it can only accept connections from a workstation and nothing else.
Any ideas on this?
Reference:
03-23-2007 06:22 AM
Yes, but I believe "set port host" is CatOS; the IOS equivalent is "switchport host". Both are essentially macros that set the port to access mode and spanning-tree portfast. It can be typed in as little as 4 letters: "sw ho". You could go as far as to write your own macro that adds switchport access vlan ... (your vlan) as well. Setting the port to access mode is an important step, but adding ip dhcp snooping protection and port security further enhances the security.
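The "write your own macro" suggestion above, worked through as an added example (this is not configuration from the thread or from Cisco documentation). It assumes a Catalyst IOS switch that supports user-defined Smartport macros ("macro name" / "macro apply"); VLAN 23, the FastEthernet0/1 - 24 range and the GigabitEthernet0/1 uplink are placeholders for the reader's own topology. The macro bundles the access-mode, port-security, BPDU guard and storm-control settings from the template earlier in the thread so that one command per port applies all of them consistently.

```ios
! Added example: user-defined Smartport macro for host-facing ports.
! Inside a macro definition, comment lines start with "#"; "$vlan" is a
! parameter supplied when the macro is applied.
macro name host-port
 # keywords $vlan
 switchport mode access
 switchport access vlan $vlan
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 5
 no cdp enable
 power inline never
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 10.00
 storm-control multicast level 40.00
 storm-control unicast level 70.00
 storm-control action shutdown
@
!
! Apply it to every user-facing port in one step (range and VLAN are
! assumed values). IOS records "macro description host-port" on each
! interface, which makes audited ports easy to find in "show run".
interface range FastEthernet0/1 - 24
 macro apply host-port $vlan 23
!
! Global settings the interface macro cannot carry: DHCP snooping on the
! user VLAN, with only the uplink toward the DHCP server trusted.
ip dhcp snooping vlan 23
ip dhcp snooping
!
interface GigabitEthernet0/1
 description uplink to distribution (assumed)
 switchport mode trunk
 ip dhcp snooping trust
```

Verify with "show parser macro name host-port" that the definition was stored, and with "show port-security interface FastEthernet0/1" that the maximum of 1 and the restrict action took effect on a sample port; the "switchport host" macro alone leaves port-security and DHCP snooping unconfigured.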
03-23-2007 06:29 AM
If you set the max to 3, only 3 devices will be able to connect. Port security will not protect against someone plugging in a router doing NAT. The router will do an inline MAC rewrite on traffic coming through it, so that all traffic coming through it appears to come from the router's interface that is plugged into your switch.
When you say "cater for VoIP", are you planning on putting an IP phone on the port?
Are you using a Cisco VoIP phone? Some models like the 7970 have a 3-port switch built in. You will definitely want the switch port in access mode if you do not want people hanging devices off the phone's switch port.
03-26-2007 07:31 PM
I seem to not be getting the desired results.
I have a Cisco access point connected to one of the edge switches. What I wanted to do was to test a feature whereby the following would occur:
- If a switchport detects several MAC addresses coming through that one designated port, consider it a violation, as a user has plugged in an unauthorised switch/hub/AP.
- Proceed to shut down the port.
I loaded the following commands onto the port in question:
switchport port-security maximum 3
switchport port-security violation shutdown
However, I noticed that even if I have 6 wireless users hanging off that one Cisco access point, the port doesn't detect these additional 6 MAC addresses. It still continues to see just one MAC address, and that's the Cisco access point's. Thus it never notices that a violation has occurred.
Is there something more that I should be doing?
03-27-2007 06:33 AM
Do a "show port-security" on the switch. It should look similar to the following:
Zone1#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation
                 (Count)      (Count)         (Count)
---------------------------------------------------------
      Fa0/1            1            0             358
      Fa0/2            1            0               0
      Fa0/3          400            1               0
      Fa0/4          400            0               0
      Fa0/5          400           22               0
      Fa0/6            1            1               0
      Fa0/7            1            1               0
      Fa0/8            1            0               0
If you look at Fa0/1, there were lots of violations, but the current count is 0, while Fa0/3 - 5 have a max of 400 MACs and there are 22 clients on port Fa0/5.
NOTE: I use restrict instead of shutdown for our needs.
Just out of curiosity, are you using LWAPP access points? The reason I ask is that with traditional access points you would see the additional client MACs on the switch port as well, just like a wired switch or hub would do. We are running LWAPP APs and we do not see additional client MACs on the switch port connected to the AP; perhaps that MAC info is sent encrypted to the controller via LWAPP. For example: I have a Cisco 1020 by my desk with 2 laptops associated to it, but all I see when I do a "sh mac-addr inter fa0/9" is the Ethernet MAC of the AP.
(Cisco Controller) >show client summary
Number of Clients................................ 16
00:14:a5:b8:87:7c PF_Atrium Probing N/A No 802.11b 1
00:14:a5:e1:18:d4 MRoom_15 Associated 1 Yes 802.11b 1
00:17:59:9f:63:ba lounge Associated 2 Yes 802.11b 1
00:17:59:9f:63:e0 lounge Associated 2 No 802.11b 1
So the switch has no knowledge of multiple MACs on the port, but the controller has the info per AP. In essence, the AP's CAM (MAC) table is tunneled through LWAPP to the controller and the switch does not know of it.
To prove my theory, I placed port security on the switch port connected to the AP:
lounge#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)      (Count)         (Count)
-----------------------------------------------------------------------------
      Fa0/9            1            1               0           Restrict
I do not exceed the count.
Yet I have multiple clients on the AP:
(Cisco Controller) >show client summary
00:02:2d:6b:b4:02 lounge Associated
00:13:ce:53:08:32 MRoom_15 Associated
00:13:ce:9e:8c:d6 PF_Atrium Probing
00:17:59:9f:63:ba lounge Associated
00:17:59:9f:63:c0 lounge Associated
So, if you are using LWAPP, port security will not limit users per AP after all.
If you are not, then the problem lies elsewhere. What is the output of
"sh port-security" and
"lounge>sh mac-address-table | include Fa0/..."?