Stop Rogue APs

Unanswered Question
Mar 22nd, 2007

Guys,

Whats the best way to prevent a user from plugging an AP to any of the Access switches?Is there a feature i can use on the switch that will disable the port instantly it detects an AP is being plugged in?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Loading.
ericgarnel Thu, 03/22/2007 - 07:34

There are a lot of options, many depend on your environment.

Here is what I do to start with:

develop a template for host ports

interface FastEthernet0/3

switchport access vlan 23

switchport mode access

switchport port-security

switchport port-security aging time 5

switchport port-security violation restrict

srr-queue bandwidth limit 70

power inline never

no mdix auto

no cdp enable

storm-control broadcast level 10.0

storm-control multicast level 40.00

storm-control unicast level 70.00

storm-control action shutdown

spanning-tree portfast

spanning-tree bpduguard enable

globally:

ip dhcp snooping vlan 23

ip dhcp snooping

enable ip dhcp snooping trust on ports that connect back to dhcp server - ie: trunk ports

You can also enable ip arp inspection, but do so with planning & caution

if you know the mac of the host, you can enter it into the port-security parameters. Note, by default port-security max is 1 by default, An ap will appear like a hub or switch connected to your switch in which you may see multiple mac on the same switch port.

These are just a few parameters that can be set, but it really depends on your environment

echelon360 Thu, 03/22/2007 - 22:26

thanks for the prompt response.

So i could essentially configure port security with a max of 3 (to cater for VOIP).That way, if someone plugs in an AP in that same port,it will disable given the fact that several mac addresses will flood through that very same port once the AP is live.

Would this work as well?

echelon360 Fri, 03/23/2007 - 02:06

Also, to add on to this. Will using the "set port host" command work as well?From what i understand, running this command on a given port sets the port up in such a way where it can only accept connections from a workstation and nothing else.

Any ideas on this?

Reference:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_command_reference_chapter09186a00802db72f.html#wp1102006

ericgarnel Fri, 03/23/2007 - 06:22

Yes, but I believe "set port host" is CatOS, the IOS equivilent is "switchport host" Both are essentially macros that set the port to access mode and spanning-tree portfast. It can be typed in as little as 4 letters "sw ho" You could go as far as to write your own macro that adds switchport access vlan ..(your vlan) as well. setting the port to access mode is an important step, but adding ip dhcp snooping protection and port security further enhance the security.

ericgarnel Fri, 03/23/2007 - 06:29

If you set the max to 3, only 3 devices will be able to connect. Port security will not protect against someone plugging in a router doing nat. The router will do an inline mac rewrite on traffic coming thru it so that all traffic coming thru it appears as the routers' interface that is plugged into your switch.

When you say "cater to VOIP", are you planning on putting an ip phone on the port?

Are you using a cisco voip phone? some models like the 7970 have a 3 port switch built in. You will definitely want the switch port in access mode if you do not want people hanging devices off the phone switch port.

echelon360 Mon, 03/26/2007 - 19:31

I seem to not be gettig the desired results.

I have a Cisco AccessPoint connected to one of the edge switches. What i wanted to do was to test a feature whereby the following would occur.

-If a switchport detects several mac-addresses coming through that one designated port.Consider it a violation as either a user has plugged an unautorised switch/hub/ap.

-Proceed to shutdown the port

i loaded the following commands onto the port in qtn

switchport port-security maximum 3

switchport port-security violation shutdown

However, i noticed that even if i have 6 wireless users hanging off that one Cisco AccessPoint, the port doesn't detect these additional 6 mac-addresses. It still continues to just see on mac-address and that's of the Cisco AccessPoint.Thus it never notices a violation has occured.

Is there something more that i should be doing?

ericgarnel Tue, 03/27/2007 - 06:33

Do a show port-security on the switch. It should look similar to the following:

Zone1#sh port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation

(Count) (Count) (Count)

----------------------------------------------------

Fa0/1 1 0 358

Fa0/2 1 0 0

Fa0/3 400 1 0

Fa0/4 400 0 0

Fa0/5 400 22 0

Fa0/6 1 1 0

Fa0/7 1 1 0

Fa0/8 1 0 0

If you look at Fa0/1, there were lots of violations, but current count is 0, while Fa0/3 - 5 have a max of 400 macs and there are 22 clients on port Fa0/5.

NOTE: I use restrict instead of shutdown for our needs.

Just out of curiosity, are you using lwapp access points? The reason I ask, is that with traditional access-points, you would see the additional client macs on the switch port as well , just like a wired switch or hub would do. We are running lwapp APs and we do not see additional client macs on the switch port connected to the AP, perhaps that mac- info is sent encrypted to the controller via Lwapp. For example: I have a Cisco 1020 by my desk with 2 laptops associated to it, but all I see when I do a sh mac-addr inter fa0/9 is the ethernet mac of the AP.

(Cisco Controller) >show client summary

Number of Clients................................ 16

00:14:a5:b8:87:7c PF_Atrium Probing N/A No 802.11b 1

00:14:a5:e1:18:d4 MRoom_15 Associated 1 Yes 802.11b 1

00:17:59:9f:63:ba lounge Associated 2 Yes 802.11b 1

00:17:59:9f:63:e0 lounge Associated 2 No 802.11b 1

So the switch has no knowledge of multiple macs on the port, but the controller has the info per AP. In essence, the AP cam(mac) table is tunneled thru lwapp to the controller and the switch does not know of it.

To prove my theory, I placed port security on the switch port connected to the AP

lounge#sh port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

(Count) (Count) (Count)

----------------------------------------------- Fa0/9 1 1 0 Restrict

I do not exceed the count.

Yet I have multiple clients on the AP

(Cisco Controller) >show client summary

00:02:2d:6b:b4:02 lounge Associated

00:13:ce:53:08:32 MRoom_15 Associated

00:13:ce:9e:8c:d6 PF_Atrium Probing

00:17:59:9f:63:ba lounge Associated

00:17:59:9f:63:c0 lounge Associated

So, if you are using lwapp, port-security will not limit users per AP then afterall.

If you are not, then the problem lies elsewhere. What is the output of

"sh port-security" and

"lounge>sh mac-address-table | include Fa0/..."

Actions

This Discussion

 

 

Trending Topics - Security & Network