Dynamic port blocking when connecting an AP

Unanswered Question
Mar 10th, 2010

Hi guys,

I'm looking for a way to block a switch port dynamically on a 3750 when someone connects an Access Point. I have the following configuration so far:

interface GigabitEthernet1/0/30
switchport access vlan 27
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!

Is there a spanning-tree or any other feature that can help me achieve what I want?

Thanks in advance.

Regards,

Juan

Reza Sharifi Wed, 03/10/2010 - 06:21

Hello Juan,

The command "spanning-tree bpduguard enable" will take care of that for you.  If for example some one connects a switch to that port it will take the port down.

HTH

Reza

Juan Pablo Corr... Wed, 03/10/2010 - 06:33

Hello Reza,

Thank you for the answer. I know BPDU Guard will err-disable the port if it detects any BPDU packet coming into it, so if someone connects a switch, the port will go err-disabled, but what if someone connects an Access Point? I have a 3750 with the configuration I attached in my first email and there is an unauthorized AP working on one of the ports of that switch... I need to know if there is a command to detect when someone connects an AP and err-disables the port dynamically. It seems that BPDU Guard does not work for this scenario.

Regards,

Juan

Reza Sharifi Wed, 03/10/2010 - 07:23

Hello Juan,

Not very familiar with APs but I would think it should be just like any other switch or hub.  When the port receives STP BPDU from the AP, it will disable it.

BTW, there was no attachment in your first post.

HTH

Reza

Juan Pablo Corr... Wed, 03/10/2010 - 07:37


I thought exactly what you are saying, that the port should be err-disabled when you connect the AP, but it didn't happen... Here is the switchport configuration:

interface GigabitEthernet1/0/30
switchport access vlan 27
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!

Gi1/0/30                     connected    27         a-full  a-100 10/100/1000BaseTX

Port status is CONNECTED, so it didn't get blocked.

Unfortunately I don't have access to the AP, so I can't show you the AP's config.

Regards,

Juan

Ganesh Hariharan Wed, 03/10/2010 - 07:48

Hi Juan,

Is your requirement that whenever somebody connects an AP to your interface Gi1/0/30 the interface goes down, or that when somebody connects an AP and accesses the LAN, at that time the port goes into the down state?

If the first is the case, then as you have a 3750 switch, block the MAC address of the AP (which is known to you) at the switch port level with a VLAN access-map configuration; check out the link below on the same.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Whereas BPDU Guard comes into play only on reception of BPDUs on that port: the BPDU guard operation disables the port that has PortFast configured. BPDU guard transitions the port into the errdisable state and a message appears on the console, and I don't think APs generate BPDUs.

Hope to Help !!

Ganesh.H
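As an added example of the VLAN access-map approach Ganesh describes (this is not configuration from the thread or from the linked Cisco document, and 0011.2233.4455 is a placeholder for the rogue AP's MAC address learned from "show mac address-table interface GigabitEthernet1/0/30"):

```ios
! Added example, not from the original post. Drops every frame whose source
! MAC is the known rogue AP (placeholder 0011.2233.4455) on VLAN 27 and
! forwards everything else. The VLAN map applies to all ports in VLAN 27,
! not only Gi1/0/30, so the AP cannot dodge it by moving to another port
! in the same VLAN.
mac access-list extended ROGUE-AP
 permit host 0011.2233.4455 any
!
vlan access-map BLOCK-ROGUE-AP 10
 match mac address ROGUE-AP
 action drop
vlan access-map BLOCK-ROGUE-AP 20
 action forward
!
vlan filter BLOCK-ROGUE-AP vlan-list 27
!
! Verification:
! show vlan access-map BLOCK-ROGUE-AP
! show vlan filter
! show mac address-table vlan 27
```

Two caveats a practitioner would want. First, this only helps once the AP's MAC is known, and it does nothing if the AP's MAC changes; it does not err-disable the port, it just silently drops the AP's frames. Second, on some Catalyst models a MAC ACL referenced from a VLAN map is matched only against non-IP frames, so test from the AP side that IP traffic is actually dropped before relying on it.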

Juan Pablo Corr... Wed, 03/10/2010 - 08:22


Hi Ganesh,

Thank you for the reply. I think VLAN access-maps and MAC ACLs are good options, but that will work only if I know the AP's MAC address (which I could get using the show mac-address & show arp commands). I also thought about port-security, but I was looking more for a command that will cause the switch port to go immediately "err-disable" when someone connects an Access Point, but it seems Cisco doesn't have such a feature...

Anyway, thank you very much for your time guys!
Ganesh Hariharan Wed, 03/10/2010 - 08:45

Hi Juan,

Switch port security works in this fashion: when the port encounters more MAC addresses than the number specified in the interface command, it acts according to the violation mode. I mean to say a trusted MAC needs to be configured which can access the port; if any MAC other than this one comes in, then the port can be brought down.

check out the below link for switch port security configuration

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html#wp1047714

Hope to Help !!

Remember to rate the helpful post

Ganesh.H
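As an added example of the port-security approach Ganesh describes, applied to the interface from Juan's post (this is not configuration from the thread; the errdisable recovery timer and the verification commands are my additions and the sticky-learned address is whatever host is plugged in first):

```ios
! Added example, not from the original post. Port security is the closest
! thing to the requested behaviour: the port sticky-learns the first source
! MAC it sees and is err-disabled as soon as a second one appears. An AP in
! bridge mode forwards every wireless client's own MAC, so the first client
! that associates trips the violation; the AP itself is one more address.
interface GigabitEthernet1/0/30
 switchport access vlan 27
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
! Optional: bring a violated port back after 5 minutes instead of leaving
! it err-disabled until someone does shutdown / no shutdown by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
! show port-security interface GigabitEthernet1/0/30
! show port-security address
! show interfaces status err-disabled
! show errdisable recovery
```

Why this gets closer than BPDU guard: as Ganesh says, BPDU guard fires only on a received BPDU, and a typical AP bridges without running spanning tree, so it never sends one; port security fires on the second source MAC instead, which is exactly what an AP with clients produces. The gap that remains is an AP that does NAT on its wired side (a home router's WAN port), which presents a single MAC like any PC; that one is caught only if the sticky address was learned from the legitimate host before the AP was plugged in, because its different MAC then counts as the violation.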

Juan Pablo Corr... Wed, 03/10/2010 - 09:02


Hi Ganesh,

Thank you for your suggestions. Unfortunately, Cisco doesn't support what I was looking for.

Regards,

Juan
