03-10-2010 06:10 AM - edited 03-06-2019 10:05 AM
Hi guys,
I'm looking for a way to block a switch port dynamically on a 3750 when someone connects an Access Point. I have the following configuration so far:
interface GigabitEthernet1/0/30
switchport access vlan 27
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
Is there a spanning-tree or any other feature that can help me achieve what I want?
Thanks in advance.
Regards,
Juan
03-10-2010 06:21 AM
Hello Juan,
The command "spanning-tree bpduguard enable" will take care of that for you. If for example someone connects a switch to that port it will take the port down.
HTH
Reza
03-10-2010 06:33 AM
Hello Reza,
Thank you for the answer. I know BPDU Guard will err-disable the port if it detects any BPDU packet coming into it, so if someone connects a switch, the port will go err-disabled, but what if someone connects an Access Point? I have a 3750 with the configuration I attached in my first email and there is an unauthorized AP working on one of the ports of that switch... I need to know if there is a command to detect when someone connects an AP and err-disables the port dynamically. It seems that BPDU Guard does not work for this scenario.
Regards,
Juan
03-10-2010 07:23 AM
Hello Juan,
Not very familiar with APs but I would think it should be just like any other switch or hub. When the port receives an STP BPDU from the AP, it will disable it.
BTW, there was no attachment in your first post.
HTH
Reza
03-10-2010 07:37 AM
I thought exactly what you are saying, that the port should be err-disabled when you connect the AP, but it didn't happen... Here is the switchport configuration:
interface GigabitEthernet1/0/30
switchport access vlan 27
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!
Gi1/0/30 connected 27 a-full a-100 10/100/1000BaseTX
Port status is CONNECTED, so it didn't get blocked.
Unfortunately I don't have access to the AP, so I can't show you the AP's config.
Regards,
Juan
03-10-2010 07:48 AM
Hi Juan,
Is your requirement that whenever somebody connects an AP to your interface gi1/0/30 the interface goes down, or that when somebody connects an AP and accesses the LAN, at that time the port goes into a down state?
If the first is the case, then as you have a 3750 switch, block the MAC address of the AP which is known to you at the switch port level by VLAN access-map configuration; check out the below link on the same.
Whereas BPDU Guard will only come into play on the reception of BPDUs on that port: the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console, and I don't think APs generate BPDUs.
Hope to Help !!
Ganesh.H
03-10-2010 08:22 AM
Hi Ganesh,
Thank you for the reply. I think VLAN access-maps and MAC ACLs are good options but that will work only if I know the AP's MAC address (which I could get using the show mac-address & show arp commands). I also thought about port-security but I was looking more for a command that will cause the switch port to go immediately "err-disable" when someone connects an Access Point, but it seems Cisco doesn't have such a feature...
Anyway, thank you very much for your time guys!
03-10-2010 08:45 AM
Hi Juan,
Switch port security will work in this fashion: when you encounter a MAC beyond the number specified in the interface command, then it will act on the violation setting. I mean to say a trusted MAC needs to be configured which can access the port; apart from this MAC, if any other comes then the port can be brought down.
Check out the below link for switch port security configuration.
Hope to Help !!
Remember to rate the helpful post
Ganesh.H
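An added configuration example (not from this thread or from Cisco's documentation) showing both of Ganesh's suggestions on the interface and VLAN from the thread: port security that err-disables Gi1/0/30 when a second MAC appears behind it, and a VLAN access-map that silently drops frames from a known AP MAC in VLAN 27. The AP MAC 0011.2233.4455 is a placeholder, assumed to have been read from "show mac address-table".

```cisco
! Added example, not from the original thread.
! Option 1: port security. Only the first MAC learned (sticky) is allowed;
! any additional source MAC on the port triggers "shutdown" (err-disable).
! Caveat: an AP doing NAT shows up as a single MAC, so this only fires when
! the AP bridges its wireless clients onto the wire.
interface GigabitEthernet1/0/30
 switchport mode access
 switchport access vlan 27
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: recover the port automatically 5 minutes after a violation
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Option 2: VLAN access-map. Drop frames from the known AP MAC
! (placeholder 0011.2233.4455) in VLAN 27 without taking the port down.
mac access-list extended ROGUE-AP-MAC
 permit host 0011.2233.4455 any
!
vlan access-map BLOCK-ROGUE-AP 10
 match mac address ROGUE-AP-MAC
 action drop
vlan access-map BLOCK-ROGUE-AP 20
 action forward
!
vlan filter BLOCK-ROGUE-AP vlan-list 27
```

After applying either option, "show port-security interface Gi1/0/30" and "show vlan access-map" confirm the state; a port-security violation is also logged to the console or syslog, which is the event to alert on.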
03-10-2010 09:02 AM
Hi Ganesh,
Thank you for your suggestions. Unfortunately, Cisco doesn't support what I was looking for.
Regards,
Juan
03-10-2010 09:18 AM
Hi Juan,
Agreed, check out the below link; hope it will be useful!!
http://www.airmagnet.com/assets/whitepaper/Rogue_Detection_White_Paper.pdf
Ganesh.H
03-10-2010 09:35 AM
Great document! Thank you very much.