Dynamic port blocking when connecting an AP

Hi guys,

I'm looking for a way to block a switch port dynamically on a 3750 when someone connects an Access Point. I have the following configuration so far:

interface GigabitEthernet1/0/30
switchport access vlan 27
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!

Is there a spanning-tree or any other feature that can help me achieve what I want?

Thanks in advance.

Regards,

Juan

10 Replies

Reza Sharifi
Hall of Fame

Hello Juan,

The command "spanning-tree bpduguard enable" will take care of that for you. If for example someone connects a switch to that port, it will take the port down.

HTH

Reza

Hello Reza,

Thank you for the answer. I know BPDU Guard will err-disable the port if it detects any BPDU packet coming into it, so if someone connects a switch, the port will go err-disabled, but what if someone connects an Access Point? I have a 3750 with the configuration I attached on my first email and there is an unauthorized AP working on one of the ports of that switch... I need to know if there is a command to detect when someone connects an AP and err-disables the port dynamically. It seems that BPDU Guard does not work for this scenario.

Regards,

Juan

Hello Juan,

Not very familiar with APs, but I would think it should be just like any other switch or hub. When the port receives an STP BPDU from the AP, it will disable it.

BTW, there was no attachment in your first post.

HTH

Reza

I thought exactly what you are saying, that the port should be err-disabled when you connect the AP, but it didn't happen... Here is the switchport configuration:

interface GigabitEthernet1/0/30
switchport access vlan 27
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!

Gi1/0/30                     connected    27         a-full  a-100 10/100/1000BaseTX

Port status is CONNECTED, so it didn't get blocked.

Unfortunately I don't have access to the AP, so I can't show you the AP's config.

Regards,

Juan

Ganesh Hariharan
VIP Alumni

Hi Juan,

Is your requirement that whenever somebody connects an AP to your interface gi1/0/30 the interface goes down, or that when somebody connects an AP and accesses the LAN, at that time the port goes into the down state?

If the first is the case, then as you have a 3750 switch, block the MAC address of the AP which is known to you at the switch port level by VLAN access-map configuration; check out the below link on the same.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Whereas BPDU Guard will come into play only at the reception of BPDUs on that port: the BPDU guard operation disables the port that has PortFast configured. The BPDU guard transitions the port into errdisable state, and a message appears on the console, and I don't think APs generate BPDUs.

Hope to Help !!

Ganesh.H
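To show what the VLAN access-map approach described in the post above looks like on a 3750, here is an added example; it is not from any post in this thread or from the linked Cisco document. It assumes the AP's MAC address is already known: 0011.2233.4455 is a placeholder, while VLAN 27 and Gi1/0/30 come from Juan's configuration.

```cisco
! Added example, not from the thread. 0011.2233.4455 is a placeholder for
! the unauthorized AP's MAC address, as seen in "show mac address-table"
! ("show mac-address-table" on older IOS releases).
!
! MAC ACL matching frames sent by or destined to the AP
mac access-list extended ROGUE-AP-MAC
 permit host 0011.2233.4455 any
 permit any host 0011.2233.4455
!
! VLAN map: sequence 10 drops matched frames, sequence 20 forwards the rest
vlan access-map BLOCK-ROGUE-AP 10
 match mac address ROGUE-AP-MAC
 action drop
vlan access-map BLOCK-ROGUE-AP 20
 action forward
!
! Apply the map to the VLAN the access port belongs to
vlan filter BLOCK-ROGUE-AP vlan-list 27
!
! Verification
! show vlan access-map BLOCK-ROGUE-AP
! show vlan filter
! show mac address-table vlan 27
```

Two things to keep in mind when using this. A VLAN map drops frames but does not change the port state, so the port will still show "connected" exactly as in Juan's output; detection has to come from the MAC address table or from a rogue-AP detection tool rather than from the port going err-disabled. And before relying on it to stop the AP's IP traffic, check the VLAN map chapter of the 3750 configuration guide for how MAC ACLs are applied to IP versus non-IP traffic on that platform, because an IP ACL keyed on the AP's address may be needed as well.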

Hi Ganesh,

Thank you for the reply. I think VLAN access-map and MAC ACLs are good options but that will work only if I know the AP's MAC address (which I could get using the show mac-address & show arp commands). I also thought about port-security but I was looking more for a command that will cause the switch port to go immediately "err-disable" when someone connects an Access Point but it seems Cisco doesn't have such a feature...

Anyway, thank you very much for your time guys!

Hi Juan,

Switch port security works in this fashion: when you encounter a MAC which is more than that specified in the interface command, then it will act on the violation prompt. I mean to say a trusted MAC needs to be configured which can access the port; apart from this MAC, if any other comes then the port can be brought down.

Check out the below link for switch port security configuration:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html#wp1047714

Hope to Help !!

Remember to rate the helpful post

Ganesh.H
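As an added example of the port-security approach in the post above (not from the thread or from the linked Catalyst 4500 guide), here is Juan's Gi1/0/30 configuration with port security added so that the port is err-disabled, which is the behaviour he asked for. It assumes one authorized host on the port; 0011.2233.4455 is a placeholder for that host's MAC address, and VLAN 27 comes from the original configuration.

```cisco
! Added example, not from the thread. 0011.2233.4455 is a placeholder for
! the MAC of the host that is allowed on the port; replace it with the real one.
interface GigabitEthernet1/0/30
 switchport access vlan 27
 switchport mode access
 ! Port security: one authorized MAC, any other source MAC err-disables the port
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0011.2233.4455
 ! Keep the existing STP protections for the switch-on-a-port case
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
!
! Optional: bring the port back automatically after 5 minutes so a visit
! is not needed every time; the violation is still logged.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification
! show port-security interface GigabitEthernet1/0/30
! show port-security address
! show interfaces status err-disabled
! show errdisable recovery
```

Why this catches an AP even though the AP's own MAC is unknown: an AP that bridges wireless clients onto the wire presents each client's MAC as a source address on the port, so the second source MAC behind the port triggers the violation regardless of which device it is. An AP or wireless router that NATs its clients shows only its own MAC, and then it is the static authorized MAC (the AP's MAC is not it) that triggers the shutdown. If sticky learning is used instead of a static address, make sure the rogue AP is not the first device seen on the port, or its MAC is what gets learned as authorized.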

Hi Ganesh,

Thank you for your suggestions. Unfortunately, Cisco doesn't support what I was looking for.

Regards,

Juan

Hi Juan,

Agreed. Check out the below link; hope it will be useful!!

http://www.airmagnet.com/assets/whitepaper/Rogue_Detection_White_Paper.pdf

Ganesh.H

Great document! Thank you very much.
