Dynamic port blocking when connecting an AP

Hi guys,

I'm looking for a way to block a switch port dynamically on a 3750 when someone connects an Access Point. I have the following configuration so far:

interface GigabitEthernet1/0/30
switchport access vlan 27
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!

Is there a spanning-tree or any other feature that can help me achieve what I want?

Thanks in advance.

Regards,

Juan

Re: Dynamic port blocking when connecting an AP

Hello Juan,

The command "spanning-tree bpduguard enable" will take care of that for you.  If for example someone connects a switch to that port it will take the port down.

HTH

Reza

Re: Dynamic port blocking when connecting an AP

Hello Reza,

Thank you for the answer. I know BPDU Guard will err-disable the port if it detects any BPDU packet coming into it, so if someone connects a switch, the port will become err-disabled, but what if someone connects an Access Point? I have a 3750 with the configuration I attached in my first email and there is an unauthorized AP working on one of the ports of that switch... I need to know if there is a command to detect when someone connects an AP and err-disables the port dynamically. It seems that BPDU Guard does not work for this scenario.

Regards,

Juan

Re: Dynamic port blocking when connecting an AP

Hello Juan,

Not very familiar with APs but I would think it should be just like any other switch or hub.  When the port receives STP BPDU from the AP, it will disable it.

BTW, there was no attachment in your first post.

HTH

Reza

Re: Dynamic port blocking when connecting an AP

I thought exactly what you are saying, that the port should be err-disabled when you connect the AP, but it didn't happen... Here is the switchport configuration:

interface GigabitEthernet1/0/30
switchport access vlan 27
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
!

Gi1/0/30                     connected    27         a-full  a-100 10/100/1000BaseTX

Port status is CONNECTED, so it didn´t get blocked.

Unfortunately I don't have access to the AP, so I can't show you the AP's config.

Regards,

Juan

Re: Dynamic port blocking when connecting an AP

Hi Juan,

Is your requirement that whenever somebody connects an AP to your interface gi1/0/30 the interface goes down, or that when somebody connects an AP and accesses the LAN, at that time the port goes into the down state?

If the first is the case, then as you have a 3750 switch, block the MAC address of the AP (which is known to you) at the switch port level by VLAN access-map configuration; check out the below link on the same.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Whereas BPDU Guard will come into play only on the reception of BPDUs on that port: the BPDU guard operation disables the port that has PortFast configured. BPDU guard transitions the port into the errdisable state, and a message appears on the console, and I don't think APs generate BPDUs.

Hope to Help !!

Ganesh.H

Re: Dynamic port blocking when connecting an AP

Hi Ganesh,

Thank you for the reply. I think VLAN access-maps and MAC ACLs are good options but that will work only if I know the AP's MAC address (which I could get using the show mac-address & show arp commands). I also thought about port-security but I was looking more for a command that will cause the switch port to go immediately "err-disabled" when someone connects an Access Point, but it seems Cisco doesn't have such a feature...

Anyway, thank you very much for your time guys!

Re: Dynamic port blocking when connecting an AP

Hi Juan,

Switch port security works in this fashion: when you encounter more MACs than specified in the interface command, it will act on the violation setting. I mean to say a trusted MAC needs to be configured which can access the port; apart from this MAC, if any other comes, then the port can be brought down.

check out the below link for switch port security configuration

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ewa/configuration/guide/port_sec.html#wp1047714

Hope to Help !!

Remember to rate the helpful post

Ganesh.H
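As an added example (not code from this thread, from Cisco, or from Ganesh's links), the Python script below ties together the two suggestions made above: the VLAN access-map with a MAC ACL from Ganesh's first reply, and port security with violation shutdown from this one. It parses constructed "show mac address-table" output in the Catalyst 3750 layout, flags access ports that have learned more than one MAC (the signature of a bridging AP with clients behind it), and prints the IOS lines that would block that port either way. The sample MAC table, the port and MAC values in it, and the ACL / access-map name "block-rogue-ap" are all made up for the example.

```python
"""Added example (not from the thread): spot a bridging rogue AP from the
3750's MAC table and generate the two blocking configs discussed above.

Assumptions: SAMPLE_MAC_TABLE is constructed to look like
'show mac address-table' output on a Catalyst 3750; the ACL / access-map
name 'block-rogue-ap' is invented for the example.
"""
import re
from collections import defaultdict

# Constructed sample output, NOT captured from Juan's switch. Gi1/0/30 shows
# three MACs: a bridging AP plus two wireless clients behind it.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  27    0011.2233.4455    DYNAMIC     Gi1/0/30
  27    0011.2233.4466    DYNAMIC     Gi1/0/30
  27    0011.2233.4477    DYNAMIC     Gi1/0/30
  27    0022.aabb.ccdd    DYNAMIC     Gi1/0/31
  27    0022.aabb.ccee    DYNAMIC     Gi1/0/32
Total Mac Addresses for this criterion: 6
"""

# One table row: vlan (or 'All'), dotted-hex MAC, learn type, port.
ENTRY_RE = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: [(vlan, mac), ...]} for dynamically learned entries only."""
    per_port = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m.group(3).upper() != "DYNAMIC":
            continue  # headers, static/CPU entries and the trailer are skipped
        vlan, mac, _, port = m.groups()
        per_port[port].append((int(vlan), mac.lower()))
    return dict(per_port)


def find_suspect_ports(per_port, max_macs=1):
    """Access ports learning more than max_macs addresses.

    A bridging AP forwards its clients' MACs, so it shows up here. Caveat: an
    AP that NATs its wireless side (a consumer 'wireless router') presents a
    single MAC and is NOT caught by this check, nor by port-security maximum 1.
    """
    return {p: sorted(e) for p, e in per_port.items() if len(e) > max_macs}


def port_security_config(port, max_macs=1):
    """IOS lines that err-disable the port when a (max_macs+1)th MAC appears."""
    return [
        f"interface {port}",
        " switchport port-security",
        f" switchport port-security maximum {max_macs}",
        " switchport port-security violation shutdown",
        " switchport port-security mac-address sticky",
        "!",
    ]


def mac_acl_vlan_map_config(vlan, macs, name="block-rogue-ap"):
    """IOS lines for a MAC ACL plus VLAN access-map that drops known MACs.

    The MAC ACL 'permit's the frames to select them; the access-map's
    'action drop' is what actually blocks them. A second, empty sequence
    forwards everything else.
    """
    lines = [f"mac access-list extended {name}"]
    lines += [f" permit host {mac} any" for mac in macs]
    lines += [
        f"vlan access-map {name} 10",
        f" match mac address {name}",
        " action drop",
        f"vlan access-map {name} 20",
        " action forward",
        f"vlan filter {name} vlan-list {vlan}",
        "!",
    ]
    return lines


if __name__ == "__main__":
    suspects = find_suspect_ports(parse_mac_table(SAMPLE_MAC_TABLE))
    for port, entries in suspects.items():
        print(f"! {port} learned {len(entries)} MACs - possible bridging AP")
        print("\n".join(port_security_config(port)))
        # The table alone cannot tell the AP's own MAC from its clients',
        # so every MAC seen behind the port goes into the ACL.
        print("\n".join(mac_acl_vlan_map_config(entries[0][0], [m for _, m in entries])))
```

Run it as-is and it reports Gi1/0/30 with three MACs, then prints the port-security stanza and the VACL for VLAN 27. With port security already applied, the third MAC would have put the port into err-disable on its own; the VACL is the fallback when you know the MACs but cannot touch the port config.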

Re: Dynamic port blocking when connecting an AP

Hi Ganesh,

Thank you for your suggestions. Unfortunately, Cisco doesn't support what I was looking for.

Regards,

Juan

Re: Dynamic port blocking when connecting an AP

Hi Juan,

Agreed, check out the below link, hope it will be useful!!

http://www.airmagnet.com/assets/whitepaper/Rogue_Detection_White_Paper.pdf

Ganesh.H

Re: Dynamic port blocking when connecting an AP

Great document! Thank you very much.
