How to block Internet Sharing by a MacBook on Cisco switches (Cisco vulnerability)

Hi everyone.

 

I have an issue. On my LAN we found a vulnerability: the Mac laptop (MacBook Pro) has an Internet Sharing feature. With the Ethernet cable connected you can share the Internet over AirPort to other devices; you can configure the Mac as an access point and do NAT onto the network.

I applied port security with a maximum of 2 MAC addresses, switchport protected and spanning-tree bpduguard, and the traffic is still passing. If you analyze the traffic you will only see the IP of the Ethernet connection; even with DHCP snooping applied, the devices connected to the MacBook get an IP address.

 

Port configuration:

 

interface GigabitEthernet1/0/2
 description desk Mariano
 switchport access vlan 21
 switchport mode access
 switchport protected
 switchport block unicast
 switchport voice vlan 621
 switchport port-security maximum 2
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 10dd.b1d7.e1a2
 switchport port-security mac-address sticky a40c.c394.08ef vlan voice
 logging event spanning-tree
 logging event status
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape  10  0  0  0
 queue-set 2
 udld port aggressive
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 storm-control unicast level 1.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
end

 

At this moment the MacBook Pro is sharing to 3 devices, and the local port only sees 2 MAC addresses (the MacBook and the IP phone).

 

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  21    10dd.b1d7.e1a2    STATIC      Gi1/0/2
 621    a40c.c394.08ef    STATIC      Gi1/0/2
Total Mac Addresses for this criterion: 2

 

Please help us; can anybody see the problem?

 

 

Best Regards.

 

1 REPLY

Not sure if there is any feature to prevent ad-hoc wireless networks originating from a user machine from a Cisco switch standpoint. Generally the user IT dept will create a GPO to disable ad-hoc networking on user WNICs, or you have a wireless dept that keeps an eye on any rogue APs popping up in your network.

I am sure the wireless controllers are now capable of switchport tracing for rogue APs and err-disabling them as well.

Manish
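An added example, not from the poster or from Manish's reply, of why port security never sees the shared clients and of a check that does. The MacBook's NAT rewrites every client frame to its own MAC and IP, so the switch's per-port MAC count stays at 2 no matter how many devices hang off the AirPort. What NAT does not hide is the IP TTL: the Mac decrements it by one hop, so a client that started at 64 (macOS, Linux, iOS) arrives as 63 and a Windows client (128) arrives as 127, while the Mac's own packets still show 64. One source MAC emitting several different TTLs, or TTLs that are already one below a common initial value, is a strong indication that a router/NAT device sits behind the port. The script assumes traffic from the access ports is mirrored (for example via a SPAN session) to a collector that records port, source MAC, source IP and TTL; the packet records below are constructed for the example, with the MAC and VLAN taken from the poster's configuration, and the table of initial TTLs is an assumption about OS defaults.

```python
"""
Added example (not from the thread): infer a NAT device behind an access port
from the TTLs seen per source MAC. Port security counts MAC addresses, and a
NATting MacBook presents exactly one, so the count cannot grow. The TTL
decrement survives NAT and gives the hidden clients away.
"""
from collections import defaultdict

# Assumed initial TTLs of common operating systems (64: macOS/Linux/iOS,
# 128: Windows, 255: some network gear). Administrators can change these,
# so the check below is a heuristic, not proof.
INITIAL_TTLS = {64, 128, 255}

# Constructed sample records: (switch port, source MAC, source IP, IP TTL).
# The MAC on Gi1/0/2 is the sticky address from the poster's configuration;
# the IP addresses are made up.
SAMPLE_PACKETS = [
    ("Gi1/0/2", "10dd.b1d7.e1a2", "10.21.0.50", 64),   # MacBook's own traffic
    ("Gi1/0/2", "10dd.b1d7.e1a2", "10.21.0.50", 63),   # iPhone/Linux behind the Mac's NAT
    ("Gi1/0/2", "10dd.b1d7.e1a2", "10.21.0.50", 127),  # Windows laptop behind the Mac's NAT
    ("Gi1/0/2", "10dd.b1d7.e1a2", "10.21.0.50", 64),
    ("Gi1/0/3", "aaaa.bbbb.cccc", "10.21.0.51", 128),  # ordinary Windows desktop
    ("Gi1/0/3", "aaaa.bbbb.cccc", "10.21.0.51", 128),
]


def ttl_profile(packets):
    """Collect the set of TTLs observed for each (port, source MAC)."""
    seen = defaultdict(set)
    for port, mac, _ip, ttl in packets:
        seen[(port, mac)].add(ttl)
    return seen


def hops_behind(ttl):
    """Hops from the nearest plausible initial TTL at or above `ttl`.

    0 means the packet came straight from the host; 1 or more means at
    least one router (here: the NATting MacBook) forwarded it.
    """
    candidates = [initial - ttl for initial in INITIAL_TTLS if initial >= ttl]
    return min(candidates) if candidates else None


def suspected_nat_ports(packets):
    """Return {port: {mac: sorted TTLs}} for source MACs that look NATted.

    A single host on an access port is zero hops from the switch and uses
    one initial TTL. Either more than one TTL per MAC, or a TTL that is
    already decremented, is reported. Expect false positives from devices
    with unusual initial TTLs; treat hits as leads to verify, not verdicts.
    """
    result = defaultdict(dict)
    for (port, mac), ttls in ttl_profile(packets).items():
        decremented = any(hops_behind(t) for t in ttls)
        if len(ttls) > 1 or decremented:
            result[port][mac] = sorted(ttls)
    return dict(result)


if __name__ == "__main__":
    for port, macs in suspected_nat_ports(SAMPLE_PACKETS).items():
        for mac, ttls in macs.items():
            print(f"{port}: {mac} emits TTLs {ttls}; possible NAT/router behind this port")
```

On the constructed records only Gi1/0/2 is flagged, with TTLs 63, 64 and 127 from the single MacBook MAC, which matches what the poster observes: the switch's MAC table shows two entries while three clients are being served. Cross-checking a flagged port against the MAC table or a rogue-AP report from the wireless side, as the reply suggests, is how to decide whether to err-disable it.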
