Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Port security for a access port

Hello everyone.

Im building a setup where i have a C2960 switch connected to a Cisco AP-1142.

The switch and access point will have 2 vlans, one for business use and one for guests (internet only).

So between the switch and the AP i plan to have a dot1q trunk.

Im worried that somebody who is connected to the guest network (which has a password anyone can get from the reception) can execute a cam overflow attack which will overload the switch.

What feature would you suggest that would prevent this?

2 ACCEPTED SOLUTIONS

Accepted Solutions

Port security for a access port

Port security will allow you to limit the number of MAC addresses learned on that switchport but its difficult to implement for an Access Point port because its going to have lots of MAC addresses depending on the amount of Wifi users connected.

How many are you expecting to connect roughly?

You could enable port security and set the Maximum to something like 25 or 50 and combine this with an aging time so the switch removed the learned MAC addresses once they have become inactive for X amount of seconds.

Hall of Fame Super Blue

Re: Port security for a access port

You need to look into DHCP snooping together wtih Dynamic Arp Inspection (DAI) for this.

Basically DHCP snooping listens in to the DHCP requests and builds a table of IP to mac bindings. DAI then listens to all arp requests and verifies than the IP to mac mappings are valid ie. they are in the DHCP snooping database. If they are not then they are not allowed.

If you configure a static IP on the client the traffic will not be allowed because there is no entry for it in the DHCP snooping database.

If you do need to allow certain static IPs you can manually add these so that they are not dropped.

See this link for details. The chapter linked to is for DHCP snooping and the next chapter is for DAI -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swdhcp82.html

see also this white paper -

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html

Jon

2 REPLIES

Port security for a access port

Port security will allow you to limit the number of MAC addresses learned on that switchport but its difficult to implement for an Access Point port because its going to have lots of MAC addresses depending on the amount of Wifi users connected.

How many are you expecting to connect roughly?

You could enable port security and set the Maximum to something like 25 or 50 and combine this with an aging time so the switch removed the learned MAC addresses once they have become inactive for X amount of seconds.

Hall of Fame Super Blue

Re: Port security for a access port

You need to look into DHCP snooping together wtih Dynamic Arp Inspection (DAI) for this.

Basically DHCP snooping listens in to the DHCP requests and builds a table of IP to mac bindings. DAI then listens to all arp requests and verifies than the IP to mac mappings are valid ie. they are in the DHCP snooping database. If they are not then they are not allowed.

If you configure a static IP on the client the traffic will not be allowed because there is no entry for it in the DHCP snooping database.

If you do need to allow certain static IPs you can manually add these so that they are not dropped.

See this link for details. The chapter linked to is for DHCP snooping and the next chapter is for DAI -

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_55_se/configuration/guide/swdhcp82.html

see also this white paper -

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html

Jon

274
Views
0
Helpful
2
Replies
CreatePlease to create content