New Member

Prevent access through an Access Point to internal network

Dear all

I would like to know how to protect network access from a rogue Access Point. Is it possible to work with port-security? I mean, if I used the sticky command in connection with a maximum of 1 allowed MAC address, then no one would be able to access the network through the access point.

Thanks in advance for your help

Cheers, Remy

6 REPLIES
Hall of Fame Super Gold

That's not how you do it.

If you detect a rogue WAP in your network, you go and find it. I don't believe there's any other way.

New Member

Hi leolaohoo

Thanks for the fast reply. But is it not the case that you see more than one MAC address on the switchport when devices communicate through the Access Point?

Kind regards,

Remy

Hall of Fame Super Gold

Thanks for the fast reply. But is it not the case that you see more than one MAC address on the switchport when devices communicate through the Access Point?

Ok, let's look at it this way: Let's say you enable one MAC address. Let's say you also enable sticky MAC. What would stop, say, a colleague from bringing in his own Kumbaya WAP and plugging it into your network?

Let's say that you replace a WAP, and only you know about the sticky MAC and you're on a cruise in the Bahamas?

Remy,

You could use port security on the ports that you know about, but you should shut the ports that you're not using in order to prevent someone from connecting an AP to an unused port. Leo is right though. You wouldn't be able to use port security on an unused port because you either A.) have to know what MAC addresses are coming into that port beforehand or B.) have to learn the addresses that are coming into that port with the maximum addresses or sticky command. Even if you had port security set to 1 MAC address, the AP would be able to use that.

Now you will be able to see clients off of the AP, and they could trigger a security violation on the port so that no one could pass traffic, but in reality you're still taking a chance. Shut your ports first if you can, and if not, you can set your port security to 1 address. Obviously the second option is going to cause more problems if you have users with phones, switches, etc. at their desks.

HTH,

John

HTH, John *** Please rate all useful posts ***
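The point John and Remy make above is that clients behind an AP show up as several learned MAC addresses on one access port. As an added example (not from anyone in this thread), the script below parses a constructed `show mac address-table dynamic` output and reports access ports whose MAC count exceeds a threshold; the uplink list and the sample table are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of "show mac address-table dynamic" output (not a real switch).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    0011.2233.4466    DYNAMIC     Gi1/0/5
  10    0011.2233.4477    DYNAMIC     Gi1/0/5
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  30    00aa.bbcc.dd02    DYNAMIC     Gi1/0/24
  40    00aa.bbcc.dd03    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 6
"""

# Assumed list: uplinks/trunks legitimately carry many MACs and are skipped.
UPLINK_PORTS = {"Gi1/0/24"}

# One table row: VLAN, dotted-hex MAC, entry type, port name.
MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<kind>\S+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)

def macs_per_port(mac_table: str) -> dict[str, set[str]]:
    """Group dynamically learned MACs by access port, skipping known uplinks."""
    seen = defaultdict(set)
    for line in mac_table.splitlines():
        m = MAC_LINE.match(line)
        if m and m.group("port") not in UPLINK_PORTS:
            seen[m.group("port")].add(m.group("mac").lower())
    return dict(seen)

def suspicious_ports(mac_table: str, max_allowed: int = 1) -> dict[str, int]:
    """Ports showing more MACs than a single directly attached host would."""
    return {port: len(macs) for port, macs in macs_per_port(mac_table).items()
            if len(macs) > max_allowed}

if __name__ == "__main__":
    for port, count in suspicious_ports(SAMPLE_MAC_TABLE).items():
        print(f"{port}: {count} MACs learned, check for hub/AP behind it")
```

Raise `max_allowed` to 2 on ports where a phone plus a PC is expected, as John notes, or the check will flag those desks as well.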
New Member

Hi guys

Thanks a lot for your help. The problem is a bit more complex, because we use dot1x with a guest VLAN. That's the reason why I would like to use port security: everyone should be able to use the guest VLAN, but should not be able to use a rogue Access Point.

Guys, thank you very much for your help.

I wish you a nice weekend

Cheers, Remy

Hall of Fame Super Gold

Because everyone should be able to use the guest VLAN, but should not be able to use a rogue Access Point.

One of the most effective ways to combat rogue WAPs is to locate them. Ethernet can be spliced very easily.
