What's the best way to prevent a user from plugging an AP into any of the access switches? Is there a feature I can use on the switch that will disable the port the instant it detects an AP is being plugged in?
There are a lot of options, many depend on your environment.
Here is what I do to start with:
Develop a template for host ports:
switchport access vlan 23
switchport mode access
switchport port-security aging time 5
switchport port-security violation restrict
srr-queue bandwidth limit 70
power inline never
no mdix auto
no cdp enable
storm-control broadcast level 10.0
storm-control multicast level 40.00
storm-control unicast level 70.00
storm-control action shutdown
spanning-tree bpduguard enable
ip dhcp snooping vlan 23
ip dhcp snooping
Enable ip dhcp snooping trust on ports that connect back to the DHCP server, i.e. trunk ports.
You can also enable ip arp inspection, but do so with planning and caution.
If you know the MAC of the host, you can enter it into the port-security parameters. Note, by default the port-security max is 1. An AP will appear like a hub or switch connected to your switch, in which case you may see multiple MACs on the same switch port.
These are just a few parameters that can be set, but it really depends on your environment.
So I could essentially configure port security with a max of 3 (to cater for VoIP). That way, if someone plugs an AP into that same port, it will be disabled, given the fact that several MAC addresses will flood through that very same port once the AP is live.
Also, to add on to this: will using the "set port host" command work as well? From what I understand, running this command on a given port sets the port up in such a way that it can only accept connections from a workstation and nothing else.
Yes, but I believe "set port host" is CatOS; the IOS equivalent is "switchport host". Both are essentially macros that set the port to access mode and spanning-tree portfast. It can be typed in as few as 4 letters: "sw ho". You could go as far as to write your own macro that adds switchport access vlan ..(your vlan) as well. Setting the port to access mode is an important step, but adding ip dhcp snooping protection and port security further enhances the security.
If you set the max to 3, only 3 devices will be able to connect. Port security will not protect against someone plugging in a router doing NAT. The router will do an inline MAC rewrite on traffic coming through it, so that all traffic coming through it appears to come from the router's interface that is plugged into your switch.
When you say "cater to VOIP", are you planning on putting an ip phone on the port?
Are you using a Cisco VoIP phone? Some models like the 7970 have a 3-port switch built in. You will definitely want the switch port in access mode if you do not want people hanging devices off the phone's switch port.
I have a Cisco access point connected to one of the edge switches. What I wanted to do was to test a feature whereby the following would occur:
- If a switchport detects several MAC addresses coming through that one designated port, consider it a violation, as a user has plugged in an unauthorised switch/hub/AP.
- Proceed to shut down the port.
I loaded the following commands onto the port in question:
switchport port-security maximum 3
switchport port-security violation shutdown
However, I noticed that even if I have 6 wireless users hanging off that one Cisco access point, the port doesn't detect these additional 6 MAC addresses. It still continues to see just one MAC address, and that's the Cisco access point's. Thus it never notices a violation has occurred.
If you look at Fa0/1, there were lots of violations, but the current count is 0, while Fa0/3-5 have a max of 400 MACs and there are 22 clients on port Fa0/5.
NOTE: I use restrict instead of shutdown for our needs.
Just out of curiosity, are you using LWAPP access points? The reason I ask is that with traditional access points, you would see the additional client MACs on the switch port as well, just like a wired switch or hub would do. We are running LWAPP APs and we do not see additional client MACs on the switch port connected to the AP; perhaps that MAC info is sent encrypted to the controller via LWAPP. For example: I have a Cisco 1020 by my desk with 2 laptops associated to it, but all I see when I do a sh mac-addr inter fa0/9 is the Ethernet MAC of the AP.
(Cisco Controller) >show client summary
Number of Clients................................ 16
00:14:a5:b8:87:7c PF_Atrium Probing N/A No 802.11b 1
00:17:59:9f:63:e0 lounge Associated 2 No 802.11b 1
So the switch has no knowledge of multiple MACs on the port, but the controller has the info per AP. In essence, the AP CAM (MAC) table is tunneled through LWAPP to the controller and the switch does not know of it.
To prove my theory, I placed port security on the switch port connected to the AP:
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
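The header above is the IOS "show port-security" summary format. As an added example (not code from the thread or from Cisco), here is a small Python parser that reads such output and flags ports with recorded violations, a MaxSecureAddr above the 3-address host-port template, or a count already at its limit; the sample output is constructed. As the thread notes, it can only audit what the switch itself learns, so LWAPP client MACs tunneled to the controller never show up here.

```python
import re

# Constructed sample of IOS "show port-security" summary output (not from the thread).
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              3            0                 57         Restrict
      Fa0/3            400            4                  0         Restrict
      Fa0/5            400           22                  0         Restrict
      Fa0/9              3            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 24
"""

# One table row: port, max, current, violation count, action.
ROW_RE = re.compile(
    r"^\s*(?P<port>[A-Za-z]+\d+(?:/\d+)+)\s+(?P<max>\d+)\s+(?P<cur>\d+)"
    r"\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$"
)

def parse_port_security(text):
    """Return one dict per secured port found in the summary table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"port": m["port"], "max": int(m["max"]),
                         "current": int(m["cur"]), "violations": int(m["viol"]),
                         "action": m["action"].lower()})
    return rows

def audit(rows, host_port_max=3):
    """Flag ports worth a look: recorded violations, a MaxSecureAddr above the
    host-port template (room for a hub/switch/AP behind the port), or a port
    already at its limit. Returns {port: [reasons]}."""
    findings = {}
    for r in rows:
        reasons = []
        if r["violations"] > 0:
            reasons.append("violations=%d" % r["violations"])
        if r["max"] > host_port_max:
            reasons.append("max %d above host template %d" % (r["max"], host_port_max))
        if r["current"] >= r["max"]:
            reasons.append("at limit (%d/%d)" % (r["current"], r["max"]))
        if reasons:
            findings[r["port"]] = reasons
    return findings
```

Feed it the saved text of "show port-security" from a switch and print the result of `audit(parse_port_security(text))`.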