cancel
Showing results for 
Search instead for 
Did you mean: 

Mac Security

Dejeh1
New Contributor

How do I configure switch port mac security on a switch connected to a Ruckus R550 Access Point without the switch learning the mac addresses of devices connected to the access point? 

6 REPLIES 6

Hi Dejeh1, 

Adding on to the details shared, based on the requirements, where :
> if the operation is that on a port only the connected [ specific ] AP should work
> any other device or AP should be blocked on that given port.
> clients connected to the permitted AP should pass through with no second authentication or security check on the switch.

Then you could go for mac-auth for the APs on the said ports where APs are/would be connected. 
where only the permitted APs will be allowed to connect across. any other device on that port wont be allowed, and with single-host mode only AP will be authenticated, rest of the clients comming off the AP will be able to go through with no issues. 

Link for further reading on the single-host auth mode : 
https://docs.commscope.com/bundle/fastiron-08095-securityguide/page/GUID-55419E4A-017B-42A1-9BC0-F30...

and the same can be scalled, to be applied to the rest of the ports as well if necessary or selected ports only and have the rest configured as needed. 

Here however the MAC learn will still happen for all device(s) communicating via that port, howver the communication will only work given the AP connected is allowed via the auth.


Let us know your thoughts on the matter.

Chandini
RUCKUS Team Member

Hi Dejeh1,

Thank you for reaching us

"What I'm trying to achieve is a situation where only the First Access point connected to that switch port Mac address will be learned by the switch, if another Access point is connected to that same switch port it will block. But so far, the switch port learns both the Access point Mac address and every user connected to the Access point Mac address and we don't want this.  "

Based on the above statement below is what I could understand 

  • 1st AP mac address should be learnt
  • 2nd AP mac address should not be learnt and should be blocked 
  • But switch learns both AP mac address and all user mac details connected to both AP's.

I suppose the above would be difficult to achieve below is the reason why

  • For the AP to operated and communicate with the network the mac address of the AP device or any device which is connected to the switch would be learnt , so if AP is connected on a port of the switch, it will learn the AP mac address. So I suppose when compared to your scenario since there are two AP then both AP mac address is learnt on the switch , we can understand here its working as designed.
  • When a user is connected on Wifi the user connection would move from one AP to another automatically based on the user movement, so mac address would also be learnt on the AP in the same way. It would be difficult to understand between which AP user is roaming and how he is connecting. 

If you what only one AP to be used per switch , you can connect only one AP and remaining free ports you can choose to disable so that when a user connects another AP he would have no access to the network. And on ports where you have a wired connection to PC or other device which is not a AP device you can configure secure-mac-address max 1 per port.

I hope this helps

Thanks