Confusion With Port Security
aderon
Member Posts: 404
in CCNA & CCENT
Hi all! So I've been reading about Port Security and how you can limit the number of MAC addresses per port. One of the examples the CBTNugget gives is a WAP connected to a switch. If you limit your max number of MAC addresses to 1, then only the WAP would be allowed to use the switch, but any of the wireless connections into the WAP would not.
But, from how I understand it, the data link layer frame is stripped and recreated between each device. So say I had the following:
Wireless PC: MAC address = 1111.1111.1111
WAP: MAC address = 2222.2222.2222
Switch: MAC address = 3333.3333.3333
Wireless PC --> WAP --> Switch
Then as the packet travels across the network, wouldn't the frames look something like this?
From PC to WAP
Source MAC: 1111.1111.1111
Destination MAC: 2222.2222.2222
From WAP to Switch
Source MAC: 2222.2222.2222
Destination MAC: 3333.3333.3333
So I guess my question is how could you ever have the switch see anything other than 2222.2222.2222 as the MAC address coming into the port? Wouldn't it always just see the MAC address of the WAP and nothing else? What is the need to limit the number of MAC addresses in this scenario, if it will only see the MAC address of the most immediately connected device?
2019 Certification/Degree Goals: AWS CSA Renewal (In Progress), M.S. Cybersecurity (In Progress), CCNA R&S Renewal (Not Started)
Comments
Codeman6669 Member Posts: 227
I can't speak specifically for Cisco APs, but most APs have MAC filtering on the AP, which could limit who can and cannot connect.
Heero Member Posts: 486
> But, from how I understand it, the data link layer frame is stripped and recreated between each device.
It is completely re-created at each LAYER 3 hop. Between layer 2 a basic switch won't modify anything. Switches doing more complicated things might alter the frame though, such as adding a dot1q tag or modifying a QoS value, and then it would recalculate the FCS as well.
d4nz1g Member Posts: 464
> It is completely re-created at each LAYER 3 hop. Between layer 2 a basic switch won't modify anything. Switches doing more complicated things might alter the frame though, such as adding a dot1q tag or modifying QoS value, and then it would recalculate the FCS as well.
This.
From your PC all the way through your gateway (PC - AP - switch) there is only layer 2 communication. No need to change frame headers.
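To make the answer concrete, here is an added toy simulation (not code from the thread or from any vendor) of an access port running port security with a maximum of one MAC address. It models the two competing views: the AP bridging frames with the client's source MAC left intact (what really happens, per the replies above), versus the original poster's assumption that the AP re-originates each frame with its own MAC as source. The MAC addresses 1111/2222/3333 are the thread's; the second wireless client 4444.4444.4444, the `SecurePort` class, and the shutdown-style violation handling are constructed assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Addresses from the thread, plus one constructed extra client.
PC1 = "1111.1111.1111"       # wireless PC
AP = "2222.2222.2222"        # wireless access point
UPSTREAM = "3333.3333.3333"  # destination on the wired side (the thread labels it "Switch")
PC2 = "4444.4444.4444"       # constructed: a second wireless client behind the same AP


@dataclass
class Frame:
    src_mac: str
    dst_mac: str


@dataclass
class SecurePort:
    """Toy model of a switch access port with port security enabled.

    Learns source MACs on ingress; once `max_macs` are learned, any new
    source MAC is a violation and (shutdown mode) the port is err-disabled.
    """
    max_macs: int = 1
    learned: List[str] = field(default_factory=list)
    err_disabled: bool = False

    def receive(self, frame: Frame) -> str:
        if self.err_disabled:
            return "dropped"            # port already shut down by an earlier violation
        if frame.src_mac in self.learned:
            return "forwarded"          # known secure MAC
        if len(self.learned) < self.max_macs:
            self.learned.append(frame.src_mac)  # dynamic learning of a secure MAC
            return "forwarded"
        self.err_disabled = True        # constructed 'shutdown' violation behaviour
        return "violation"


def ap_bridges(frame: Frame) -> Frame:
    """What a bridging AP actually does: 802.11 -> 802.3 header translation
    keeps the wireless client's MAC as the source address on the wire."""
    return Frame(frame.src_mac, frame.dst_mac)


def ap_rewrites(frame: Frame) -> Frame:
    """The original poster's (incorrect) model: the AP re-originates the frame
    with its own MAC as source, as a router would at a layer 3 hop."""
    return Frame(AP, frame.dst_mac)


def run(ap_behaviour: Callable[[Frame], Frame], max_macs: int = 1) -> Tuple[SecurePort, List[Tuple[str, str]]]:
    """Send PC1, PC1 again, then PC2 through the AP into a secure port.

    Returns the port state and a list of (source MAC seen on the wire, port decision).
    """
    port = SecurePort(max_macs=max_macs)
    results = []
    for src in (PC1, PC1, PC2):
        wire_frame = ap_behaviour(Frame(src, UPSTREAM))
        results.append((wire_frame.src_mac, port.receive(wire_frame)))
    return port, results


if __name__ == "__main__":
    for label, behaviour in (("AP bridges (real)", ap_bridges), ("AP rewrites (OP's model)", ap_rewrites)):
        port, results = run(behaviour)
        print(f"{label}: learned={port.learned} err_disabled={port.err_disabled}")
        for src, decision in results:
            print(f"  src={src} -> {decision}")
```

With the bridging model the port learns 1111.1111.1111 (the PC, not the AP) and the second client's first frame trips the violation, which is exactly why the maximum-MAC limit matters behind an AP; with the rewrite model the port would only ever see 2222.2222.2222 and port security could never distinguish clients.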
aderon Member Posts: 404
Ahhh ok, that makes more sense then. Thanks!
2019 Certification/Degree Goals: AWS CSA Renewal (In Progress), M.S. Cybersecurity (In Progress), CCNA R&S Renewal (Not Started)