Port Security?

sfe Posts: 2
edited August 2022 in Switch
I have a Wi-Fi AP in an outside location which is connected by LAN to the Zyxel GS1900-24E.

I want to limit this port to accept only that specific Wi-Fi AP and nothing else, in case somebody unplugs the AP and connects another device.

So I activated Port Security and added the MAC of the AP to the list.

However, the GS1900 now also blocks any MAC of Wi-Fi clients that are connected to the AP.
I thought Port Security only applied to the physical cable connection to the port and not also to the MACs of Wi-Fi clients, which are now blocked.

Is there an alternative configuration that works for my scenario?

Thank you

All Replies

  • PeterUK
    PeterUK Posts: 2,969  Guru Member
    edited August 2022

    It's not possible, and nothing is stopping anyone from using the MAC of the AP in place of the AP anyway.

    I guess what you really want is to have the clients' MACs use the AP MAC as source towards the router, but then the AP would have to do DHCP.

  • sfe
    sfe Posts: 2
    edited August 2022
    Well, I know it is not 100% secure in the end.
    Nevertheless, I just want to avoid the scenario of somebody just quickly trying to use the port. MAC spoofing, or if somebody really wants it... so be it.

    I also do not mind any clients that are connected to the Wi-Fi AP getting access. That I solve differently.

    I am looking to limit the wired/physical connection of that port to allow either
    - only that one wired client/MAC address (but still allow all clients connected to the AP), or
    - in case the port went DOWN (unplugged), not to reactivate it again automatically (this is the less preferred solution, however) ;-)

  • mMontana
    mMontana Posts: 1,350  Guru Member
    A different approach might be the use of VLANs.
    The AP and its clients should be working on a tagged VLAN, and the switch should also bind an untagged VLAN completely disconnected from any other device.
    If an unwanted device connects to the port, it won't be able to access anything other than the untagged VLAN configured.
    Might that be quite an overkill for this? Yes, it could.
  • Zyxel_Melen
    Zyxel_Melen Posts: 1,902  Zyxel Employee
    Hi @sfe,

    Just like @mMontana said, you could create a tagged VLAN for the AP and its clients, and other VLANs should be forbidden on the port.
    If other users connect devices to the port, they will not be able to access the network, since the device would be using a forbidden VLAN.
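The following is an added example, not code from the original thread, from Zyxel, or a GS1900 configuration. It models the two switch-port behaviours the thread turns on: port security checks the source MAC of every frame arriving on the port (so the MACs the AP bridges from Wi-Fi clients are filtered exactly like a wired device), while the VLAN approach from @mMontana and @Zyxel_Melen lets tagged AP traffic through and drops an untagged rogue device into a VLAN with no other member port. Port numbers, MAC addresses and VLAN IDs below are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PortConfig:
    name: str
    pvid: int                                     # VLAN that untagged ingress frames are placed in
    tagged_vlans: FrozenSet[int]                  # VLANs accepted when the frame carries that 802.1Q tag
    allowed_macs: Optional[FrozenSet[str]] = None  # port-security MAC list; None = feature disabled


@dataclass(frozen=True)
class Frame:
    src_mac: str
    vlan_tag: Optional[int] = None                # None = untagged frame


def ingress(port: PortConfig, frame: Frame) -> Tuple[Optional[int], str]:
    """Decide which VLAN a frame arriving on `port` lands in (None = dropped) and why.

    Port security is evaluated on the source MAC of the frame as seen by the switch.
    An AP bridges Wi-Fi clients transparently, so their MACs show up as sources on this
    port and are filtered just like a directly cabled device.
    """
    if port.allowed_macs is not None and frame.src_mac.lower() not in port.allowed_macs:
        return None, "port-security: source MAC not in allowed list"
    if frame.vlan_tag is None:
        return port.pvid, "untagged frame placed in PVID"
    if frame.vlan_tag in port.tagged_vlans:
        return frame.vlan_tag, "tagged frame accepted on member VLAN"
    return None, "tagged frame for a VLAN the port is not a member of"


def egress_ports(vlan_members: Dict[int, Set[str]], ingress_port: str, vlan: Optional[int]) -> List[str]:
    """Ports other than the ingress port to which a frame in `vlan` can be forwarded."""
    if vlan is None:
        return []
    return sorted(p for p in vlan_members.get(vlan, set()) if p != ingress_port)


# Constructed addresses for the scenarios below.
AP_MAC = "00:11:22:33:44:55"      # the AP itself
CLIENT_MAC = "66:77:88:99:aa:bb"  # a Wi-Fi client bridged by the AP
ROGUE_MAC = "de:ad:be:ef:00:01"   # a device plugged in after unplugging the AP

# Scenario 1: the original poster's setup. Port 24 untagged in VLAN 1, port security
# enabled with only the AP's MAC on the list.
PORT_SEC = PortConfig("24", pvid=1, tagged_vlans=frozenset(), allowed_macs=frozenset({AP_MAC}))


def scenario_port_security() -> Dict[str, Optional[int]]:
    """Map each source MAC to the VLAN it lands in, or None if port security drops it."""
    return {mac: ingress(PORT_SEC, Frame(mac))[0] for mac in (AP_MAC, CLIENT_MAC, ROGUE_MAC)}


# Scenario 2: the VLAN approach. Port 24 is a tagged member of VLAN 10 (AP plus clients);
# its PVID is VLAN 999, which has no other member port. The AP tags everything it sends
# with VLAN 10. Port 1 is the uplink towards the router (constructed).
PORT_VLAN = PortConfig("24", pvid=999, tagged_vlans=frozenset({10}))
MEMBERS: Dict[int, Set[str]] = {10: {"24", "1"}, 999: {"24"}}


def scenario_vlan() -> Dict[str, Tuple[Optional[int], List[str]]]:
    """For each device, the VLAN its frame lands in and the ports it can reach from there."""
    frames = {
        "ap": Frame(AP_MAC, vlan_tag=10),
        "client": Frame(CLIENT_MAC, vlan_tag=10),   # bridged by the AP, so tagged 10 as well
        "rogue": Frame(ROGUE_MAC),                  # untagged: lands in the isolated PVID
        "rogue_tagged": Frame(ROGUE_MAC, vlan_tag=10),  # attacker who knows the VLAN ID
    }
    results = {}
    for label, frame in frames.items():
        vlan, _reason = ingress(PORT_VLAN, frame)
        results[label] = (vlan, egress_ports(MEMBERS, "24", vlan))
    return results


if __name__ == "__main__":
    for mac, vlan in scenario_port_security().items():
        print(f"port-security: {mac} -> {'dropped' if vlan is None else f'VLAN {vlan}'}")
    for label, (vlan, ports) in scenario_vlan().items():
        print(f"vlan approach: {label:12s} -> VLAN {vlan}, reachable ports {ports}")
```

Running it shows the two points made in the thread: in scenario 1 the Wi-Fi client is dropped alongside the rogue device because its MAC arrives on the same port, and in scenario 2 the untagged rogue device lands in VLAN 999 with no reachable ports, while the AP and its clients reach the uplink on VLAN 10. The `rogue_tagged` case is the caveat already raised by @PeterUK in another form: a device that tags its frames with the AP's VLAN is accepted just as a device that clones the AP's MAC would be, so this raises the bar for a casual plug-in rather than stopping a determined attacker.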