https://community.cisco.com/t5/network-access-control/layer-2-port-channel-security/m-p/3216562#M547355 <P>Hi,</P> <P>I have 2 Cisco switches connected via a layer 2 port channel (trunk). LACP. 1 Catalyst 9300, 1 Catalyst 3650.</P> <P>&nbsp;</P> <P>I am trying to configure authentication between the switches on the port channel so that the 9300 will only allow that specific 3650 to connect on that port channel. This is because the 3650 is not in a secure location and anyone may be able to connect to that uplink.</P> <P>&nbsp;</P> <P>The switches won't let me do switchport port-security.</P> <P>What would be the best way to do this? I was thinking 802.1x with local authentication but I don't know if that would work or how to configure it.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Waqas</P> Fri, 21 Feb 2020 18:39:03 GMT waqas gondal 2020-02-21T18:39:03Z https://community.cisco.com/t5/network-access-control/layer-2-port-channel-security/m-p/3216562#M547355 <P>Hi,</P> <P>I have 2 Cisco switches connected via a layer 2 port channel (trunk). LACP. 1 Catalyst 9300, 1 Catalyst 3650.</P> <P>&nbsp;</P> <P>I am trying to configure authentication between the switches on the port channel so that the 9300 will only allow that specific 3650 to connect on that port channel. This is because the 3650 is not in a secure location and anyone may be able to connect to that uplink.</P> <P>&nbsp;</P> <P>The switches won't let me do switchport port-security.</P> <P>What would be the best way to do this? I was thinking 802.1x with local authentication but I don't know if that would work or how to configure it.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Waqas</P> Fri, 21 Feb 2020 18:39:03 GMT https://community.cisco.com/t5/network-access-control/layer-2-port-channel-security/m-p/3216562#M547355 waqas gondal 2020-02-21T18:39:03Z https://community.cisco.com/t5/network-access-control/layer-2-port-channel-security/m-p/3216938#M547356 <P>Hi&nbsp;<SPAN>Waqas,</SPAN></P> <P><SPAN>Your switches are the latest generation, you can use MACSec between the two switches. MACSec provides per-link authentication and encryption between the switches. I haven't tried this myself yet, but you should be able to do this. Have a look at this <A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/37e/consolidated_guide/b_37e_consolidated_3850_cg/b_37e_consolidated_3850_cg_chapter_01110101.html#task_CCBD6C0C4B07493BB5531708AE622C61" target="_self">document</A></SPAN></P> <P>Alternatively you could use NEAT, if you have ISE/ACS infrastructure and you authenticate your users with dot1x. Check this guide on <A href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/sec-ieee-neat.pdf" target="_self">NEAT</A></P> <P>Regards,</P> <P>Agris</P> <P>&nbsp;</P> <P><SPAN>Please rate if helpful</SPAN></P> Wed, 15 Nov 2017 11:34:32 GMT https://community.cisco.com/t5/network-access-control/layer-2-port-channel-security/m-p/3216938#M547356 agrissimanis 2017-11-15T11:34:32Z https://community.cisco.com/t5/network-access-control/layer-2-port-channel-security/m-p/3217283#M547357 Thanks Wed, 15 Nov 2017 21:45:17 GMT https://community.cisco.com/t5/network-access-control/layer-2-port-channel-security/m-p/3217283#M547357 waqas gondal 2017-11-15T21:45:17Z