topic Best practice to secure port-channel interfaces not supporting 802.1x on access switches in Network Access Control

Best practice to secure port-channel interfaces not supporting 802.1x on access switches

Madura Malwatte — Thu, 11 Mar 2021 13:38:26 GMT

IOS and XE switches doesn't seem to support 802.1x on etherchannel interfaces. What is the best practice/recommendation to secure these ports (etherchannel interfaces) to stop someone from plugging in unauthorized devices?

Re: Best practice to secure port-channel interfaces not supporting 802.1x on access switches

Filip Po — Thu, 11 Mar 2021 14:07:44 GMT

I think you can use a switch-port security by static/sticky mac address learning.

But only, when port isn't trunk but access.

If someone plug in with wrong mac adress, port should be disabled.

Other config to apply should be MACsec.

Re: Best practice to secure port-channel interfaces not supporting 802.1x on access switches

Leo Laohoo — Thu, 11 Mar 2021 21:07:20 GMT

@Madura Malwatte wrote:

IOS and XE switches doesn't seem to support 802.1x on etherchannel interfaces.

Etherchannel ports should never support 802.1x.

@Madura Malwatte wrote:

What is the best practice/recommendation to secure these ports (etherchannel interfaces) to stop someone from plugging in unauthorized devices?

Most important is if any person can physically access the access switches then it is "game over".

Lock the cabinets down to stop people from unpatching ethterchannel connection(s) to other ports. Put CCTV to make sure people are identified correctly.