topic Re: 802.1X in Trunk Links in Network Access Control

802.1X in Trunk Links

simoesmarco8626982 — Thu, 20 Jan 2022 16:48:47 GMT

Hi all,

hope to find everyone well

I found a topic from 2014 about this subject that stated that 802.1X couldn't be applied in trunk links, but I've read as well in a Cisco article that 802.1X could be applied in trunk links. Is this true?

I asked this because I needed to put to Cisco Catalyst 9000 connected to each other in trunk but to use 802.1X to authenticate with each other. Is this possible?

Thank you

Kind regards

Re: 802.1X in Trunk Links

balaji.bandi — Thu, 20 Jan 2022 17:01:39 GMT

Personally i would not advise dot1x to Trunk or port-channel links.

I asked this because I needed to put to Cisco Catalyst 9000 connected to each other in trunk but to use 802.1X to authenticate with each other. Is this possible?

what is the use case here, even though cisco switches connected each other, access ports still be 802.1X authentication right.

check guide lines :

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/config-ieee-802x-pba.html

Re: 802.1X in Trunk Links

simoesmarco8626982 — Thu, 20 Jan 2022 17:13:35 GMT

Thank you for the reply Balaji

The story is the following, I had the consultant requesting initially that all the links between switches should be encrypted and I was using macsec to do this. The issue is, the trunk links are connected to High Capacity radios 80Ghz (10Gbps), and these radios don't forward the macsec frames from one switch to the other switch on the other side, basically they act like a switch themselves.

Because I wasn't able to implement MacSec on the trunk links between switches due to the radios, the consultant came up with the idea of implementing 802.1X now when the network is already in production.

So basically all the access ports now would use port authentication to authenticate the hosts and the trunk links would need to authenticate with the other switch as well.

Is this feasible? I never worked with 802.1X and only did some labs and I'm afraid of implementing all of this now in a production enviroment.

Thank you

Kind regards

Re: 802.1X in Trunk Links

balaji.bandi — Thu, 20 Jan 2022 17:17:52 GMT

is the issue with only Access points :

The IEEE 802.1X protocol is supported only on Layer 2 static-access ports, Layer 2 static-trunk ports, voice VLAN-enabled ports, and Layer 3 routed ports.

Note

Ethernet interfaces can be configured either as access ports or as trunk ports with the following specifications:

An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN.
A trunk port can have two or more VLANs configured on the interface; it can carry traffic for several VLANs simultaneously.

Re: 802.1X in Trunk Links

simoesmarco8626982 — Thu, 20 Jan 2022 18:03:20 GMT

Thank you Balaji.

If you don't mind me asking, why wouldn't you advise configuring dot1x in trunk links?

Thank you

Re: 802.1X in Trunk Links

Leo Laohoo — Thu, 20 Jan 2022 21:44:03 GMT

@simoesmarco8626982 wrote:

why wouldn't you advise configuring dot1x in trunk links?

Because it does not make any sense.

For 802.1x configured for Trunk links, this means that ALL MAC addresses heard from the Trunk link will be evaluated. What happens if one of those MAC addresses is going to be misbehaving?
Has anyone tried troubleshooting an 802.1x issue on a Trunk link? It is extremely difficult.

802.1x on each access ports makes it easy because troubleshooting and identifying is fairly "low key". Shove 802.1x onto a Trunk link and things will get hairy very fast.

Plus, add a wee bit of complexity by sticking a flapping client and watch the precious Catalyst 9k memory melt.

Re: 802.1X in Trunk Links

balaji.bandi — Fri, 21 Jan 2022 02:15:54 GMT

hope @Leo Laohoo nailed with the answer...is there anything we can help more?

Re: 802.1X in Trunk Links

Massimo Baschieri — Fri, 21 Jan 2022 05:46:11 GMT

Never tried it, but I've always been curious if it works:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html

Maybe it applies for this case.

Re: 802.1X in Trunk Links

simoesmarco8626982 — Fri, 21 Jan 2022 09:17:23 GMT

Thank you @Leo Laohoo @balaji.bandi

great explanation, I will contact the consultant and have a word with him. I'm not going to apply a system that can literally kill the network if a mac starts flapping and that it has a great probability of making my life extremely hard.

Thank you

I would ask the following tough, being MACSec impossible to apply and 802.1X being a time bomb, do you recommend any other way of protecting a trunk link from a man in the middle attack?

Re: 802.1X in Trunk Links

simoesmarco8626982 — Fri, 21 Jan 2022 09:16:40 GMT

Thank you @Massimo Baschieri , the only issue is that is using Cisco ISE and the customer for what it needs to be done would never pay the amount cisco asks for the ISE. Taking that it would be an option

Re: 802.1X in Trunk Links

hslai — Tue, 25 Jan 2022 06:14:29 GMT

This might interest you: Software Features in Cisco IOS XE Cupertino 17.7.1 > Serviceability

access-session host-mode multi-host peer

The command was modified. peer keyword was introduced. Use this command to enable authentication and authorization of a device before any other devices on the fabric edge port. Ensure that the extended node is the peer device that is connected to the fabric edge port.