01-20-2022 08:48 AM
Hi all,
Hope to find everyone well.
I found a topic from 2014 about this subject that stated that 802.1X couldn't be applied on trunk links, but I've also read in a Cisco article that 802.1X could be applied on trunk links. Is this true?
I ask this because I need to connect two Cisco Catalyst 9000 switches to each other over a trunk, but use 802.1X so that they authenticate with each other. Is this possible?
Thank you
Kind regards
01-20-2022 09:01 AM
Personally I would not advise dot1x on trunk or port-channel links.
I asked this because I needed to put two Cisco Catalyst 9000 connected to each other in trunk but to use 802.1X to authenticate with each other. Is this possible?
What is the use case here? Even though the Cisco switches are connected to each other, the access ports would still use 802.1X authentication, right?
Check the guidelines:
01-20-2022 09:12 AM - edited 01-20-2022 09:13 AM
Thank you for the reply Balaji.
The story is the following: the consultant initially requested that all the links between switches should be encrypted, and I was using MACsec to do this. The issue is that the trunk links are connected to high-capacity 80 GHz radios (10 Gbps), and these radios don't forward the MACsec frames from one switch to the switch on the other side; basically they act like a switch themselves.
Because I wasn't able to implement MACsec on the trunk links between switches due to the radios, the consultant came up with the idea of implementing 802.1X now, when the network is already in production.
So basically all the access ports would now use port authentication to authenticate the hosts, and the trunk links would need to authenticate with the other switch as well.
Is this feasible? I have never worked with 802.1X, have only done some labs, and I'm afraid of implementing all of this now in a production environment.
Thank you
Kind regards
01-20-2022 09:17 AM - edited 01-20-2022 09:17 AM
Is the issue only with access points?
The IEEE 802.1X protocol is supported only on Layer 2 static-access ports, Layer 2 static-trunk ports, voice VLAN-enabled ports, and Layer 3 routed ports.
01-20-2022 10:03 AM
Thank you Balaji.
If you don't mind me asking, why wouldn't you advise configuring dot1x in trunk links?
Thank you
01-20-2022 01:44 PM
@simoesmarco8626982 wrote:
why wouldn't you advise configuring dot1x in trunk links?
Because it does not make any sense.
With 802.1x configured on trunk links, ALL MAC addresses heard on the trunk link will be evaluated. What happens if one of those MAC addresses misbehaves?
Has anyone tried troubleshooting an 802.1x issue on a trunk link? It is extremely difficult.
802.1x on each access port is easy because troubleshooting and identifying is fairly "low key". Shove 802.1x onto a trunk link and things will get hairy very fast.
Plus, add a wee bit of complexity by sticking in a flapping client and watch the precious Catalyst 9k memory melt.
01-20-2022 06:15 PM
Hope @Leo Laohoo nailed it with the answer... is there anything more we can help with?
01-20-2022 09:46 PM
Never tried it, but I've always been curious if it works:
https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html
Maybe it applies for this case.
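For readers who follow the NEAT link, here is a minimal NEAT (Network Edge Authentication Topology) configuration for the switch-to-switch case asked about in this thread. It is an added example written for this thread, not configuration from the linked Cisco document or from any poster. Hostnames, VLAN 10, the RADIUS address 192.0.2.10, the credential name NEAT and both secrets are placeholders; it assumes a RADIUS server (ISE in the linked document) that holds the supplicant switch's username and returns the Cisco AV pair device-traffic-class=switch, which is what makes the authenticator convert its access port into a trunk after authentication.

```cisco
! --- Authenticator switch (upstream Catalyst): the port facing the downstream switch ---
hostname SW-AUTH
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! CISP (Client Information Signalling Protocol) carries the NEAT exchange between the switches
cisp enable
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-RADIUS-SECRET
!
interface GigabitEthernet1/0/1
 description to SW-SUP (NEAT link)
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
! Until SW-SUP authenticates, only EAPOL passes here; on success the RADIUS reply
! cisco-av-pair = device-traffic-class=switch turns this port into a trunk.
!
! --- Supplicant switch (downstream Catalyst): its uplink authenticates like a client ---
hostname SW-SUP
cisp enable
! Identity presented over EAP (default EAP-MD5 here); the account must exist on the RADIUS server
dot1x credentials NEAT
 username sw-sup
 password 0 PLACEHOLDER-SUPPLICANT-PASSWORD
! Send EAPOL as multicast so the authenticator sees it even on a trunk-mode port
dot1x supplicant force-multicast
!
interface GigabitEthernet1/0/24
 description uplink to SW-AUTH (NEAT link)
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT
```

On the authenticator, show authentication sessions interface GigabitEthernet1/0/1 and show cisp summary confirm that the downstream switch authenticated and that the port was converted to a trunk.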
01-21-2022 01:16 AM
Thank you @Massimo Baschieri. The only issue is that it uses Cisco ISE, and the customer would never pay the amount Cisco asks for ISE for what needs to be done. Other than that, it would be an option.
01-21-2022 01:13 AM - edited 01-21-2022 01:17 AM
Thank you @Leo Laohoo @balaji.bandi
Great explanation. I will contact the consultant and have a word with him. I'm not going to apply a system that can literally kill the network if a MAC starts flapping and that has a great probability of making my life extremely hard.
Thank you
I would ask the following though: with MACsec being impossible to apply and 802.1X being a time bomb, do you recommend any other way of protecting a trunk link from a man-in-the-middle attack?
01-24-2022 10:14 PM
This might interest you: Software Features in Cisco IOS XE Cupertino 17.7.1 > Serviceability
access-session host-mode multi-host peer
The command was modified. The peer keyword was introduced. Use this command to enable authentication and authorization of a device before any other devices on the fabric edge port. Ensure that the extended node is the peer device that is connected to the fabric edge port.