
802.1X in Trunk Links

Hi all,

 

hope to find everyone well

I found a topic from 2014 about this subject that stated that 802.1X couldn't be applied in trunk links, but I've read as well in a Cisco article that 802.1X could be applied in trunk links. Is this true?

I ask this because I need to connect two Cisco Catalyst 9000 switches to each other with a trunk, but use 802.1X so that they authenticate with each other. Is this possible?

 

Thank you

 

Kind regards

Accepted Solution

balaji.bandi (Hall of Fame)

Personally I would not advise dot1x on trunk or port-channel links.

 

I ask this because I need to connect two Cisco Catalyst 9000 switches to each other with a trunk, but use 802.1X so that they authenticate with each other. Is this possible?

What is the use case here? Even though the Cisco switches are connected to each other, the access ports will still use 802.1X authentication, right?

 

Check the guidelines:

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-e/sec-usr-8021x-15-e-book/config-ieee-802x-pba.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


10 Replies


Thank you for the reply Balaji

 

The story is the following: the consultant initially requested that all the links between switches be encrypted, and I was using MACsec to do this. The issue is that the trunk links are connected to high-capacity 80 GHz radios (10 Gbps), and these radios don't forward the MACsec frames from one switch to the switch on the other side; basically they act like a switch themselves.

Because I wasn't able to implement MACsec on the trunk links between switches due to the radios, the consultant came up with the idea of implementing 802.1X now, when the network is already in production.

So basically all the access ports would now use port authentication to authenticate the hosts, and the trunk links would need to authenticate with the other switch as well.

Is this feasible? I have never worked with 802.1X, only done some labs, and I'm afraid of implementing all of this now in a production environment.

 

Thank you

 

Kind regards

Is the issue only with access points?

 

The IEEE 802.1X protocol is supported only on Layer 2 static-access ports, Layer 2 static-trunk ports, voice VLAN-enabled ports, and Layer 3 routed ports.

Note

Ethernet interfaces can be configured either as access ports or as trunk ports with the following specifications:
  • An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN.
  • A trunk port can have two or more VLANs configured on the interface; it can carry traffic for several VLANs simultaneously.

BB


Thank you Balaji.

If you don't mind me asking, why wouldn't you advise configuring dot1x in trunk links?

 

Thank you

 

@simoesmarco8626982 wrote:
why wouldn't you advise configuring dot1x in trunk links?
Because it does not make any sense.

With 802.1x configured on trunk links, ALL MAC addresses heard from the trunk link will be evaluated. What happens if one of those MAC addresses is misbehaving?
Has anyone tried troubleshooting an 802.1x issue on a trunk link? It is extremely difficult.

802.1x on each access port makes it easy because troubleshooting and identification are fairly "low key". Shove 802.1x onto a trunk link and things will get hairy very fast.

Plus, add a wee bit of complexity by sticking in a flapping client and watch the precious Catalyst 9k memory melt.
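As an added example (not from the thread or from Cisco), a small Python check that turns the point above into something a defender can watch for: it parses dot1x syslog lines, flags a client that re-authenticates repeatedly on one interface, and counts how many distinct MACs are authenticating per interface. The log lines are constructed and only approximate the IOS %DOT1X-5-SUCCESS / %DOT1X-5-FAIL message format; the hostname, interface names and MACs are made up, and a year is supplied because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog sample approximating IOS %DOT1X-5-SUCCESS / %DOT1X-5-FAIL messages (hostname,
# interfaces and MACs made up): Gi1/0/5 carries a flapping client, Gi1/0/48 stands in for an uplink.
SAMPLE_LOGS = """\
Jan 10 10:00:01 sw1 %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/5 AuditSessionID 0A000001
Jan 10 10:00:09 sw1 %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/5 AuditSessionID 0A000002
Jan 10 10:00:17 sw1 %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/5 AuditSessionID 0A000003
Jan 10 10:00:25 sw1 %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/5 AuditSessionID 0A000004
Jan 10 10:00:30 sw1 %DOT1X-5-SUCCESS: Authentication successful for client (aabb.ccdd.0001) on Interface Gi1/0/48 AuditSessionID 0A000005
Jan 10 10:00:31 sw1 %DOT1X-5-SUCCESS: Authentication successful for client (aabb.ccdd.0002) on Interface Gi1/0/48 AuditSessionID 0A000006
Jan 10 10:00:32 sw1 %DOT1X-5-FAIL: Authentication failed for client (aabb.ccdd.0003) on Interface Gi1/0/48 AuditSessionID 0A000007
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %DOT1X-5-(?P<result>SUCCESS|FAIL): "
                     r".*?client \((?P<mac>[0-9A-Fa-f.]+)\) on Interface (?P<intf>\S+)")

def parse_dot1x_events(text, year=2024):
    # Syslog has no year, so the caller supplies one; returns (ts, interface, mac, result) tuples.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["intf"], m["mac"].lower(), m["result"]))
    return events

def find_churn(events, window=timedelta(seconds=60), threshold=3):
    # Flag (interface, mac) pairs with >= threshold auth events inside any sliding window.
    times_by_key = defaultdict(list)
    for ts, intf, mac, _ in events:
        times_by_key[(intf, mac)].append(ts)
    flagged = {}
    for key, times in times_by_key.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

def macs_per_interface(events):
    # Distinct authenticating MACs per interface: an uplink shows many, an access port one or two.
    seen = defaultdict(set)
    for _, intf, mac, _ in events:
        seen[intf].add(mac)
    return {intf: len(macs) for intf, macs in seen.items()}
```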

Hope @Leo Laohoo nailed it with the answer... Is there anything more we can help with?

 

BB


Never tried it, but I've always been curious if it works:

https://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html

Maybe it applies for this case.

Thank you @Massimo Baschieri. The only issue is that it uses Cisco ISE, and for what needs to be done the customer would never pay the amount Cisco asks for ISE. Apart from that, it would be an option.

Thank you @Leo Laohoo @balaji.bandi 

 

Great explanation. I will contact the consultant and have a word with him. I'm not going to apply a system that can literally kill the network if a MAC starts flapping and that has a great probability of making my life extremely hard.

Thank you

I would ask the following though: with MACsec being impossible to apply and 802.1X being a time bomb, do you recommend any other way of protecting a trunk link from a man-in-the-middle attack?

hslai (Cisco Employee)

This might interest you: Software Features in Cisco IOS XE Cupertino 17.7.1 > Serviceability

access-session host-mode multi-host peer

The command was modified. The peer keyword was introduced. Use this command to enable authentication and authorization of a device before any other devices on the fabric edge port. Ensure that the extended node is the peer device that is connected to the fabric edge port.
