Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1632
Views
5
Helpful
2
Replies

Best practice to secure port-channel interfaces not supporting 802.1x on access switches

Go to solution
Madura Malwatte
Level 4
Level 4

‎03-11-2021 05:38 AM

IOS and XE switches doesn't seem to support 802.1x on etherchannel interfaces. What is the best practice/recommendation to secure these ports (etherchannel interfaces) to stop someone from plugging in unauthorized devices?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎03-11-2021 01:07 PM

@Madura Malwatte wrote:

IOS and XE switches doesn't seem to support 802.1x on etherchannel interfaces.

Etherchannel ports should never support 802.1x. 

@Madura Malwatte wrote:

What is the best practice/recommendation to secure these ports (etherchannel interfaces) to stop someone from plugging in unauthorized devices?

Most important is if any person can physically access the access switches then it is "game over".

Lock the cabinets down to stop people from unpatching ethterchannel connection(s) to other ports.  Put CCTV to make sure people are identified correctly.  

View solution in original post

2 Replies 2

Go to solution
Filip Po
Level 1
Level 1

‎03-11-2021 06:07 AM

I think you can use a switch-port security by static/sticky mac address learning.

But only, when port isn't trunk but access.

If someone plug in with wrong mac adress, port should be disabled.

Other config to apply should be MACsec.

0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎03-11-2021 01:07 PM

@Madura Malwatte wrote:

IOS and XE switches doesn't seem to support 802.1x on etherchannel interfaces.

Etherchannel ports should never support 802.1x. 

@Madura Malwatte wrote:

What is the best practice/recommendation to secure these ports (etherchannel interfaces) to stop someone from plugging in unauthorized devices?

Most important is if any person can physically access the access switches then it is "game over".

Lock the cabinets down to stop people from unpatching ethterchannel connection(s) to other ports.  Put CCTV to make sure people are identified correctly.  

Customers Also Viewed These Support Documents