11-14-2017 12:46 PM - edited 02-21-2020 10:39 AM
Hi,
I have 2 Cisco switches connected via a layer 2 port channel (trunk). LACP. 1 Catalyst 9300, 1 Catalyst 3650.
I am trying to configure authentication between the switches on the port channel so that the 9300 will only allow that specific 3650 to connect on that port channel. This is because the 3650 is not in a secure location and anyone may be able to connect to that uplink.
The switches won't let me do switchport port-security.
What would be the best way to do this? I was thinking 802.1x with local authentication but I don't know if that would work or how to configure it.
Thanks,
Waqas
11-15-2017 03:34 AM
Hi Waqas,
Your switches are the latest generation, so you can use MACsec between the two switches. MACsec provides per-link authentication and encryption between the switches. I haven't tried this myself yet, but you should be able to do this. Have a look at this document.
Alternatively you could use NEAT, if you have ISE/ACS infrastructure and you authenticate your users with dot1x. Check this guide on NEAT
Regards,
Agris
Please rate if helpful
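An added example of the switch-to-switch MACsec setup Agris is pointing at (MKA with a pre-shared key), written for this thread rather than taken from Cisco's document. It assumes IOS-XE command syntax on the Catalyst 9300 and that the 3650's uplink port also supports MACsec with MKA; the key-chain and policy names, the interface numbers, the channel-group number and the 32-hex-digit key value are placeholders and must be replaced. The same configuration, with the same CAK, is applied on the matching physical interface of the other switch; it goes on each physical member of the port channel, not on the Port-channel interface.

```cisco
! --- Added example: switch-to-switch MACsec (MKA, pre-shared key) ---
! Apply the same key chain and policy on BOTH switches.
!
! Store the key-string as a type-6 (AES-encrypted) secret in the running
! config rather than in clear text; the 3650 sits in an insecure location,
! so anyone who obtains its config should not get a usable CAK.
key config-key password-encrypt <master-passphrase-placeholder>
password encryption aes
!
! Connectivity Association Key (CAK). Placeholder value; generate your own
! 32 hex digits (128 bits) from a CSPRNG and keep it off shared drives.
key chain MKA-KEYCHAIN macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 00112233445566778899aabbccddeeff
!
! MKA policy: the cipher suite negotiated once both ends prove knowledge
! of the CAK. A peer without the key never gets an SA, so no frames are
! forwarded on that member link.
mka policy MKA-POLICY
 macsec-cipher-suite gcm-aes-128
!
! Repeat for every physical member of the LACP bundle (placeholder ports).
interface TenGigabitEthernet1/1/1
 description Uplink to 3650 (MACsec protected member of Po1)
 switchport mode trunk
 macsec network-link
 mka policy MKA-POLICY
 mka pre-shared-key key-chain MKA-KEYCHAIN
 channel-group 1 mode active
!
interface TenGigabitEthernet1/1/2
 description Uplink to 3650 (MACsec protected member of Po1)
 switchport mode trunk
 macsec network-link
 mka policy MKA-POLICY
 mka pre-shared-key key-chain MKA-KEYCHAIN
 channel-group 1 mode active
!
! Verification (exec mode): a healthy link shows a Secured MKA session and
! increasing protected/validated frame counters.
! show mka sessions
! show mka policy MKA-POLICY
! show macsec interface TenGigabitEthernet1/1/1
! show etherchannel 1 summary
```

Two checks worth doing before relying on this: confirm with `show mka sessions` that each member shows a secured session to the expected peer (a member that stays in an unsecured or pending state will not pass traffic, which is what you want for a rogue device), and confirm in the 3650's platform documentation that its uplink hardware supports MACsec, since that is assumed here and not verified on the page. Note also that a pre-shared CAK only proves the peer knows the key: if the exposed 3650 itself is stolen or its config is read, rotate the key on the 9300.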