1316 Views, 0 Helpful, 8 Replies

Flex Connect AP deployment with port security - should it be done ?

philip.koch
Level 1

Currently running port security on APs operating in local mode.

The requirement is to move the AP into Flex mode and change the switch port to a trunk to allow local VLAN switching for the corp .1x SSID; the remaining SSIDs will stay centrally switched.

 

If the AP is changed to Flex mode and switch port security remains, what is the implication for the corp wifi client operating on the secured switchport? Will double auth occur, and does the port security max # need to be removed for many MAC addresses to operate on that port?

 

There is a current Cisco link which seems to indicate a .1x secured port can be used by the AP to send tagged traffic:

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200492-Securing-a-flexconnect-AP-switchport-wit.html

 

but it doesn't mention specific switch port settings...

 

The current secure AP switchport config is attached.

  

8 Replies

ammahend
VIP

If the authentication for FlexConnect is central (which most likely would be), then all client authentication traffic will be sent to the controller over CAPWAP and clients will only authenticate once and not twice (if that's what you were asking), and the data plane will be sent to the local switch.

You would also want to add the "authentication host-mode multi-host" command.

No port security on the AP port; the switch will see the connected client MACs on the AP port.

-hope this helps-

Hi Ammahend,

as per the last line in your reply, "No port security on AP port, switch will see connected client mac on AP port."

Are you saying the AP switchport should not be configured for port security? i.e. just a normal trunk port with native VLAN.

 

Cheers

"are you saying the AP switchport should not be configured for port security? ie: just a normal trunk port with native vlan."

Yes Sir.

-hope this helps-

Arshad Safrulla
VIP Alumni

Wireless client DOT1X authentication will happen only at the WLC or AP (depending on the AAA configuration). Why do you want to authenticate the user again at the switch level? All the L2 security is taken care of by the WLC or AP itself (again depending on the configuration).

As per the documentation you shared, you are already securing the switchport by enabling DOT1X for the connecting AP.

I really do not see any gains by enabling port security on the FlexConnect AP connecting switchport when you have already covered most of the attack vectors. If you think there is any, I would like to know the attack and the methodology.

Thanks for the reply. I think some may misunderstand the initial question.
Remote site APs (local mode to WLC) are already operating with port security in place.
The client now wishes to move the AP mode from local to Flex, allowing corp data to be locally switched for SD-WAN support in the near future.
The question is: can the APs be moved to FlexConnect using the current switch port config, or does the current config need to change, e.g. remove the "switchport port-security maximum 3"?

OR should port security be fully removed from all remote site AP ports, and just run a normal trunk with native VLAN?

It depends on how you switch the traffic on your SSIDs. If all are switched centrally then you don't need to make any changes. But in case you have SSIDs switched locally, then you need to change it to a trunk and remove the port security.
While you can enable certain port security features, it may break a lot of services:

1. Clients will not be able to roam from one AP to another.
2. The maximum number of clients connecting to the AP will be limited if the maximum MAC address limit is reached, etc.

Thank you,

One SSID is to be locally switched, which is the reason to go Flex.
We are going to do some testing, but it does seem to be the common consensus: remove port security on the AP ports and run as a standard config trunk with native VLAN.
Also, there is some concern about client AP roaming and MACs appearing on new switch ports; the plan was to also remove the port-sec max #.
I may publish results of testing if we get that far....

Prince.O
Spotlight

Hi Philip,

 

In theory, you can have port-security on the trunk port for a FlexConnect AP.

 

However, a port-security configuration on the trunk port with a FlexConnect AP doing local switching will likely cause problems for the AP and client traffic due to the nature of wireless clients roaming, etc., so we can expect new MACs to be learned. This will likely not play nice with the port-security configuration and cause traffic stalls or port shutdown from the switch side.

 

I would suggest removing the port-security configuration and just having a trunk with a native VLAN for the most optimal performance.
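To make the two switchport configurations the replies compare concrete, here is an added before/after Cisco IOS interface example. It is not taken from the thread, the attached config, or the linked Cisco document; the interface name, VLAN IDs and description strings are assumed placeholders, and only "switchport port-security maximum 3" and "authentication host-mode multi-host" come from the posts above. The "after" block is the consensus of the replies: a trunk with a native VLAN, port-security removed (so client MACs learned behind the AP and MACs moving between AP ports on roaming are no longer counted against a per-port limit), and the AP itself authenticated with 802.1X as the linked document describes. "authentication host-mode multi-host" is the IOS setting that lets any number of MACs use the port once the first one (the AP) has authenticated; whether 802.1X is supported on a trunk port depends on the switch platform and software release, so check that before rolling it out.

```cisco
! --- BEFORE (constructed): local-mode AP on an access port with port-security ---
! The AP is the only expected MAC, so "maximum 3" leaves headroom for the AP
! plus a couple of wired devices; all wireless client traffic is inside CAPWAP
! and the switch never sees client MACs on this port.
interface GigabitEthernet1/0/10
 description AP-LOCAL-MODE (assumed interface and name)
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 spanning-tree portfast
!
! --- AFTER (constructed): FlexConnect AP with one locally switched SSID ---
! VLAN 100 (assumed) = AP management / CAPWAP VLAN, carried untagged as native.
! VLAN 200 (assumed) = corp .1x SSID, locally switched, so the AP sends it tagged
! and the switch now learns every wireless client MAC on this port.
! Port-security is removed; a MAC limit here would be hit by normal client
! counts and by MACs moving between AP ports when clients roam.
interface GigabitEthernet1/0/10
 description AP-FLEXCONNECT (assumed interface and name)
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,200
 no switchport port-security
 ! 802.1X for the AP itself, per the linked document's approach and ammahend's
 ! reply: the AP authenticates once, then multi-host admits the client MACs
 ! behind it without re-authenticating each one at the switch.
 authentication port-control auto
 authentication host-mode multi-host
 dot1x pae authenticator
 spanning-tree portfast trunk
```

After the change, "show port-security interface GigabitEthernet1/0/10" should report port security disabled, and "show mac address-table interface GigabitEthernet1/0/10" should list client MACs on VLAN 200 alongside the AP's MAC on VLAN 100, which is the expected sign that local switching is working rather than a problem to be limited.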

 
