03-29-2022 05:08 PM
currently running port security on APs operating in local mode.
the requirement is to move the AP into Flex mode and change the SW port to trunk to allow local VLAN switching for the Corp .1x SSID; remaining SSIDs will stay centrally switched.
If the AP is changed to Flex mode and SW port security remains, what is the implication for the corp wifi client operating on the secured switchport? Will double auth occur, and does the port security max # need to be removed for many MAC addresses to operate on that port?
there is a current Cisco link which seems to indicate a .1x secure port can be used by the AP to send tagged traffic
but it doesn't mention specific SW port settings ...
Current secure AP switchport is attached
03-29-2022 05:35 PM - edited 03-29-2022 05:45 PM
if the authentication for FlexConnect is central (which most likely would be), then all client authentication traffic will be sent to the controller over CAPWAP and will only authenticate once and not twice (if that's what you were asking), and the data plane will be sent to the local switch.
you would also want to add the "authentication host-mode multi-host" command.
No port security on the AP port; the switch will see the connected client MAC on the AP port.
03-29-2022 06:01 PM
Hi Ammahend,
as per the last line in your reply "No port security on AP port, switch will see connected client mac on AP port."
are you saying the AP switchport should not be configured for port security? ie: just a normal trunk port with a native VLAN.
Cheers
03-29-2022 06:29 PM
are you saying the AP switchport should not be configured for port security? ie: just a normal trunk port with a native VLAN.
Yes Sir.
03-30-2022 01:44 PM
Wireless client DOT1X authentication will happen only at the WLC or AP (depending on the AAA configuration), so why do you want to authenticate the user again at the switch level? All the L2 security is taken care of by the WLC or AP itself (again depending on the configuration).
As per the documentation you shared, you are already securing the switchport by enabling DOT1X for the connecting AP.
I really do not see any gains by enabling port security on the FlexConnect AP's connecting switchport when you have already covered most of the attack vectors. If you think there is any, I would like to know the attack and the methodology.
03-30-2022 04:21 PM
Hi Philip,
In theory, you can have port-security on the trunk port for a FlexConnect AP.
However, a port-security configuration at the trunk port with a FlexConnect AP doing local switching will likely cause problems for the AP and client traffic due to the nature of wireless clients roaming, etc., so we can expect new MACs to be learned. This will likely not play nice with the port-security configuration and cause traffic stalls or a port shutdown from the switch side.
I would suggest removing the port-security configuration and just having a trunk with a native VLAN for the most optimal performance.
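To make the advice in this thread concrete, here is an added IOS example (not from any post above or from Cisco documentation) showing the local-mode port with port-security next to the FlexConnect trunk port without it. The interface name and VLAN numbers (10 for AP management/native, 20 for the locally switched corp SSID) are assumed values.

```cisco
! Added example, not from this thread. Interface and VLAN IDs are assumed.
!
! --- Before: local-mode AP on a secured access port (the original setup) ---
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! --- After: FlexConnect AP with local switching, 802.1X for the AP itself ---
interface GigabitEthernet1/0/10
 description FlexConnect AP - corp SSID locally switched on VLAN 20
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 ! No port-security: locally switched/roaming clients make the switch learn
 ! new MACs on this port, so a MAC limit would hit violations or err-disable.
 no switchport port-security
 ! 802.1X authenticates the AP; wireless clients are authenticated once by the
 ! WLC/AP over CAPWAP and are not challenged a second time by the switch.
 dot1x pae authenticator
 authentication port-control auto
 ! multi-host: after the AP authenticates, any MAC behind it is permitted.
 authentication host-mode multi-host
 spanning-tree portfast trunk
!
! Checks after the change:
!   show authentication sessions interface GigabitEthernet1/0/10
!   show port-security interface GigabitEthernet1/0/10   (expect: disabled)
!   show mac address-table interface GigabitEthernet1/0/10 (client MACs on VLAN 20)
```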