08-26-2022 03:13 PM
Have a setup with a 9800-L and two 1572 mesh APs. One AP is root (parent), the other is mesh (child). The parent root AP is wired to the main LAN where the 9800 sits. The child mesh AP has a switch trunked to its ethernet port. The switch traffic is bridged over the mesh backhaul to the main LAN, providing connectivity for some remote wired users.
Questions that I don't see answers for:
* What kind of encryption/security (if any) is being done over this backhaul for bridged ethernet traffic? The guides mention an AWPP tunnel, but not if it's encrypted/secured in any way.
* I have data encryption enabled on the AP Join Profile. Does this only apply to wireless (CAPWAP) traffic?
My concern is bridge traffic is just ... out there. Hope this isn't the case.
Thanks, all!!
08-26-2022 04:40 PM - edited 08-26-2022 04:44 PM
You can secure the mesh link with PSK or EAP (similar to securing an endpoint's L2 communication).
The AES encryption key is derived during the EAP authentication process and is used for encrypting traffic.
In your setup, you can run the command "show mesh config" to see what you have configured.
So can someone sniff it? Probably yes. If you are using PSK, and someone knows the PSK and can capture the initial 4-way handshake, then they can potentially decrypt traffic; when using EAP it will be rather difficult.
Not to forget, if the application you are using is SSL/TLS based then you have L7 encryption on top of all that. So chances are slim, but as you probably already know, security is only as good as your weakest link.
For more information, read this document; it is a little old but the concept is the same (search for security).
08-28-2022 04:37 PM
Ammahend, thanks for the reply.
Still curious about what's different about the security of traffic flows when comparing bridged ethernet and WiFi traffic. WiFi traffic in the mesh network is secured by a CAPWAP tunnel that's set up as you mentioned above. But bridged ethernet traffic (tagged VLAN traffic) is different; apparently it doesn't flow back to the controller like CAPWAP'd WiFi traffic does, it uses AWPP and continues on to the wired network. But there is little/no explanation as to how/if this bridged ethernet traffic is kept secure as it travels over the air.
So I guess what I'm asking is ... is this bridge traffic that uses AWPP secured? If so, how?
Thanks again for your replies, and apologies for my confusion/ineptitude.
10-03-2022 10:47 AM
Thanks, Ammahend!