
Securing WDS

armin.kraus
Level 1

Is it possible to secure the configuration of WDS?

I have configured two APs with WDS. Priority is set to 200/199. So the AP with priority of 200 will be the WDS master. What happens if a new AP is installed, configured with WDS and a priority of 255? I think this AP will be WDS master. How can I prevent this? The best way would be a password, like the configuration of VTP. Thanks for any suggestions.


aghaznavi
Level 5

Is it possible for you to manually change the priority of the new AP to something less than the current WDS master priority? If yes, then I think this would be the recommended option to sustain your existing WDS master.

Of course this is possible. But if anyone installs an AP with a priority of 255, the WDS master will get some problems. This can be used for a DoS attack.

scottmac
Level 10

It's my understanding that once a WDS is "elected" it stays the WDS Master until it goes off-line, even if another higher priority unit is added to the broadcast domain.

If the Master goes off-line, another election is held, and the WDS-designated unit with the highest priority will assume the role.

It's been a while, but that's my recollection. It was a specific question brought up in class.

FWIW

Scott

ScottMac is correct. I believe the person configuring the WDS priority would also have to know the user/pass for authenticating the AP to WDS. This might be a form of security for you. Without this the AP will not be recognized by WDS.

s.vautour
Level 1

Hello,

Another way to secure WDS is to use a management VLAN (out of band management). Create a management VLAN to use to manage your APs. Configure an 802.1Q trunk to each AP and add your management VLAN over the trunks. The APs should have their management IPs in the mgmt VLAN. Make sure the management VLAN isn't tied to an SSID. Make sure to explicitly enable the management VLAN only on the switch ports or trunks where you need it.

The AP-AP WDS traffic (WLCCP) will only happen on the management VLAN. Since it isn't possible to get access to your management VLAN, it isn't possible for a 3rd party to inject a new AP that could potentially take over as WDS primary.

Serge
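
An added example, not part of the thread or any poster's own code: a small audit that checks the last point in the reply above, namely that the management VLAN is reachable only on the switch ports that need it. The VLAN id, the approved port list and the sample interface stanzas are constructed assumptions; the parser covers only the simple `allowed vlan` list form.

```python
import re

MGMT_VLAN = 10                      # assumed management VLAN id
APPROVED = {"GigabitEthernet0/1"}   # assumed AP-facing trunk ports

# Constructed sample of switch interface stanzas (not from the thread).
SAMPLE = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/5
 switchport mode trunk
 switchport trunk allowed vlan 20-40
"""

def expand(vlans):
    # Turn '10,20-22' into {10, 20, 21, 22}.
    out = set()
    for part in vlans.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def ports_carrying(config, vlan):
    # Return the interfaces on which `vlan` is reachable.
    hits = []
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        if "switchport mode trunk" in body:
            allowed = re.search(r"trunk allowed vlan ([\d,\- ]+)", body)
            # A trunk with no allowed list carries every VLAN.
            # Simplified: the 'add'/'none'/'except' forms are not parsed.
            carries = allowed is None or vlan in expand(allowed.group(1))
        else:
            acc = re.search(r"switchport access vlan (\d+)", body)
            carries = bool(acc) and int(acc.group(1)) == vlan
        if carries:
            hits.append(name)
    return hits

def unexpected_ports(config=SAMPLE, vlan=MGMT_VLAN, approved=APPROVED):
    return [p for p in ports_carrying(config, vlan) if p not in approved]

if __name__ == "__main__":
    print(unexpected_ports())
```

The trunk with no allowed list is reported because it carries every VLAN, which is the case most easily missed when the management VLAN is added later.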

jraulinaitis
Level 1

You have the option of configuring the IP address of the WDS on the Infrastructure APs, but I don't remember if it allows multiple addresses for redundancy. Let us know.
