SecurePort (formerly known as SecureConnect) - More or less secure?

Solved
RWelch
A model citizen

SecurePort (formerly known as SecureConnect) - More or less secure?

I've read through the SecurePort docs and feel with ALLOWED VLANs to ALL after enabling the SecurePort configuration...it's less secure than if pruning the VLANs to which you are serving (example below being VLANs 19-Management, 75-staff, 85-guests).  I get the certificate part....from the perspective of wanting to separate wireless and wired devices.

Is there additional broadcast if ALL VLANs are allowed?

 

Screenshot 2024-03-13 at 19.41.29.png

Screenshot 2024-03-13 at 19.41.19.png

  

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
1 Accepted Solution
rhbirkelund
Kind of a big deal
Kind of a big deal

When a switch has SecurePort enabled, only Access Points that belong to the same organization, will be authenticated on the port, and the switchport will get the SecurePort configuration.

This ensures that no one can unplug your access point, and insert their own malicious access point, where traffic may be tunnelled back to some bad actor.

 

You can set the original switchport settings to some closed vlan, to allow minimal access. Once an AP is connected, it will get a restricted network access to allow it to contact the Meraki Cloud.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

View solution in original post

4 Replies 4
rhbirkelund
Kind of a big deal
Kind of a big deal

When a switch has SecurePort enabled, only Access Points that belong to the same organization, will be authenticated on the port, and the switchport will get the SecurePort configuration.

This ensures that no one can unplug your access point, and insert their own malicious access point, where traffic may be tunnelled back to some bad actor.

 

You can set the original switchport settings to some closed vlan, to allow minimal access. Once an AP is connected, it will get a restricted network access to allow it to contact the Meraki Cloud.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
alemabrahao
Kind of a big deal
Kind of a big deal

It is recommended to always prune unused VLANs, this reduces the amount of unnecessary traffic and bandwidth consumption on the trunk link, as well as the security risks of exposing VLANs to unauthorized devices.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Bucket
Getting noticed

From a performance perspective, yes in theory it's better to prune, but in practice, just allow all and avoid the management overhead.

RWelch
A model citizen

@Bucket Well said....thank you.  I concur and appreciate the input/feedback.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.