Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SecurePort (formerly known as SecureConnect) - More or less secure?

Solved
RWelch
Getting noticed
‎Mar 13 2024 5:54 PM
‎Mar 13 2024 5:54 PM

SecurePort (formerly known as SecureConnect) - More or less secure?

I've read through the SecurePort docs and feel with ALLOWED VLANs to ALL after enabling the SecurePort configuration...it's less secure than if pruning the VLANs to which you are serving (example below being VLANs 19-Management, 75-staff, 85-guests).  I get the certificate part....from the perspective of wanting to separate wireless and wired devices.

Is there additional broadcast if ALL VLANs are allowed?

 

Screenshot 2024-03-13 at 19.41.29.png

Screenshot 2024-03-13 at 19.41.19.png

  

0 Kudos
Subscribe
1 Accepted Solution
rhbirkelund
Kind of a big deal
‎Mar 13 2024 11:06 PM
‎Mar 13 2024 11:06 PM

When a switch has SecurePort enabled, only Access Points that belong to the same organization, will be authenticated on the port, and the switchport will get the SecurePort configuration.

This ensures that no one can unplug your access point, and insert their own malicious access point, where traffic may be tunnelled back to some bad actor.

 

You can set the original switchport settings to some closed vlan, to allow minimal access. Once an AP is connected, it will get a restricted network access to allow it to contact the Meraki Cloud.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

View solution in original post

Subscribe
4 Replies 4
rhbirkelund
Kind of a big deal
‎Mar 13 2024 11:06 PM
‎Mar 13 2024 11:06 PM

When a switch has SecurePort enabled, only Access Points that belong to the same organization, will be authenticated on the port, and the switchport will get the SecurePort configuration.

This ensures that no one can unplug your access point, and insert their own malicious access point, where traffic may be tunnelled back to some bad actor.

 

You can set the original switchport settings to some closed vlan, to allow minimal access. Once an AP is connected, it will get a restricted network access to allow it to contact the Meraki Cloud.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
Subscribe
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 14 2024 4:28 AM
‎Mar 14 2024 4:28 AM

It is recommended to always prune unused VLANs, this reduces the amount of unnecessary traffic and bandwidth consumption on the trunk link, as well as the security risks of exposing VLANs to unauthorized devices.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
In response to alemabrahao
Bucket
Getting noticed
‎Mar 21 2024 7:18 AM
‎Mar 21 2024 7:18 AM

From a performance perspective, yes in theory it's better to prune, but in practice, just allow all and avoid the management overhead.

Subscribe
In response to Bucket
RWelch
Getting noticed
‎Mar 21 2024 7:43 PM
‎Mar 21 2024 7:43 PM

@Bucket Well said....thank you.  I concur and appreciate the input/feedback.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.