I've read through the SecurePort docs and feel that leaving ALLOWED VLANs at ALL after enabling the SecurePort configuration... is less secure than pruning to the VLANs you are actually serving (example below: VLANs 19-Management, 75-staff, 85-guests). I get the certificate part... from the perspective of wanting to separate wireless and wired devices.
Is there additional broadcast if ALL VLANs are allowed?
When a switch has SecurePort enabled, only Access Points that belong to the same organization will be authenticated on the port, and the switchport will get the SecurePort configuration.
This ensures that no one can unplug your access point and insert their own malicious access point, where traffic may be tunnelled back to some bad actor.
You can set the original switchport settings to some closed VLAN, to allow minimal access. Once an AP is connected, it will get restricted network access to allow it to contact the Meraki Cloud.
It is recommended to always prune unused VLANs; this reduces the amount of unnecessary traffic and bandwidth consumption on the trunk link, as well as the security risk of exposing VLANs to unauthorized devices.
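One way to check for the situation the answer warns about, as an added example that is not from this thread or from Meraki: audit a switch's port list and flag trunk ports whose allowed VLANs go beyond the set an AP port should carry (19, 75, 85 from the question). The port list is constructed, and the field names `portId`, `type`, `vlan` and `allowedVlans` are an assumption about the shape of the Dashboard API switch-port object, not taken from the thread.

```python
from typing import Dict, List, Set

# Constructed sample of switch-port objects; the field names are an assumption
# about the Dashboard API shape, not something the thread states.
SAMPLE_PORTS: List[Dict] = [
    {"portId": "1", "type": "trunk", "vlan": 19, "allowedVlans": "all"},
    {"portId": "2", "type": "trunk", "vlan": 19, "allowedVlans": "19,75,85"},
    {"portId": "3", "type": "trunk", "vlan": 19, "allowedVlans": "19,75-85,200"},
    {"portId": "4", "type": "access", "vlan": 85, "allowedVlans": "all"},
]

# VLANs an AP-facing port should legitimately carry (management, staff, guests).
AP_VLANS: Set[int] = {19, 75, 85}


def parse_allowed_vlans(spec: str) -> Set[int]:
    """Expand '19,75-85,200' into a set of VLAN IDs; 'all' means 1-4094."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def audit_trunk_ports(ports: List[Dict], expected: Set[int]) -> Dict[str, List[int]]:
    """Return {portId: sorted extra VLANs} for trunk ports carrying more than expected.

    Access ports are skipped: they carry only their access VLAN, so allowedVlans
    does not widen what a device on that port can reach.
    """
    findings: Dict[str, List[int]] = {}
    for port in ports:
        if port.get("type") != "trunk":
            continue
        extra = parse_allowed_vlans(port["allowedVlans"]) - expected
        if extra:
            findings[port["portId"]] = sorted(extra)
    return findings


if __name__ == "__main__":
    pruned = ",".join(str(v) for v in sorted(AP_VLANS))
    for port_id, extra in audit_trunk_ports(SAMPLE_PORTS, AP_VLANS).items():
        print(f"port {port_id}: {len(extra)} VLAN(s) beyond allowed list {pruned}")
```

Port 1 (ALL) shows up with 4091 extra VLANs and port 3 with the unneeded 76-84 and 200; port 2 is already pruned to the three VLANs and is not reported.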
From a performance perspective, yes, in theory it's better to prune, but in practice, just allow all and avoid the management overhead.