
I am planning to connect an existing Cisco 3750 switch to a 3560C switch over a wireless PTP bridge. The bridge will be WPA2 protected, but I am looking for an additional measure of security between the switches to prevent other wireless access through either switch.

They do not support IPSec, only 802.1Q tunnels, and buying additional hardware is not likely an option.

I am looking into using TrustSec manual mode between the switches. After some effort reading into TrustSec and MACsec, I am mostly certain this is a good choice over the wireless bridge, keeping in mind it is a shared medium.

Two questions:

  • Can I reliably prevent other wireless traffic from accessing the switches using TrustSec?

  • Does anyone know of any better options with the 3000 series switches?

metatheorem

1 Answer


You have two problems...

First, the Cisco 3750 classic model does not support MacSec; however, the 3560C (second generation) supports it on the GE ports. MacSec requires special support in the Ethernet PHY, and the older Cisco 3750s do not have MacSec in the PHY.

Second, MacSec is a hop-by-hop encryption protocol, as such, it does not support a topology like this:

+-------------+                     WPA2 CCMP                     +-------------+
| MacSec SW1  |---{Wireless Bridge}>>>>><<<<<<{Wireless Bridge}---|  MacSec SW2 |
+-------------+                                                   +-------------+

IEEE 802.1ae-2006 MacSec cannot be repeated across different ethernet links, which is what you're trying to do with the wifi bridges. Sadly, you need some dedicated encryption HW (such as IPSec or SSL VPN) ahead of the wireless link to ensure this does what you need.

Can I reliably prevent other wireless traffic from accessing the switches using TrustSec?

Not with TrustSec, you need something like SSL or IPSec encryption as I mentioned above.

Mike Pennington
  • Thanks. I guess I equated the transparent bridge with a repeater. – metatheorem Jun 02 '14 at 21:42
  • @metatheorem, 802.3 ethernet and 802.11 wifi are quite different protocols; among the most basic differences are MTU and 802.11's requirement for frame ACKs. Wifi APs and Bridges which provide connectivity between a physical wire and RF are by-definition much more than a repeater. – Mike Pennington Jun 03 '14 at 10:07
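The hop-by-hop point in the answer above is easier to see from the frame format itself: on the wire a MACsec frame carries EtherType 0x88E5 followed by the 802.1AE SecTAG, and with the E bit set the original EtherType and payload are inside the ciphertext, so a device in the path that holds no key for that secure association (such as a wireless bridge) can only forward the frame as an opaque blob and cannot take part in the association. The parser below is an added example written for this page, not code from the question, the answer or Cisco; the two sample frames, the MAC addresses, the "ciphertext" and the ICV bytes are all constructed placeholders, not real AES-GCM output. A defender can run the same parser over a capture taken on the wired side of a bridge to check whether the traffic crossing it is actually MACsec-tagged or cleartext.

```python
# Added example: decode the IEEE 802.1AE SecTAG to show what is and is not
# visible to a device in the middle of a MACsec-protected link.
# All sample frames are constructed by hand; no real MACsec keys are involved.
import struct

MACSEC_ETHERTYPE = 0x88E5   # EtherType that marks a MACsec-tagged frame
ICV_LEN = 16                # GCM-AES-128 integrity check value length in bytes


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into header fields; decode the SecTAG if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": etype, "macsec": False}
    if etype != MACSEC_ETHERTYPE:
        # Cleartext frame: the payload EtherType is readable by anyone on the link.
        info["visible_payload_ethertype"] = etype
        return info
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("truncated SecTAG")
    tci_an = frame[14]
    info.update({
        "macsec": True,
        "version": tci_an >> 7,              # V bit, must be 0 for 802.1AE-2006
        "end_station": (tci_an >> 6) & 1,    # ES bit
        "sci_present": (tci_an >> 5) & 1,    # SC bit: explicit SCI follows the PN
        "encrypted": (tci_an >> 3) & 1,      # E bit: secure data is ciphertext
        "changed_text": (tci_an >> 2) & 1,   # C bit
        "an": tci_an & 0x03,                 # association number (which SA key is in use)
        "short_length": frame[15] & 0x3F,    # SL field, 0 when secure data >= 48 bytes
        "pn": struct.unpack("!I", frame[16:20])[0],  # packet number, feeds replay protection
    })
    offset = 20
    if info["sci_present"]:
        # Secure Channel Identifier = sender MAC + 16-bit port identifier
        info["sci"] = frame[20:28].hex(":")
        offset = 28
    info["secure_data"] = frame[offset:-ICV_LEN]
    info["icv"] = frame[-ICV_LEN:]
    # With E=1 the inner EtherType is part of the ciphertext; a hop without the
    # SA key sees nothing but 0x88E5 and opaque bytes. Integrity-only mode (E=0)
    # leaves the inner EtherType readable in the first two bytes of secure data.
    if info["encrypted"]:
        info["visible_payload_ethertype"] = None
    else:
        info["visible_payload_ethertype"] = struct.unpack("!H", info["secure_data"][:2])[0]
    return info


def build_sample_frames() -> dict:
    """Constructed sample frames: one cleartext ARP, one MACsec-tagged frame."""
    sw1 = bytes.fromhex("001122334455")   # placeholder MAC for switch 1
    sw2 = bytes.fromhex("66778899aabb")   # placeholder MAC for switch 2
    # Cleartext ARP request, padded to a legal minimum frame size.
    arp = sw2 + sw1 + struct.pack("!H", 0x0806) + bytes(28) + bytes(18)
    # MACsec frame from SW1: TCI/AN with SC, E and C set and AN=0 -> 0b0010_1100.
    tci_an = 0x2C
    sl = 0x00                              # secure data is 48 bytes, so SL is 0
    pn = 1
    sci = sw1 + struct.pack("!H", 1)       # SCI = SW1 MAC + port identifier 1
    ciphertext = bytes(range(48))          # placeholder, not real AES-GCM output
    icv = b"\xaa" * ICV_LEN                # placeholder ICV
    macsec = (sw2 + sw1
              + struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn)
              + sci + ciphertext + icv)
    return {"cleartext_arp": arp, "macsec": macsec}


def summarize(frames) -> dict:
    """Count MACsec-tagged versus cleartext frames seen on a link."""
    counts = {"macsec": 0, "cleartext": 0}
    for f in frames:
        counts["macsec" if parse_frame(f)["macsec"] else "cleartext"] += 1
    return counts


if __name__ == "__main__":
    samples = build_sample_frames()
    for name, frame in samples.items():
        print(name, parse_frame(frame))
    print(summarize(samples.values()))
```

Running the script prints both decoded frames; the MACsec one shows an AN, a packet number and an SCI but no visible payload EtherType, which is exactly the information a bridge in the middle would be limited to. The same summary over a real capture from the bridge's wired port tells you whether the link is carrying tagged frames at all.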