Can 802.1x and LACP Secure Networking Infrastructure?

Tags: ieee-802.1ax, ieee-802.1x

Suppose you have a network like this:

                   +-------------------------+         +---------------------------+
                   |                         |         |                           |
                   |                         |         |                           |
+--------+         |           core          |---------|           core            |
| radius |---------|         switch #1       |---------|         switch #2         |
| server |         |                         |         |                           |
+--------+         |                         |         |                           |
                   +-------------------------+         +---------------------------+
                         |            |                      |               |
                   +-----------+ +-----------+         +-------------+ +-----------+
                   |  access   | |  access   |         |   access    | |  access   |
                   | switch #1 | | switch #2 |         | switch #N-1 | | switch #N |
                   +-----------+ +-----------+         +-------------+ +-----------+

I want to make sure that it is not possible to connect a device (a PC or another switch) that is not allowed to the network. Therefore I am thinking about using 802.1X to authenticate the switches. My plan is to follow the best practices as explained in slides 79 and 80 of this presentation.

The problem arises when I need to connect the two core switches with multiple Ethernet cables, because 1 Gbps is not enough but using fiber is too expensive.

I am reading this document from HP, where they say:

"To help maintain security, the switch does not allow 802.1X and LACP to both be enabled at the same time on the same port."

So I am wondering if this limitation is due to the HP products or to the design of the protocols.

My main concern is that an attacker could unplug one of the Ethernet cables between the core switches and attach another switch, which could intercept the traffic, since the switch is not using 802.1X on the trunk ports.

Is it possible to use 802.1X with trunk ports?

Best Answer

802.1X was specifically designed for end-point devices to authenticate to network switches and was not designed for switch-to-switch connections. Because of this, it is highly unlikely that you will find any switches that can be an 802.1X client, so the answer to your Y question is no.

To answer your X concern (see the XY problem): preventing a malicious entity from monitoring and intercepting traffic can only be reasonably accomplished by maintaining physical security of your network hardware and cabling infrastructure. As @Ron mentioned, it is trivial to configure a device to act as a network tap that can be placed between any one of your switches (provided that physical access can be attained) and can then passively monitor traffic on your network, regardless of whether you have 802.1X configured. MACsec would be an example of a technical measure that could potentially prevent this type of attack.