Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

What is the best security for bridge to bridge configuration?

Hi everybody!

Can anyone tell me what is the best security (encryption, authentication) for a point-to-point configuration between 2 BR1310.

Is it WPA2-PSK with mac adress ACL or not ?

Is it possible to configure WPA2 with radius between 2 bridge? If yes, do you have information on how to do it?

Thanks in advance!


Re: What is the best security for bridge to bridge configuration

The WEP keys used to encrypt and decrypt transmitted data can be statically associated with your adapter or dynamically created as part of the LEAP authentication process.Static WEP Keys and Dynamic WEP Keys with LEAP are the main securiyt features.

Message integrity check(MIC)

MIC prevents bit-flip attacks on encrypted packets. During a bit-flip attack, an intruder intercepts an encrypted message, alters it slightly, and retransmits it, and the receiver accepts the retransmitted message as legitimate. The MIC adds a few bytes to each packet to make the packets tamper-proof.

New Member

Re: What is the best security for bridge to bridge configuration

This is how we do it:

If you have a radius such as ACS my suggestion is to set ecryption to Cipher = AES CCMP + TKIP on your native vlan. You can also use key rotation. We use 360 seconds.

Then in SSID manager go to your native vlan SSID and Authentication settings. Use Open autentication with EAP (and MAC authentication if you want) and use Network EAP and . Further down set key management to Mandatory and use WPA. Under General settings you find Client name. Set a username and password. This unique (for each AP, Bridge etc) username and password you also set on a (PEAP) user you create on the radius/ACS. You can do this on both bridges even if its strictly the non-root that must have it.

If you are familiar with ACS you know that the Aironet devices (AAA Client) is configured under Network Configuration settings (IP-address and shared key). We configure all devices here regardless if they are APs, Root, Non-root etc.

If you just trunk VLANs between the bridges you just create them you need on both bridges. No need for encryption settings and ssids on them.

Good luck!

New Member

Re: What is the best security for bridge to bridge configuration


the preferred way without radius server ist wpa-psk (-->means aes and a very strong preshared key) and

with a radius server go with peap for authentication and for encryption go with aes.

Both encryption settings(tkip and aes) make no sense, in a p2p setup. If you have support for aes go for it.