Cisco Support Community

New Member

Securing WDS

Is it possible to secure the configuration of WDS?

I have configured two APs with WDS. Priority is set to 200/199, so the AP with a priority of 200 will be the WDS master. What happens if a new AP is installed, configured with WDS and a priority of 255? I think this AP will be WDS master. How can I prevent this? The best way would be a password, like the configuration of VTP. Thanks for any suggestions.

6 REPLIES
Silver

Re: Securing WDS

Is it possible for you to manually change the priority of the new AP to something lower than the current WDS master priority? If yes, then I think this would be the recommended option to sustain your existing WDS master.

New Member

Re: Securing WDS

Of course this is possible. But if anyone installs an AP with a priority of 255, the WDS master will get some problems. This can be used for a DoS attack.

Green

Re: Securing WDS

It's my understanding that once a WDS is "elected" it stays the WDS Master until it goes off-line, even if another higher priority unit is added to the broadcast domain.

If the Master goes off-line, another election is held, and the WDS-designated unit with the highest priority will assume the role.

It's been a while, but that's my recollection. It was a specific question brought up in class.

FWIW

Scott

New Member

Re: Securing WDS

ScottMac is correct. I believe the person configuring the WDS priority would also have to know the user/pass for authenticating the AP to WDS. This might be a form of security for you. Without this the AP will not be recognized by WDS.

New Member

Re: Securing WDS

Hello,

Another way to secure WDS is to use a management VLAN (out of band management). Create a management VLAN to use to manage your APs. Configure an 802.1Q trunk to each AP and add your management VLAN over the trunks. The APs should have their management IPs in the mgmt VLAN. Make sure the management VLAN isn't tied to an SSID. Make sure to only explicitly enable the management VLAN on the switch ports or trunks where you need it.

The AP-AP WDS traffic (WLCCP) will only happen on the management VLAN. Since it isn't possible to get access to your management VLAN, it isn't possible for a 3rd party to inject a new AP that could potentially take over as WDS primary.

Serge
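The advice above to enable the management VLAN only on the ports that need it can be checked against a switch configuration. This is an added example, not part of the original thread: the VLAN ID, the approved AP port list and the sample configuration are constructed assumptions, and only plain `allowed vlan` lists are parsed (forms such as `add` or `except` are not handled).

```python
import re

MGMT_VLAN = 10                       # assumed management VLAN ID
AP_PORTS = {"GigabitEthernet0/1"}    # assumed switch ports cabled to APs
# Constructed sample switch configuration (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 8-12,20
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk allowed vlan 20,30
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '8-12,20' into a set of ints."""
    pairs = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in pairs for v in range(int(lo), int(hi or lo) + 1)}

def ports_carrying(config, vlan):
    """Map each switchport that carries `vlan` to the reason it does."""
    found = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", block, re.M)
        allowed = re.search(r"switchport trunk allowed vlan ([\d,-]+)", block)
        access = re.search(r"switchport access vlan (\d+)", block)
        if name and "switchport mode trunk" in block:
            if allowed is None:  # IOS trunks carry every VLAN unless pruned
                found[name.group(1)] = "trunk without an allowed-vlan list"
            elif vlan in expand_vlans(allowed.group(1)):
                found[name.group(1)] = "trunk allows the VLAN"
        elif name and access and int(access.group(1)) == vlan:
            found[name.group(1)] = "access port in the VLAN"
    return found

def unexpected_mgmt_ports(config, vlan=MGMT_VLAN, approved=AP_PORTS):
    """Ports carrying the management VLAN that are not approved AP ports."""
    carrying = ports_carrying(config, vlan)
    return {port: why for port, why in carrying.items() if port not in approved}

if __name__ == "__main__":
    print(unexpected_mgmt_ports(SAMPLE_CONFIG))
```

Any port it reports is a place where a device other than an approved AP could reach the VLAN that carries the WLCCP traffic.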

New Member

Re: Securing WDS

You have the option of configuring the IP address of the WDS on the Infrastructure APs, but I don't remember if it allows multiple addresses for redundancy. Let us know.
