EAP650-Outdoor How to Secure Ethernet Cable
I am adding one EAP650-Outdoor to our LAN. The AP will be outside, mounted to the side of our building underneath an eave and powered by POE+ ethernet.
My concern is securing the network in case a ne'er-do-well should unplug the ethernet cable from the AP and plug it into his own device. What are best practices to protect from this type of occurance?
Thanks,
Greg
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @GregVLAN
You can configure email alert of Device disconnection so that you will be informed the first time when the outdoor EAP is disconnected from the controller.
- Copy Link
- Report Inappropriate Content
Hi @GregVLAN
You can configure email alert of Device disconnection so that you will be informed the first time when the outdoor EAP is disconnected from the controller.
- Copy Link
- Report Inappropriate Content
If you have the full Omada stack (managed router and managed poe switch), then you could put the AP(s) on a tagged management VLAN and create rules to block traffic except from known MACs.
You could also create a dummy default VLAN which would be untagged on this port and whose DHCP settings would be nonsensical and maybe throw in a Policy Route to send any traffic with an IP on the dummy VLAN to a WAN port that isn't connected to anything (make sure you don't enable failover and test before going to production). Problem is, anyone with time and patience may eventually figure out your other VLANs and configure their device to join those.
I don't know how many clients you have on the rest of the network, but creating MAC groups and applying rules may also be of interest.
If you don't care, you can always expoy the network cable to the AP body, or otherwise securely fix it to the AP body to prevent easy removal.
Penetrate the wall/building envelope as close to the AP as possible to reduce the amount of cable your perp has to play with. If you are really paranoid, you could use a short cable initially and remove the RJ45 connector's locking tab on the indoor end, and use an inline CAT6 bulkhead splice, any serious mechanical tug will then pull the cable out of the cable joiner, mechanically disconneting the cable. One would require access to the inside of the building to reconnect.
- Copy Link
- Report Inappropriate Content
Thank you for the guidance. The disconnect monitoring is good advice. Also segmenting out a VLAN as a spoof is something I had not considered...but I love it!
I'm going to put all of these methods in place. (I'm nothing if not paranoid.)
Thanks for the help, y'all.
Greg
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 420
Replies: 3
Voters 0
No one has voted for it yet.