Business Community > Wireless > EAP (Mesh) with Downlink to Switch - Security settings
< Wireless

EAP (Mesh) with Downlink to Switch - Security settings

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

EAP (Mesh) with Downlink to Switch - Security settings

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
EAP (Mesh) with Downlink to Switch - Security settings
EAP (Mesh) with Downlink to Switch - Security settings
2025-07-02 08:32:07 - last edited 2025-07-03 08:32:26
Tags: #Mesh #ACL #Security
Model: EAP653  
Hardware Version: V1
Firmware Version:

Hello folks,

 

I have some questions regarding (port) security with my setup.

 

I have the following setup:

  • Software Controller v5.15.20.20
  • Wired EAP653 (indoor)
  • Meshed EAP653 (outdoor) --> connects to indoor EAP
  • Downlink from outdoor EAP to easy managed switch ES205GP (outdoor)
  • Easy managed switch with cameras connected

 

So, because outdoor EAP and switch are accessible, I wanted to know, how I can secure both devices from unwanted access?

 

Step 1: Lock/bind downlink ETH port from EAP to the specific MAC-address of the switch - is that possible?

Step 2: Lock/bind the ports of the switch to the specific MAC-addresses of the cameras - is that possible?

Step 3: Disable unused ports on the switch - already done

 

I couldn't find port security settings in the controller, I have read that this is only in standalone mode active.

 

I hope you can help me out, also other solutions welcomed.

Thank you all.

Omada Software Controller (Linux) 1x ER605, 1x SG2218, 2x SG2008P, 1x SG2210P, 2x EAP653, 1x EAP650-Outdoor
  0      
 
  0      
 
#1
Options
1 Accepted Solution
Re:EAP (Mesh) with Downlink to Switch - Security settings-Solution
2025-07-03 08:32:21 - last edited 2025-07-03 08:32:26

Hi  @mechanic123 

 

Thanks for posting here. 

 

We cannot prevent this situation through controller configuration due to the limited functionality of the EAP's LAN port.

You may consider setting up an offline device alert to promptly detect such occurrences. Or secure that port and Ethernet cable at the physical level, such as locking the switch ES205GP in some indoor house, etc.

 

mechanic123 wrote

  @MR.S 

 

Thank you for the link. I have read all posts but my situation is the other way round.

In your guide, the port of the switch is bound to the MAC of the EAP.

 

But I need the binding on the EAP port, not the switch port.

Here is a picture of my situation, perhaps this makes it easier to understand.

 

Please let me know if I'm wrong.

 

 

Wish you a happy life and smooth network usage!  >Omada US Enterprise Beta Program Launch< >Get the Latest Omada SDN Controller Releases Here< >Experience the Latest Omada EAP Firmware<
Recommended Solution
  1  
  1  
#7
Options
7 Reply
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-02 09:27:58

  @mechanic123 

 

I don't think you can use MAB on the ES205GP, then you have to upgrade to SG2xxxx or higher model to get what you want

 

  0  
  0  
#2
Options
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-02 13:39:57

  @MR.S 

 

Thank you for your answer. I think your post belongs just to "Step 2".

 

I also have SG2218 and SG2008P, where I don't see any settings to bind a specific mac to a port in controller mode.

I don't want to use standalone mode just to get the option of port security, as someone mentioned in another topic.

Perhaps TP-Link can integrate this feature (port security) in the controller?

 

For "Step 1": Binding the ETH port of the EAP - the problem is that someone can just grab the LAN cable coming from the EAP and plug it into an unkown device and can access the network. Is there any option to configure that in controller mode?

 

Omada Software Controller (Linux) 1x ER605, 1x SG2218, 2x SG2008P, 1x SG2210P, 2x EAP653, 1x EAP650-Outdoor
  0  
  0  
#3
Options
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-02 14:02:13

  @mechanic123 

 

there is no problem. here is a description

 

https://community.tp-link.com/en/business/forum/topic/829032?replyId=1573882

  0  
  0  
#4
Options
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-02 21:55:54 - last edited 2025-07-02 21:56:42

  @MR.S 

 

Thank you for the link. I have read all posts but my situation is the other way round.

In your guide, the port of the switch is bound to the MAC of the EAP.

 

But I need the binding on the EAP port, not the switch port.

Here is a picture of my situation, perhaps this makes it easier to understand.

 

Please let me know if I'm wrong.

 

Omada Software Controller (Linux) 1x ER605, 1x SG2218, 2x SG2008P, 1x SG2210P, 2x EAP653, 1x EAP650-Outdoor
  1  
  1  
#5
Options
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-03 08:09:45 - last edited 2025-07-03 08:31:54

  @mechanic123 

 

Ok, but I don't know, are you able to mesh if you activate MAB on the switch that AP1 is connected to? Maybe you have to approve AP2 on the same port to activate mesh.. you almost have to test that.

there is no such security on AP so it is not possible to use MAB on that port as far as I know.

 

 

I'm guessing that the internet comes from indoors. So if someone connects to the blue cable they won't get anything. They have to connect to the access point to get internet, so you need to secure the access point if you suspect that's possible. You will also have the same problem with the switch and camera if not isolated, all of these network points will give full access to the network if they are not secured with MAB,

 

 

 

  1  
  1  
#6
Options
Re:EAP (Mesh) with Downlink to Switch - Security settings-Solution
2025-07-03 08:32:21 - last edited 2025-07-03 08:32:26

Hi  @mechanic123 

 

Thanks for posting here. 

 

We cannot prevent this situation through controller configuration due to the limited functionality of the EAP's LAN port.

You may consider setting up an offline device alert to promptly detect such occurrences. Or secure that port and Ethernet cable at the physical level, such as locking the switch ES205GP in some indoor house, etc.

 

mechanic123 wrote

  @MR.S 

 

Thank you for the link. I have read all posts but my situation is the other way round.

In your guide, the port of the switch is bound to the MAC of the EAP.

 

But I need the binding on the EAP port, not the switch port.

Here is a picture of my situation, perhaps this makes it easier to understand.

 

Please let me know if I'm wrong.

 

 

Wish you a happy life and smooth network usage!  >Omada US Enterprise Beta Program Launch< >Get the Latest Omada SDN Controller Releases Here< >Experience the Latest Omada EAP Firmware<
Recommended Solution
  1  
  1  
#7
Options
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-03 21:49:04
Thank you for the info. I will try the physical way.
Omada Software Controller (Linux) 1x ER605, 1x SG2218, 2x SG2008P, 1x SG2210P, 2x EAP653, 1x EAP650-Outdoor
  1  
  1  
#8
Options

Information

Helpful: 0

Views: 569

Replies: 7

Tags

Mesh ACL
Security
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.