EAP (Mesh) with Downlink to Switch - Security settings

2025-07-02 08:32:07 - last edited 2025-07-03 08:32:26
Tags: #Mesh #ACL #Security
Model: EAP653  
Hardware Version: V1
Firmware Version:

Hello folks,

I have some questions regarding (port) security with my setup.

I have the following setup:

  • Software Controller v5.15.20.20
  • Wired EAP653 (indoor)
  • Meshed EAP653 (outdoor) --> connects to indoor EAP
  • Downlink from outdoor EAP to easy managed switch ES205GP (outdoor)
  • Easy managed switch with cameras connected

So, because the outdoor EAP and switch are accessible, I wanted to know how I can secure both devices from unwanted access.

Step 1: Lock/bind the downlink ETH port from the EAP to the specific MAC address of the switch - is that possible?

Step 2: Lock/bind the ports of the switch to the specific MAC addresses of the cameras - is that possible?

Step 3: Disable unused ports on the switch - already done

I couldn't find port security settings in the controller; I have read that this is only active in standalone mode.

I hope you can help me out; other solutions are also welcome.

Thank you all.

Omada Software Controller (Linux) 1x ER605, 1x SG2218, 1x SG2008P, 2x ES205GP, 3x EAP653
#1
7 Reply
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-02 09:27:58

  @mechanic123

I don't think you can use MAB on the ES205GP; then you have to upgrade to an SG2xxxx or higher model to get what you want.

 

#2
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-02 13:39:57

  @MR.S

Thank you for your answer. I think your post belongs just to "Step 2".

I also have SG2218 and SG2008P, where I don't see any settings to bind a specific MAC to a port in controller mode.

I don't want to use standalone mode just to get the option of port security, as someone mentioned in another topic.

Perhaps TP-Link can integrate this feature (port security) in the controller?

For "Step 1": Binding the ETH port of the EAP - the problem is that someone can just grab the LAN cable coming from the EAP, plug it into an unknown device and access the network. Is there any option to configure that in controller mode?

 

Omada Software Controller (Linux) 1x ER605, 1x SG2218, 1x SG2008P, 2x ES205GP, 3x EAP653
#3
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-02 14:02:13
#4
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-02 21:55:54 - last edited 2025-07-02 21:56:42

  @MR.S 

 

Thank you for the link. I have read all posts but my situation is the other way round.

In your guide, the port of the switch is bound to the MAC of the EAP.

 

But I need the binding on the EAP port, not the switch port.

Here is a picture of my situation, perhaps this makes it easier to understand.

 

Please let me know if I'm wrong.

 

Omada Software Controller (Linux) 1x ER605, 1x SG2218, 1x SG2008P, 2x ES205GP, 3x EAP653
#5
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-03 08:09:45 - last edited 2025-07-03 08:31:54

  @mechanic123

Ok, but I don't know: are you able to mesh if you activate MAB on the switch that AP1 is connected to? Maybe you have to approve AP2 on the same port to activate mesh. You almost have to test that.

There is no such security on the AP, so it is not possible to use MAB on that port as far as I know.

I'm guessing that the internet comes from indoors. So if someone connects to the blue cable they won't get anything. They have to connect to the access point to get internet, so you need to secure the access point if you suspect that's possible. You will also have the same problem with the switch and camera if not isolated; all of these network points will give full access to the network if they are not secured with MAB.


#6
Re:EAP (Mesh) with Downlink to Switch - Security settings-Solution
2025-07-03 08:32:21 - last edited 2025-07-03 08:32:26

Hi  @mechanic123 

 

Thanks for posting here. 

 

We cannot prevent this situation through controller configuration due to the limited functionality of the EAP's LAN port.

You may consider setting up an offline device alert to promptly detect such occurrences, or secure that port and Ethernet cable at the physical level, such as locking the switch ES205GP in some indoor house, etc.

 

mechanic123 wrote

  @MR.S 

 

Thank you for the link. I have read all posts but my situation is the other way round.

In your guide, the port of the switch is bound to the MAC of the EAP.

 

But I need the binding on the EAP port, not the switch port.

Here is a picture of my situation, perhaps this makes it easier to understand.

 

Please let me know if I'm wrong.

 

 

Recommended Solution
#7
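
The offline alert suggested in the reply above, extended to also flag unknown MAC addresses, as an added example (not part of the original thread and not TP-Link or Omada code). It assumes a Linux host on the camera segment that has just pinged each address and captured `ip neigh show`; the inventory, subnet and sample output are constructed.

```python
# Constructed inventory: MACs expected behind the outdoor EAP's downlink.
EXPECTED = {
    "aa:bb:cc:00:00:01": "ES205GP switch",
    "aa:bb:cc:00:00:11": "camera-1",
    "aa:bb:cc:00:00:12": "camera-2",
}
CAMERA_SUBNET = "192.168.50."  # assumed prefix of the camera segment
LIVE = {"REACHABLE", "DELAY", "PROBE"}  # states that confirm a recent reply

# Constructed `ip neigh show` output, taken right after a ping sweep.
SAMPLE = """\
192.168.50.2 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.50.11 dev eth0 lladdr AA:BB:CC:00:00:11 REACHABLE
192.168.50.12 dev eth0 FAILED
192.168.50.77 dev eth0 lladdr de:ad:be:ef:00:99 STALE
192.168.1.10 dev eth0 lladdr 11:22:33:44:55:66 REACHABLE
"""

def parse_neigh(text):
    """Yield (ip, mac_or_None, state) for each neighbour table line."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue  # not a neighbour entry
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        yield tok[0], mac, tok[-1]

def audit(text, expected=EXPECTED, subnet=CAMERA_SUBNET):
    """Return (offline, unknown): inventory devices not confirmed live,
    and (ip, mac) pairs seen in the subnet that are not in the inventory."""
    live, unknown = set(), []
    for ip, mac, state in parse_neigh(text):
        if mac is None or not ip.startswith(subnet):
            continue
        if mac in expected:
            if state in LIVE:
                live.add(mac)
        else:
            unknown.append((ip, mac))  # any state: the MAC was learned
    offline = sorted(n for m, n in expected.items() if m not in live)
    return offline, unknown

if __name__ == "__main__":
    offline, unknown = audit(SAMPLE)
    for name in offline:
        print(f"ALERT offline: {name}")
    for ip, mac in unknown:
        print(f"ALERT unknown device: {mac} at {ip}")
```

A MAC address can be cloned, so an inventory match here is a tripwire and not authentication; the offline alert is what catches the moment a cable is moved.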
Re:EAP (Mesh) with Downlink to Switch - Security settings
2025-07-03 21:49:04
Thank you for the info. I will try the physical way.
Omada Software Controller (Linux) 1x ER605, 1x SG2218, 1x SG2008P, 2x ES205GP, 3x EAP653
#8