Securing Trunk Links

Unanswered Question
Jun 13th, 2007

Hi all,

Is there any way to secure trunk links?

More specifically, to secure them so that someone can't unplug the switch and connect a PC that speaks 802.1q to gain access to any VLAN.

It is possible to use port security or port access lists on the uplink port with a big list of MAC addresses, but that doesn't play nicely with dynamic VLANs and isn't the easiest to manage. Are there any other methods?

Edison Ortiz Wed, 06/13/2007 - 10:58

By default the PC will try to negotiate the trunk with VLAN 1. All you have to do is change the native VLAN in the trunk to something other than VLAN 1.

Both devices must agree on the native VLAN, else the trunk will never form.
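
As an added example (not part of the thread and not any poster's code), this script audits an IOS-style configuration for trunk ports still on the default native VLAN 1, the setting the reply above says to change. The checks for an explicit allowed-VLAN list and for `switchport nonegotiate` go beyond what the thread discusses, and the sample configuration is constructed.

```python
import re

# Constructed sample of an IOS-style running-config (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
!
"""

def audit_trunks(config):
    """Return {interface: [findings]} for every port configured as a static trunk."""
    findings = {}
    # Split the config into per-interface stanzas.
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [l.strip() for l in stanza.splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        if "switchport mode trunk" not in lines:
            continue  # access ports are out of scope here
        name = lines[0].split(None, 1)[1]
        issues = []
        native = [l for l in lines if l.startswith("switchport trunk native vlan ")]
        # No explicit native VLAN line means the default, VLAN 1, is in use.
        if not native or native[0].split()[-1] == "1":
            issues.append("native VLAN is 1")
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            issues.append("all VLANs allowed on trunk")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP negotiation not disabled")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_trunks(SAMPLE_CONFIG).items():
        print(port, "->", issues or "ok")
```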

matt_the_b Wed, 06/13/2007 - 13:41

Thanks for the reply Edison,

Is there a method of error disabling the port after a certain amount of native VLAN mismatches? Otherwise it may be possible to find the native VLAN by a brute force attack.

It's a shame that dot1x (802.1x) doesn't work on trunk links; that sounds like it would be a nice solution.

