Securing Trunk Links

Jun 13th, 2007

Hi all,

Is there any way to secure trunk links?

More specifically, to secure them so that someone can't unplug the switch and connect a PC that speaks 802.1q to gain access to any VLAN.

It is possible to use port security or port access lists on the uplink port with a big list of MAC addresses, but that doesn't play nicely with dynamic VLANs and isn't the easiest to manage. Are there any other methods?

Edison Ortiz Wed, 06/13/2007 - 10:58

By default the PC will try to negotiate the trunk with VLAN 1. All you have to do is change the native VLAN in the trunk to something other than VLAN 1.

Both devices must agree on the native VLAN, else the trunk will never form.
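
Added example (not part of the original thread, and not vendor tooling): a small Python audit that reads an IOS-style running-config and flags trunk ports still on the default native VLAN 1, the setting the reply above suggests changing. It goes one step beyond the thread by also flagging trunks with no `switchport trunk allowed vlan` list; the sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample of an IOS-style running-config (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit_trunks(config):
    """Return {trunk interface: [findings]}; an empty list means no finding."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" not in cmds:
            continue  # only statically configured trunks are audited here
        findings = []
        # The native VLAN line is absent from the config when left at the default.
        native = re.findall(r"^switchport trunk native vlan (\d+)$", "\n".join(cmds), re.M)
        if not native or native[-1] == "1":
            findings.append("native VLAN is the default (1)")
        if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
            findings.append("no allowed-VLAN list: all VLANs are carried")
        report[name] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit_trunks(SAMPLE_CONFIG).items():
        print(port, "->", findings or "ok")
```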

matt_the_b Wed, 06/13/2007 - 13:41

Thanks for the reply, Edison.

Is there a method of error disabling the port after a certain amount of native VLAN mismatches? Otherwise it may be possible to find the native VLAN by a brute force attack.

It's a shame that dot1x (802.1x) doesn't work on trunk links, that sounds like it would be a nice solution.

