06-13-2007 08:50 AM - edited 03-05-2019 04:41 PM
Hi all,
Is there any way to secure trunk links?
More specifically, to secure them so that someone can't unplug the switch and connect a PC that speaks 802.1q to gain access to any VLAN.
It is possible to use port security or port access lists on the uplink port with a big list of MAC addresses, but that doesn't play nicely with dynamic VLANs and isn't the easiest to manage. Are there any other methods?
06-13-2007 10:58 AM
By default the PC will try to negotiate the trunk with VLAN 1. All you have to do is change the native VLAN in the trunk to something other than VLAN 1.
Both devices must agree on the native VLAN, else the trunk will never form.
06-13-2007 01:41 PM
Thanks for the reply Edison,
Is there a method of error disabling the port after a certain amount of native VLAN mismatches? Otherwise it may be possible to find the native VLAN by a brute force attack.
It's a shame that dot1x (802.1x) doesn't work on trunk links, that sounds like it would be a nice solution.
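An added example, not part of the original thread: a small Python audit that reads a switch configuration and flags trunk ports whose native VLAN is still VLAN 1, the setting discussed above. Going slightly beyond the thread, it also flags trunks with no allowed-VLAN list. The sample config, interface names and VLAN numbers are constructed for illustration.

```python
import re

# Constructed sample of an IOS running-config; names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of config lines under it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_trunks(config):
    """Return {interface: [findings]} for every port set to 'switchport mode trunk'."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        native = 1  # IOS default when no 'native vlan' line is configured
        for entry in lines:
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", entry)
            if m:
                native = int(m.group(1))
        findings = []
        if native == 1:
            findings.append("native VLAN is still the default, VLAN 1")
        if not any(e.startswith("switchport trunk allowed vlan ") for e in lines):
            findings.append("no allowed-VLAN list, so the trunk carries every VLAN")
        report[name] = findings
    return report
```

Calling `audit_trunks(SAMPLE_CONFIG)` returns one entry per trunk port; an empty list means neither check fired for that port.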