Trunk port

Unanswered Question
Sep 3rd, 2009

Hi,


I am planning to place a machine onto a trunk port. Are there a lot of security implications if I were to do that? Any idea what an attacker can do if he manages to get access to that box?



Peter Paluch Thu, 09/03/2009 - 01:10
User Badges:
  • Cisco Employee,

Hello,


Placing a machine on a trunk port is equivalent to directly connecting it to all VLANs that are allowed on that trunk. Moreover, the security implications are heightened by the fact that this station has direct access to all VLANs and with wrong configuration, it can become a bridge or router between these VLANs so caution must be taken to prevent this if it is not desirable.


Is it necessary to have that station connected to a trunk port? Is that station capable of 802.1Q frame tagging?


Best regards,

Peter


ktwaddell Thu, 09/03/2009 - 01:11

Hi


When you say machine, do you mean a switch? And if not, why does the port need to be trunked?


Also, you can password your VTP domain!

alanchia2000 Thu, 09/03/2009 - 01:23

This machine is a server and not a switch. The reason is that we need to virtualize some hosts and place it on different VLANs.



Peter Paluch Thu, 09/03/2009 - 01:42
User Badges:
  • Cisco Employee,

Hello,


It is not unusual to place a server which is 802.1Q-capable on a trunk for various purposes - routing on a stick, virtualization and so on. That's all OK. What you have to take into account is that the server indeed has direct access to all VLANs on that trunk if some software is privileged enough to send arbitrarily tagged 802.1Q frames. Also, care should be taken to filter out BPDUs, DTP, VTP, CDP and similar frames on the trunk so that in case the server is compromised, no forged packets can be sent from it to disrupt the network operation.


Basically, there are two aspects here: the first aspect is that the server is in many VLANs at once. So the security implications here are the same as if the server had multiple NICs connected to different switches. The second aspect is that there are some service protocols running on a trunk (notably VTP, DTP and PV(R)STP) that are not on normal access ports. These service protocols are usable and valid only between switches and they should not be sent from, or at least not accepted from, the server.


Best regards,

Peter
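The hardening Peter describes (prune the trunk to the VLANs the server needs, stop DTP and CDP on the port, reject BPDUs from the server, keep VTP out of its reach) written out as an added Cisco IOS configuration example; it is not from anyone in this thread, and the interface name, the VLAN numbers and the VTP domain name are assumptions.

```cisco
! Added example, not taken from the thread. Assumed values:
! interface GigabitEthernet0/1, guest VLANs 10,20,30, an otherwise
! unused VLAN 999 for the native VLAN, VTP domain "lab".
!
! VTP: the server must never be able to alter the VLAN database.
! Transparent mode makes this switch ignore received advertisements;
! the password additionally protects domains left in server/client mode.
vtp domain lab
vtp mode transparent
vtp password CHANGE-ME-PLACEHOLDER
!
interface GigabitEthernet0/1
 description virtualization host (802.1Q-capable server)
 ! Static 802.1Q trunk. The "encapsulation dot1q" line is required on
 ! platforms that also support ISL and is rejected on dot1q-only models.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Disable DTP so the server cannot negotiate the port's mode at all.
 switchport nonegotiate
 ! Carry only the VLANs the guests actually need.
 switchport trunk allowed vlan 10,20,30
 ! Native VLAN frames travel untagged; point it at an unused VLAN so an
 ! untagged frame from the server reaches nothing of value.
 switchport trunk native vlan 999
 ! The server is not a bridge: a BPDU from it err-disables the port.
 spanning-tree bpduguard enable
 ! Neither advertise switch details to the server nor learn from it.
 no cdp enable
 no lldp transmit
 no lldp receive
!
end
!
! Verify with:
!   show interfaces GigabitEthernet0/1 trunk
!   show interfaces GigabitEthernet0/1 switchport
!   show spanning-tree interface GigabitEthernet0/1 detail
```

Note that the server itself still sees every allowed VLAN, so Peter's first point (treat it as a host with one NIC in each of those VLANs) is handled on the server, not by this port configuration.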

