09-03-2009 01:06 AM - edited 03-06-2019 07:33 AM
Hi,
I am planning to place a machine onto a trunk port. Are there a lot of security implications if I were to do that? Any idea what an attacker can do if he manages to get access to that box?
09-03-2009 01:10 AM
Hello,
Placing a machine on a trunk port is equivalent to directly connecting it to all VLANs that are allowed on that trunk. Moreover, the security implications are heightened by the fact that this station has direct access to all VLANs and, with wrong configuration, it can become a bridge or router between these VLANs, so caution must be taken to prevent this if it is not desirable.
Is it necessary to have that station connected to a trunk port? Is that station capable of 802.1Q frame tagging?
Best regards,
Peter
09-03-2009 01:11 AM
Hi
When you say machine, do you mean a switch? And if not, why does the port need to be trunked?
Also, you can password your VTP domain!
09-03-2009 01:23 AM
This machine is a server and not a switch. The reason is that we need to virtualize some hosts and place them on different VLANs.
09-03-2009 01:42 AM
Hello,
It is not unusual to place a server which is 802.1Q-capable on a trunk for various purposes - routing on a stick, virtualization and so on. That's all OK. What you have to take into account is that the server indeed has direct access to all VLANs on that trunk if some software is privileged enough to send arbitrarily tagged 802.1Q frames. Also, care should be taken to filter out BPDUs, DTP, VTP, CDP and similar frames on the trunk so that in case the server is compromised, no forged packets can be sent from it to disrupt the network operation.
Basically, there are two aspects here: the first aspect is that the server is in many VLANs at once. So the security implications here are the same as if the server had multiple NICs connected to different switches. The second aspect is that there are some service protocols running on a trunk (notably the VTP, DTP and PV(R)STP) that are not on normal access ports. These service protocols are usable and valid only between switches and they should not be sent, or at least not accepted, from the server.
Best regards,
Peter
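As an added illustration of the two aspects in the answer above (this is example code written for this page, not posted by Peter or anyone in the thread), the following script parses raw Ethernet frames as they would arrive from the server side of the trunk and flags exactly the things the answer says should be filtered: switch-to-switch control protocols (IEEE STP BPDUs, Cisco PVST+ BPDUs, CDP, VTP, DTP and a few related SNAP protocols) and 802.1Q tags outside the VLAN list the trunk is meant to carry. The allowed VLANs (10 and 20), the native VLAN (1), the MAC addresses and all sample frames are constructed for the example; the multicast destinations, LLC/SNAP values and Cisco protocol IDs are the real on-wire constants, which is what makes these frames recognizable on a capture or in a filter rule.

```python
"""Audit frames received from a server attached to an 802.1Q trunk.

Added example for this thread, not code from the original posts.
VLAN numbers, MAC addresses and sample frames are constructed.
"""
import struct

TPID_8021Q = 0x8100
DST_STP_BPDU = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
DST_CISCO_PVST = bytes.fromhex("01000ccccccd")  # Cisco PVST+/RPVST+ BPDUs
DST_CISCO_CTRL = bytes.fromhex("01000ccccccc")  # CDP, VTP, DTP, PAgP, UDLD
CISCO_OUI = bytes.fromhex("00000c")
CISCO_SNAP_PIDS = {
    0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP",
    0x0104: "PAgP", 0x0111: "UDLD", 0x010B: "PVST+",
}


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II / 802.3 frame, unwrapping one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    pos, vlan, nested_tag = 12, None, False
    (etype,) = struct.unpack("!H", frame[pos:pos + 2])
    if etype == TPID_8021Q:
        if len(frame) < pos + 6:
            raise ValueError("truncated 802.1Q header")
        (tci,) = struct.unpack("!H", frame[pos + 2:pos + 4])
        vlan = tci & 0x0FFF            # low 12 bits of the TCI are the VLAN ID
        pos += 4
        (etype,) = struct.unpack("!H", frame[pos:pos + 2])
        nested_tag = etype == TPID_8021Q   # a second tag right behind the first
    pos += 2
    return {"dst": dst, "src": src, "vlan": vlan, "etype": etype,
            "nested_tag": nested_tag, "payload": frame[pos:]}


def classify(frame: bytes) -> str:
    """Name the switch control protocol a frame carries, or 'data' for anything else."""
    f = parse_frame(frame)
    p = f["payload"]
    # These protocols use 802.3 framing (length field <= 1500) with an LLC header.
    if f["etype"] <= 1500 and len(p) >= 3:
        if f["dst"] == DST_STP_BPDU and p[:3] == b"\x42\x42\x03":
            return "STP-BPDU"
        if (f["dst"] in (DST_CISCO_CTRL, DST_CISCO_PVST) and len(p) >= 8
                and p[:3] == b"\xaa\xaa\x03" and p[3:6] == CISCO_OUI):
            (pid,) = struct.unpack("!H", p[6:8])
            return CISCO_SNAP_PIDS.get(pid, "cisco-snap-%#06x" % pid)
    return "data"


def audit(frame: bytes, allowed_vlans: set, native_vlan: int) -> list:
    """Return the policy violations for one frame received from the server."""
    f = parse_frame(frame)
    findings = []
    kind = classify(frame)
    if kind != "data":
        findings.append("switch control protocol %s sent by server" % kind)
    vid = native_vlan if f["vlan"] is None else f["vlan"]   # untagged -> native VLAN
    if vid not in allowed_vlans:
        findings.append("VLAN %d not in allowed list %s" % (vid, sorted(allowed_vlans)))
    if f["nested_tag"]:
        findings.append("nested 802.1Q tag (double tagging)")
    return findings


def build_frame(dst, src, payload, vlan=None, etype=None):
    """Build a constructed frame; etype None means an 802.3 length field."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    if etype is None:
        etype = len(payload)
    return hdr + struct.pack("!H", etype) + payload


SERVER_MAC = bytes.fromhex("0200000000aa")   # constructed, locally administered
PEER_MAC = bytes.fromhex("0200000000bb")
SAMPLE_FRAMES = {
    # Ordinary IPv4 packet on an allowed VLAN: the normal case.
    "ipv4_vlan10": build_frame(PEER_MAC, SERVER_MAC, b"\x45\x00" + b"\x00" * 18,
                               vlan=10, etype=0x0800),
    # Same packet tagged for a VLAN the server should not reach.
    "ipv4_vlan30": build_frame(PEER_MAC, SERVER_MAC, b"\x45\x00" + b"\x00" * 18,
                               vlan=30, etype=0x0800),
    # Untagged DTP frame: LLC/SNAP with the Cisco OUI and PID 0x2004.
    "dtp": build_frame(DST_CISCO_CTRL, SERVER_MAC,
                       b"\xaa\xaa\x03" + CISCO_OUI + b"\x20\x04" + b"\x01" + b"\x00" * 20),
    # Untagged IEEE STP configuration BPDU: LLC DSAP/SSAP 0x42.
    "stp": build_frame(DST_STP_BPDU, SERVER_MAC,
                       b"\x42\x42\x03" + b"\x00\x00\x00\x00" + b"\x00" * 31),
    # PVST+ BPDU on VLAN 20: Cisco SNAP PID 0x010B to 01:00:0c:cc:cc:cd.
    "pvst": build_frame(DST_CISCO_PVST, SERVER_MAC,
                        b"\xaa\xaa\x03" + CISCO_OUI + b"\x01\x0b" + b"\x00" * 36, vlan=20),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, classify(frame), audit(frame, {10, 20}, native_vlan=1))
```

The same destination addresses and SNAP protocol IDs are what a switch-side filter (or a capture filter on the server's uplink) keys on, so the classification above doubles as a checklist of what the trunk should never accept from the server. Note that an untagged frame is placed in the trunk's native VLAN, which is why the audit resolves untagged frames to `native_vlan` before checking the allowed list.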