Securing a Trunk Port

Unanswered Question
Oct 12th, 2009

I have two switches that are trunked. Switchport interfaces g0/1 (on switch A) and f0/1 (on switch B) are used for trunking. There is a requirement to secure trunk port g0/1 without using the port security feature, as this affects the end-user clients connected to ports on switch B. The end-user clients are already being authenticated by 802.1x. What I want is just to secure switch A int g0/1, NOT the end-user clients, such that if a new switch is plugged into switch A, port g0/1 will not pass traffic. Note: I have tried using a mac access-list to match the MAC addresses of int g0/1 and f0/1 with a deny any any at the end of the access-list; it did not work, for obvious reasons. Any idea? Many thanks for your help.

Giuseppe Larosa Mon, 10/12/2009 - 07:06

Hello Stephen,

If the switchport mode is dynamic desirable, the VTP domain must match on the two ends or the port goes back to access mode.

As far as I know this is the only option that can help to distinguish between a device under your administration and a device that is placed there by somebody else.

But in your environment you may have disabled VTP for its own security issues!

A mac-address access-list approach would need to list all possible known MAC addresses belonging to clients connected to the other switch.

The other switch port's MAC address is only used as a source MAC for L2 signaling protocols like STP, DTP, CDP and so on.

These are transparent switches after all.

It should be noted that with a good implementation of 802.1x on both switches you should be fine in practice.

Hope to help

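The DTP/VTP-domain behaviour Giuseppe describes, written out as an IOS configuration for Switch A with the checks that show whether the trunk formed. This is an added example, not configuration posted in the thread; the VTP domain name `CORP-LAB`, the VLAN numbers and the interface descriptions are constructed placeholders.

```cisco
! Added example (not from the thread): Switch A, the side Stephen wants to protect.
! Assumes a Catalyst running IOS, a constructed VTP domain name "CORP-LAB", and
! uplink GigabitEthernet0/1 towards Switch B's FastEthernet0/1.
!
! 1. Give both switches the same VTP domain name. DTP frames carry this name,
!    so a peer with a different (or no) domain name cannot negotiate a trunk
!    and the port stays in access mode, as Giuseppe notes.
vtp domain CORP-LAB
!
interface GigabitEthernet0/1
 description Uplink to Switch B f0/1 (managed switch)
 switchport trunk encapsulation dot1q       ! only needed on platforms that also support ISL
 switchport mode dynamic desirable          ! trunk forms only if the peer's VTP domain matches
 switchport trunk allowed vlan 10,20,30     ! constructed VLAN list: limit what the trunk can carry
 switchport trunk native vlan 999           ! constructed unused native VLAN
!
! 2. Verification on Switch A. With a matching peer the operational mode is
!    "trunk"; with a mismatched domain it remains "static access".
! show vtp status
! show dtp interface gigabitEthernet 0/1
! show interfaces gigabitEthernet 0/1 switchport
! show interfaces trunk
```

Two caveats for anyone relying on this. The check only exists while the port negotiates: a static `switchport mode trunk` with `switchport nonegotiate` never compares domain names, so it gives up this protection. And the domain name is advertised in cleartext (CDP and VTP announce it, DTP carries it), so a mismatched name stops an accidental or careless swap, not a deliberate one; that is why the physical-security answer later in the thread still matters.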

stephen.sanyaol... Mon, 10/12/2009 - 07:14

VTP is generally used for VLAN management and its propagation, which is not in line with this requirement. The essence of this layer 2 security requirement is to prevent a situation where a known switch with 802.1x configured on it is replaced by a rogue switch with a rogue client plugged into it, thereby bypassing the 802.1x implementation.

stephen.sanyaol... Mon, 10/12/2009 - 07:37

Or is a feature that addresses this concern not available within the IOS? Any idea? Many thanks for your help.

Jon Marshall Wed, 10/14/2009 - 07:39
Sometimes a technical answer is not possible.

The most obvious answer is to ensure that your switches are locked in a secure place so that someone cannot just come along and replace the existing switch.

Is there a reason why these switches are not in a secure LAN room?
