Securing a Trunk Port

Unanswered Question
Oct 12th, 2009

I have two switches that are trunked. Switchports interface g0/1 (on switch A) and interface f0/1 (on switch B) are used for trunking. There is a requirement to secure trunk port g0/1 without using the port security feature, as this affects the end-user clients connected to ports on switch B. The end-user clients are already being authenticated by 802.1x. What I want is just to secure switch A int g0/1, NOT the end-user clients, such that if a new switch is plugged into switch A, port g0/1 will not pass traffic. Note: I have tried using a MAC access-list to match the MAC addresses of int g0/1 and f0/1, with a deny any any at the end of the access-list. It did not work, for obvious reasons. Any idea? Many thanks for your help.

Giuseppe Larosa Mon, 10/12/2009 - 07:06

Hello Stephen,

If switchport mode is dynamic desirable, the VTP domain must match on the two ends or the port goes back to access mode.

As far as I know this is the only option that can help to distinguish between a device under your administration and a device that is placed there by somebody else.

But in your environment you may have disabled VTP for its own security issues!

A MAC-address access-list approach would need to list all possible known MAC addresses belonging to clients connected to the other switch.

The other switch port's MAC address is only used as a source MAC for L2 signaling protocols like STP, DTP, CDP and so on.

These are transparent switches after all.

Note that with a good implementation of 802.1x in both switches you should be fine in practice.

Hope to help


stephen.sanyaol... Mon, 10/12/2009 - 07:14

VTP is generally used for VLAN management and its propagation, which is not in line with this requirement. The essence of this layer 2 security requirement is to prevent a situation where a known switch with 802.1x configured on it is replaced by a rogue switch with a rogue client plugged into it, thereby bypassing the 802.1x implementation.

stephen.sanyaol... Mon, 10/12/2009 - 07:37

Or is a feature that addresses this concern not available within the IOS? Any idea? Many thanks for your help.

Jon Marshall Wed, 10/14/2009 - 07:39

Sometimes a technical answer is not possible.

The most obvious answer is to ensure that your switches are locked in a secure place so that someone cannot just come along and replace the existing switch.

Is there a reason why these switches are not in a secure LAN room?


