968 Views, 0 Helpful, 5 Replies

Securing a Trunk Port

I have two switches that are trunked. Interface g0/1 (on switch A) and interface f0/1 (on switch B) are used for trunking. There is a requirement to secure trunk port g0/1 without using the port security feature, as this affects the end-user clients connected to ports on switch B. The end-user clients are already being authenticated by 802.1x. What I want is just to secure switch A int g0/1, NOT the end-user clients, such that if a new switch is plugged into switch A, port g0/1 will not pass traffic. Note: I have tried using a mac access-list to match the MAC addresses of int g0/1 and f0/1 with a deny any any at the end of the access-list; it did not work, for obvious reasons. Any idea? Many thanks for your help.

5 Replies

Giuseppe Larosa
Hall of Fame

Hello Stephen,

If the switchport mode is dynamic desirable, the VTP domain must match on the two ends or the port goes back to access mode.

As far as I know this is the only option that can help to distinguish between a device under your administration and a device that is placed there by somebody else.

But in your environment you may have disabled VTP for its own security issues!

A MAC-address access-list approach would need to list all possible known MAC addresses belonging to clients connected to the other switch.

The other switch port's MAC address is only used as a source MAC for L2 signaling protocols like STP, DTP, CDP and so on.

These are transparent switches after all.

Note that with a good implementation of 802.1x on both switches you should be fine in practice.

Hope to help

Giuseppe
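As an added example (not posted by anyone in this thread), here is how the two approaches discussed above look in Catalyst IOS configuration: the MAC access-list the original poster tried, with a comment on why it cannot act as a peer check, and Giuseppe's DTP/VTP-domain suggestion applied to both switches. Hostnames, the VTP domain name CORP-LAN, VLAN 999 and the MAC addresses are placeholders. The quarantine access VLAN and the verification commands are my addition: a port that "goes back to access mode" still forwards in its access VLAN (VLAN 1 by default), so the fallback VLAN should be one that leads nowhere. Keywords vary by platform and IOS release, and DTP behaviour towards a neighbour with no VTP domain at all should be checked rather than assumed, so verify that g0/1 really stays in access mode against a non-matching peer before relying on this.

```ios
! Added example, not the original poster's configuration.
! Interfaces follow the thread: g0/1 on switch A, f0/1 on switch B.

! --- 1. The MAC ACL approach from the question, and why it fails ---
! Frames transiting the trunk carry the END HOSTS' source MACs; f0/1's own
! address only appears as the source of STP/DTP/CDP frames. A list that permits
! just the two switchport MACs therefore drops all user traffic, and making it
! work would mean enumerating every client MAC behind switch B.
mac access-list extended TRUNK-PEER-ONLY
 permit host 0011.2233.4455 any        ! placeholder: MAC of switch B f0/1
 permit host 0011.2233.4466 any        ! placeholder: MAC of switch A g0/1
 deny   any any
!
! interface GigabitEthernet0/1
!  mac access-group TRUNK-PEER-ONLY in   <- deliberately NOT applied, see above

! --- 2. Giuseppe's suggestion: make the trunk depend on DTP + matching VTP domain ---
! Switch A
hostname SwitchA
vtp domain CORP-LAN                    ! placeholder domain name; must match switch B
!
interface GigabitEthernet0/1
 description Uplink to SwitchB f0/1
 switchport trunk encapsulation dot1q  ! only on platforms that still require it
 switchport mode dynamic desirable     ! trunk forms only if the DTP peer agrees
 switchport access vlan 999            ! addition: dead-end VLAN if the trunk does not form
 switchport nonegotiate                ! <- must NOT be set; it would disable DTP
!
vlan 999
 name QUARANTINE-NO-TRUNK              ! addition: VLAN with no SVI and no other members

! Switch B
hostname SwitchB
vtp domain CORP-LAN
!
interface FastEthernet0/1
 description Uplink to SwitchA g0/1
 switchport mode dynamic desirable

! --- 3. Verify on switch A after a peer swap ---
! Expect "Operational Mode: trunk" with the real switch B and
! "Operational Mode: static access" / "Access Mode VLAN: 999" with a foreign switch.
! show interfaces GigabitEthernet0/1 switchport | include Mode|Negotiation|Access Mode VLAN
! show dtp interface GigabitEthernet0/1
! show vtp status | include Domain Name
```

The `switchport nonegotiate` line is shown only as a reminder of what would silently break the scheme: it suppresses DTP, and on a port already in dynamic mode IOS rejects it. Leave it out of the real configuration. Note also that DTP distinguishes a switch whose domain does not match from one under your control; it does not authenticate the neighbour, so a rogue device configured with the same domain name will still negotiate, which is why Giuseppe points back to 802.1x as the practical control.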

VTP is generally used for VLAN management and propagation, which is not in line with this requirement. The essence of this layer 2 security requirement is to prevent a situation where a known switch with 802.1x configured on it is replaced by a rogue switch with a rogue client plugged into it, thereby bypassing the 802.1x implementation.

Or is a feature that addresses this concern not available within IOS? Any idea? Many thanks for your help.

Any help? Any idea? Many thanks.

Stephen

Sometimes a technical answer is not possible.

The most obvious answer is to ensure that your switches are locked in a secure place so that someone cannot just come along and replace the existing switch.

Is there a reason why these switches are not in a secure LAN room ?

Jon
