10-12-2009 06:54 AM - edited 03-06-2019 08:05 AM
I have two switches that are trunked. Switchports interface g0/1 (on switch A) and interface f0/1 (on switch B) are used for trunking. There is a requirement to secure trunk port g0/1 without using the port security feature, as this affects the end-user clients connected to ports on switch B. The end-user clients are already being authenticated by 802.1x. What I want is just to secure switch A int g0/1, NOT the end-user clients, such that if a new switch is plugged into switch A, port g0/1 will not pass traffic. Note: I have tried using a mac access-list to match the MAC addresses of int g0/1 and f0/1 with a deny any any at the end of the access-list; it did not work, for obvious reasons. Any idea? Many thanks for your help.
10-12-2009 07:06 AM
Hello Stephen,
if switchport mode is dynamic desirable, the VTP domain must match on the two ends or the port goes back to access mode.
As far as I know this is the only option that can help to distinguish between a device under your administration and a device that is placed there by somebody else.
But in your environment you may have disabled VTP for its own security issues!
A mac-address access-list approach would need to list all possible known MAC addresses belonging to clients connected to the other switch.
The other switch port's MAC address is only used as a source MAC for L2 signaling protocols like STP, DTP, CDP and so on.
These are transparent switches after all.
Note that with a good implementation of 802.1x on both switches you should be fine in practice.
Hope to help
Giuseppe
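Giuseppe's DTP/VTP point above, as an added configuration example that is not part of the thread: the interface names come from the original post, while the VTP domain name, the password placeholder and the description string are assumptions.

```cisco
! Added example, not from the thread. Switch A side only; switch B must carry
! the same "vtp domain" and "vtp password" (assumed values) for g0/1 to trunk.
vtp mode server
vtp domain CORP-VTP
vtp password <VTP-PASSWORD-PLACEHOLDER>
!
interface GigabitEthernet0/1
 description uplink to switch B f0/1
 ! omit the encapsulation line on platforms that only support 802.1Q
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
!
! DTP carries the VTP domain name. If a switch with a different (or no) domain
! is plugged into g0/1, trunk negotiation fails and the port falls back to
! access mode, so tagged traffic for the other VLANs is not forwarded.
! Caveat: an access port still forwards untagged traffic in its access VLAN,
! so this limits a replacement switch rather than blocking it outright.
! Verify with: show dtp interface GigabitEthernet0/1
!              show interfaces GigabitEthernet0/1 switchport
```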
10-12-2009 07:14 AM
VTP is generally used for VLAN management and its propagation, which is not in line with this requirement. The essence of this layer 2 security requirement is to prevent a situation where a known switch with 802.1x configured on it is replaced by a rogue switch with a rogue client plugged into it, thereby bypassing the 802.1x implementation.
10-12-2009 07:37 AM
Or is a feature that addresses this concern not available within the IOS? Any idea? Many thanks for your help.
10-14-2009 07:26 AM
Any help? Any idea? Many thanks.
10-14-2009 07:39 AM
Stephen
Sometimes a technical answer is not possible.
The most obvious answer is to ensure that your switches are locked in a secure place so that someone cannot just come along and replace the existing switch.
Is there a reason why these switches are not in a secure LAN room?
Jon