Disabling unused access ports

Unanswered Question
Sep 30th, 2010

I have about 185 or so 3750s all running 12.2(50) IOS. I was hoping someone here could help. We are very big on Layer 2 security and are in the process of implementing 802.1x. We have been disabling ports manually and putting them in a dead VLAN whenever a port shows not connected. Is there any way to have the switch do that automatically, or can CiscoWorks LMS 3.2 do this? All help is greatly appreciated.

Jason Masker Thu, 09/30/2010 - 19:50
User Badges:
  • Bronze, 100 points or more

Why do you prefer a dead vlan to just shutting the port? If you implement 802.1x, there is the concept of a guest vlan where unauthenticated clients are connected to an alternate vlan if they do not authenticate with a certificate.


http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.pdf

Marko Leopold Fri, 10/01/2010 - 01:16

I guess he means the situation when no client is connected to the port. Your situation describes when a client is using dot1x but is not authorized. Anyway, I guess it will be the easiest thing if you set the switchport access vlan to an unused VLAN, and if you disable the VLAN on the trunks, your clients won't have any connection there.

Another thing to use is the Embedded Event Manager, but you have to update to 12.3 or 12.4 for this. There you can configure the port dynamically with whatever you want if the port goes up or down. There are some breakouts from Cisco Live where you can find information about it.

Peter Paluch Fri, 10/01/2010 - 03:26
User Badges:
  • Cisco Employee,

Jason,


Your internal security policies may mandate that an unused port must be protected by several layers to disallow access to the network. I routinely recommend doing this:


  1. Make the port a static access port and move it into a dedicated "parking" VLAN.
  2. Make that VLAN both shut (using the shutdown command) and suspended (the state suspend command).
  3. Shut down the port itself.

I admit it is repetitive and largely redundant, but significantly more foolproof at the same time.


Best regards,

Peter
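The following is an added example, not code from any poster or from Cisco, showing how the original question's manual step (find ports that show notconnect, park them) can be scripted around the three layers Peter lists. It parses the output of `show interfaces status`, picks out every notconnect port, and emits the IOS configuration for the parking VLAN and each selected interface. The sample output is constructed, and VLAN 999 is assumed to be otherwise unused; the `exclude` argument exists because a port that is merely unplugged for the day also shows as notconnect, so the list should be reviewed before the config is applied.

```python
"""Generate three-layer "parking" configuration for notconnect ports.

Added example (not from the thread or from Cisco). Input is the text of
`show interfaces status`; output is IOS configuration text that can be
pasted into a configuration session after review.
"""
import re

# Assumption: VLAN 999 is not used for anything else on the switch.
PARKING_VLAN = 999

# Constructed sample of `show interfaces status` output (not a real capture).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   Uplink-to-core     connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi1/0/2                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/3   printer            connected    10         a-full  a-100 10/100/1000BaseTX
Gi1/0/4                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/5                      disabled     999          auto   auto 10/100/1000BaseTX
"""

# The Name column is free text and may be empty, so it is matched lazily and
# the row is anchored on the fixed set of Status keywords that follows it.
STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s+"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+"
    r"(?P<vlan>\S+)"
)


def parse_status(show_output):
    """Parse `show interfaces status` into (port, name, status, vlan) tuples."""
    rows = []
    for line in show_output.splitlines():
        m = STATUS_RE.match(line)
        if m:  # header line and blank lines do not match
            rows.append((m["port"], m["name"].strip(), m["status"], m["vlan"]))
    return rows


def unused_ports(show_output, exclude=()):
    """Ports the switch reports as notconnect, minus explicit exclusions."""
    return [
        port
        for port, _name, status, _vlan in parse_status(show_output)
        if status == "notconnect" and port not in exclude
    ]


def parking_config(ports, vlan=PARKING_VLAN):
    """IOS config lines: parking VLAN shut and suspended, ports access + shut."""
    lines = [
        f"vlan {vlan}",
        " name PARKING",
        " state suspend",   # layer 2: VLAN suspended
        " shutdown",        # layer 2: VLAN shut
        "!",
    ]
    for port in ports:
        lines += [
            f"interface {port}",
            " description PARKED - unused port",
            " switchport mode access",              # layer 1: static access port
            f" switchport access vlan {vlan}",      # layer 1: in the parking VLAN
            " shutdown",                            # layer 3: port itself shut
            "!",
        ]
    return lines


if __name__ == "__main__":
    parked = unused_ports(SAMPLE_STATUS)
    print("\n".join(parking_config(parked)))
```

Run against the sample, it selects Gi1/0/2 and Gi1/0/4 (Gi1/0/5 is already disabled and is left alone) and prints the VLAN stanza once followed by one interface stanza per port. Removing a port from the parking state later means reversing all three layers, which is the trade-off Peter describes: more steps, but no single slip re-enables the port.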
