Disabling unused access ports

ANDAFBCCO
Level 1

I have about 185 or so 3750s, all running 12.2(50) IOS. I was hoping someone here could help. We are very big on Layer 2 security and are in the process of implementing 802.1x. We have been disabling ports manually and putting them in a dead VLAN whenever a port shows not connected. Is there any way to have the switch do that automatically, or can CiscoWorks LMS 3.2 do this? All help is greatly appreciated.

3 Replies

Jason Masker
Level 1

Why do you prefer a dead vlan to just shutting the port? If you implement 802.1x, there is the concept of a guest vlan where unauthenticated clients are connected to an alternate vlan if they do not authenticate with a certificate.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.pdf

I guess he means the situation when no client is connected to the port. Your situation describes when a client is using dot1x but is not authorized. Anyway, I guess it will be the easiest thing if you set the switchport access VLAN to an unused VLAN.

And if you disable the VLAN on the trunks, your clients won't have any connection there. Another thing to use is the Embedded Event Manager, but you have to update to 12.3 or 12.4 for this. But there you can configure the port dynamically with whatever you want if the port goes up or down. There are some breakouts from Cisco Live where you can find information about it.

Jason,

Your internal security policies may mandate that an unused port must be protected by several layers to disallow access to the network. I routinely recommend doing this:

  1. Make the port a static access port and move it into a dedicated "parking" VLAN.
  2. Make that VLAN both shut (using the shutdown command) and suspended (the state suspend command).
  3. Shut down the port itself.

I admit - it is repetitive and largely redundant, but significantly more foolproof at the same time.

Best regards,

Peter
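
An added example, not part of the thread or any poster's code: a Python sketch that reads `show interfaces status` output and emits the IOS commands for the three steps above for every port reported as notconnect. The sample output, the parking VLAN ID 999, the VLAN name and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of `show interfaces status` output (not from the thread).
SAMPLE = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   user desk 12       connected    10         a-full a-1000 10/100/1000BaseTX
Gi1/0/2                      notconnect   10           auto   auto 10/100/1000BaseTX
Gi1/0/3   spare              notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/4                      disabled     999          auto   auto 10/100/1000BaseTX
Gi1/0/24  uplink core        notconnect   1            auto   auto 10/100/1000BaseTX
"""

# Port, optional free-text name, then the status keyword and the VLAN column.
ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"\b(?P<status>connected|notconnect|err-disabled|disabled|inactive)\s+(?P<vlan>\S+)"
)

def unused_ports(status_output, exclude=()):
    """Return ports whose status is notconnect, skipping excluded ports (e.g. uplinks)."""
    ports = []
    for line in status_output.splitlines():
        m = ROW.match(line)
        if m and m["status"] == "notconnect" and m["port"] not in exclude:
            ports.append(m["port"])
    return ports

def parking_config(ports, parking_vlan=999):
    """Build IOS config: parking VLAN shut down and suspended, ports parked and shut."""
    # Assumed VLAN ID and name; pick a VLAN that is not carried on any trunk.
    lines = [f"vlan {parking_vlan}", " name PARKING", " shutdown", " state suspend", "!"]
    for port in ports:
        lines += [
            f"interface {port}",
            " switchport mode access",
            f" switchport access vlan {parking_vlan}",
            " shutdown",
            "!",
        ]
    return "\n".join(lines)

if __name__ == "__main__":
    print(parking_config(unused_ports(SAMPLE, exclude={"Gi1/0/24"})))
```

Review the generated port list before applying it: a port shows notconnect both when it is unused and when the attached host is simply powered off.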
