Cisco Support Community

New Member

Disabling unused access ports

I have about 185 or so 3750's all running 12.2(50) IOS. I was hoping someone here could help. We are very big on Layer 2 security and are in the process of implementing 802.1x. We have been disabling ports manually and putting them in a dead Vlan whenever a port shows not connected. Is there any way to have the switch do that automatically, or can CiscoWorks LMS 3.2 do this? All help is greatly appreciated.

3 REPLIES

Re: Disabling unused access ports

Why do you prefer a dead vlan to just shutting the port? If you implement 802.1x, there is the concept of a guest vlan where unauthenticated clients are connected to an alternate vlan if they do not authenticate with a certificate.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.pdf

New Member

Re: Disabling unused access ports

I guess he means the situation when no client is connected to the port. Your situation describes when a client is using dot1x but is not authorized. Anyway, I guess it will be the easiest thing if you set the switchport access vlan to an unused vlan.

And if you disable the vlan on the trunks, your clients won't have any connection there. Another thing to use is the embedded event manager, but you have to update to 12.3 or 12.4 for this. But there you can configure the port dynamically with whatever you want if the port goes up or down. There are some breakouts from Cisco Live where you can find information about it.

Cisco Employee

Re: Disabling unused access ports

Jason,

Your internal security policies may mandate that an unused port must be protected by several layers to disallow access to the network. I routinely recommend doing this:

  1. Make the port a static access port and move it in a dedicated "parking" VLAN.
  2. Make that VLAN both shut (using the shutdown command) and suspended (the state suspend command).
  3. Shutdown the port itself.

I admit - it is repetitive and largely redundant, but significantly more foolproof at the same time.

Best regards,

Peter
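As an added example (not part of this thread and not Cisco's code), the script below shows how the three layers Peter lists could be applied to every port that is currently notconnect, which is what the original question asked to automate. It parses a constructed `show interfaces status` sample and emits the matching IOS configuration; the parking VLAN number 999 and the sample output are assumptions.

```python
import re

# Constructed sample of "show interfaces status" output (not taken from the thread).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1                      connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/0/2                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/3   uplink             connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi1/0/4                      notconnect   999          auto   auto 10/100/1000BaseTX
Gi1/0/5                      disabled     1            auto   auto 10/100/1000BaseTX
"""

# The Name column may be empty, so the status keyword anchors the match.
ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled|inactive)\s+"
    r"(?P<vlan>\S+)"
)

PARKING_VLAN = 999  # assumed; choose a VLAN that is unused everywhere


def parse_status(text):
    """Return one dict per interface row of 'show interfaces status'."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]


def unused_ports(rows):
    """Ports with nothing plugged in that are still administratively up.
    'disabled' rows are already shut down; trunks are never parked."""
    return [r["port"] for r in rows
            if r["status"] == "notconnect" and r["vlan"] != "trunk"]


def parking_config(ports, vlan=PARKING_VLAN):
    """Emit IOS config for the three layers: parking VLAN that is both
    suspended and shut, static access ports in it, and the ports shut."""
    lines = [f"vlan {vlan}", " name PARKING", " state suspend", " shutdown"]
    for port in ports:  # IOS accepts the abbreviated names shown in the output
        lines += [f"interface {port}", " switchport mode access",
                  f" switchport access vlan {vlan}", " shutdown"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(parking_config(unused_ports(parse_status(SAMPLE_STATUS))))
```

Feed it the real output of `show interfaces status` and review the result before pasting it, since any port that happens to be unplugged at that moment (a powered-off desk, for instance) will be parked too.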
