Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Securing a Trunk Port

I have two switches that are trunked. Switchports interface g0/1 (on switch A) and interface f0/1 (on switch B) are used for trunking. There is a requirement to secure a trunk port g0/1 without using port security feature as this affects the end-user clients connected to ports on switch B. The end user client are being authenticated already by 802.1x. What I want is just the securing switch A int g0/1 NOT the end user client such that if the a new switch is plugged into switch A, the port g0/1 will not pass traffic. Note: I have tried using mac access-list to match the mac-address of int g0/1 and f0/1 and a deny any any at the end of the access-list ---- it did not work for obvious reasons. Any idea? Many thanks for your help.

Hall of Fame Super Silver

Re: Securing a Trunk Port

Hello Stephen,

if swichport mode is dynamic desirable VTP domain must match on the two ends or the port goes back to access mode.

As far as I know this is the only option that can help to distinguish between a device under your administration and a device that is placed there by somebody else.

But in your environment you may have disabled VTP for its own security issues!

a mac-address access-list approach would need to list all possible known MAC addresses belonging to clients connected to the other switch.

Other swich port MAC address is only used as a source MAC for L2 signaling protocols like STP, DTP, CDP and so on.

These are transparent switches after all.

To be noted that with a good implementation of 802.1x in both switches you should be fine in practice.

Hope to help


New Member

Re: Securing a Trunk Port

VTP is generally used for Vlan management and its propagation which is not inline with this requirement. The essense of this layer 2 security requirement is to prevent a situation where a known switch with 802.1x configured on it replaced by a rogue switch with a rogue client plugged on it thereby bypassing the 802.1x implementation.

New Member

Re: Securing a Trunk Port

or does a feature that addresses this concern not available within the IOS? Any idea? Many thanks for your help.

New Member

Re: Securing a Trunk Port

any help? any idea? many thanks

Hall of Fame Super Blue

Re: Securing a Trunk Port


Sometimes a technical answer is not possible.

The most obvious answer is to ensure that your switches are locked in a secure place so that someone cannot just come along and replace the existing switch.

Is there a reason why these switches are not in a secure LAN room ?