Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Securing Trunk Links

Hi all,

Is there any way to secure trunk links?

More specifically, to secure them so that someone can't unplug the switch and connect a PC that speaks 802.1q to gain access to any VLAN.

It is possible to use port security or port access lists on the uplink port with a big list of MAC addresses but that doesn't play nicely with dynamic VLANs and isn't the easiest to manage, are there any other methods?

Hall of Fame Super Bronze

Re: Securing Trunk Links

By default the PC will try to negotiate the trunk with VLAN 1. All you have to do is change the native VLAN in the trunk to something other than VLAN 1.

Both devices must agree on the native VLAN, else the trunk will never form.

New Member

Re: Securing Trunk Links

Thanks for the reply Edison,

Is there a method of error disabling the port after a certain amount of native VLAN mismatches? Otherwise it may be possible to find the native VLAN by a brute force attack.

It's a shame that dot1x (802.1x) doesn't work on trunk links, that sounds like it would be a nice solution.