Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
368
Views
0
Helpful
4
Replies

Trunk port

alanchia2000
Level 1
Level 1

‎09-03-2009 01:06 AM - edited ‎03-06-2019 07:33 AM

Hi,

I am planning to place a machine onto a trunk port. Are there a lot of security implications if I were to do that? Any idea what an attacker can do if he manages to get access to that box?

Labels:
0 Helpful
4 Replies 4

Peter Paluch
Cisco Employee
Cisco Employee

‎09-03-2009 01:10 AM

Hello,

Placing a machine on a trunk port is equivalent to directly connecting it to all VLANs that are allowed on that trunk. Moreover, the security implications are heightened by the fact that this station has direct access to all VLANs and with wrong configuration, it can become a bridge or router between these VLANs so caution must be taken to prevent this if it is not desirable.

Is it necessary to have that station connected to a trunk port? Is that station capable of 802.1Q frame tagging?

Best regards,

Peter

0 Helpful

ktwaddell
Level 1
Level 1

‎09-03-2009 01:11 AM

Hi

when you say machine, do you mean a switch? and if not why does the port need to be trucked?

also you can password you're VTP domain!

0 Helpful

alanchia2000
Level 1
Level 1
In response to ktwaddell

‎09-03-2009 01:23 AM

This machine is a server and not a switch. The reason is that we need to virtualize some hosts and place it on different VLANs.

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee
In response to alanchia2000

‎09-03-2009 01:42 AM

Hello,

It is not unusual to place a server which is 802.1Q-capable on a trunk for various purposes - routing on a stick, virtualization and so on. That's all OK. What you have to take into account is that the server indeed has a direct access to all VLANs on that trunk if some software is privileged enough to send arbitrarily tagged 802.1Q frames. Also a care should be taken to filter out BPDUs, DTP, VTP, CDP and similar frames on the trunk so that in case the server is compromised, no forged packets can be sent from it to disrupt the network operation.

Basically, there are two aspect here: the first aspect is that the server is in many VLANs at once. So the security implications here are the same as if the server had multiple NICs connected to different switches. The second aspect is that there are some service protocols running on a trunk (notably the VTP, DTP and PV(R)STP) that are not on normal access ports. These service protocols are usable and valid only between switches and they should not be sent or at least accepted from the server.

Best regards,

Peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card