Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Trunk port

Hi,

I am planning to place a machine onto a trunk port. Are there a lot of security implications if I were to do that? Any idea what an attacker can do if he manages to get access to that box?

4 REPLIES
Cisco Employee

Re: Trunk port

Hello,

Placing a machine on a trunk port is equivalent to directly connecting it to all VLANs that are allowed on that trunk. Moreover, the security implications are heightened by the fact that this station has direct access to all VLANs and with wrong configuration, it can become a bridge or router between these VLANs so caution must be taken to prevent this if it is not desirable.

Is it necessary to have that station connected to a trunk port? Is that station capable of 802.1Q frame tagging?

Best regards,

Peter

New Member

Re: Trunk port

Hi

when you say machine, do you mean a switch? and if not why does the port need to be trucked?

also you can password you're VTP domain!

New Member

Re: Trunk port

This machine is a server and not a switch. The reason is that we need to virtualize some hosts and place it on different VLANs.

Cisco Employee

Re: Trunk port

Hello,

It is not unusual to place a server which is 802.1Q-capable on a trunk for various purposes - routing on a stick, virtualization and so on. That's all OK. What you have to take into account is that the server indeed has a direct access to all VLANs on that trunk if some software is privileged enough to send arbitrarily tagged 802.1Q frames. Also a care should be taken to filter out BPDUs, DTP, VTP, CDP and similar frames on the trunk so that in case the server is compromised, no forged packets can be sent from it to disrupt the network operation.

Basically, there are two aspect here: the first aspect is that the server is in many VLANs at once. So the security implications here are the same as if the server had multiple NICs connected to different switches. The second aspect is that there are some service protocols running on a trunk (notably the VTP, DTP and PV(R)STP) that are not on normal access ports. These service protocols are usable and valid only between switches and they should not be sent or at least accepted from the server.

Best regards,

Peter

140
Views
0
Helpful
4
Replies
CreatePlease to create content