Placing a machine on a trunk port is equivalent to directly connecting it to all VLANs that are allowed on that trunk. Moreover, the security implications are heightened by the fact that this station has direct access to all VLANs and with wrong configuration, it can become a bridge or router between these VLANs so caution must be taken to prevent this if it is not desirable.
Is it necessary to have that station connected to a trunk port? Is that station capable of 802.1Q frame tagging?
It is not unusual to place a server which is 802.1Q-capable on a trunk for various purposes - router on a stick, virtualization and so on. That's all OK. What you have to take into account is that the server indeed has direct access to all VLANs on that trunk if some software is privileged enough to send arbitrarily tagged 802.1Q frames. Also, care should be taken to filter out BPDUs, DTP, VTP, CDP and similar frames on the trunk so that, in case the server is compromised, no forged packets can be sent from it to disrupt the network operation.
Basically, there are two aspects here: the first aspect is that the server is in many VLANs at once. So the security implications here are the same as if the server had multiple NICs connected to different switches. The second aspect is that there are some service protocols running on a trunk (notably VTP, DTP and PV(R)STP) that are not present on normal access ports. These service protocols are usable and valid only between switches, and they should not be sent to the server, or at least not accepted from it.
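A defender-side check for the trunk hardening the answer above describes, added here as an example and not part of the original post: it parses IOS-style interface stanzas from a constructed config text and reports which trunk ports lack DTP suppression, BPDU guard, CDP off, a restricted allowed-VLAN list and a non-default native VLAN. The command syntax assumed is standard Cisco IOS; VTP cannot be filtered per port and is left to the global `vtp mode` setting.

```python
"""Audit Cisco IOS trunk stanzas for the server-facing hardening discussed
above. The config below is constructed for this example, not a real device."""
import re

# Constructed sample: one hardened trunk, one default trunk, one access port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description server-A (802.1Q capable)
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpduguard enable
 no cdp enable
!
interface GigabitEthernet1/0/2
 description server-B
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
!
"""

# (finding reported when absent, regex that must match one line of the stanza)
REQUIRED = [
    ("DTP not disabled (missing 'switchport nonegotiate')", r"^switchport nonegotiate$"),
    ("BPDU guard missing (server could inject STP BPDUs)", r"^spanning-tree bpduguard enable$"),
    ("CDP still enabled (missing 'no cdp enable')", r"^no cdp enable$"),
    ("allowed VLAN list not restricted", r"^switchport trunk allowed vlan \S+$"),
    ("native VLAN left at default 1", r"^switchport trunk native vlan (?!1$)\d+$"),
]

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None            # '!' terminates the stanza
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def audit_trunks(config):
    """Return {trunk_interface: [missing hardening items]}; access ports are skipped."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        findings[name] = [msg for msg, pat in REQUIRED
                          if not any(re.match(pat, l) for l in lines)]
    return findings

if __name__ == "__main__":
    for port, issues in audit_trunks(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else issues)
```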