From: Scott Morris (swm@emanon.com)
Date: Thu Dec 22 2005 - 11:23:04 GMT-3
Well... I guess the first thing I'd ask you is why you wanted to put a
trunk into a conference room anyway... :)

VMPS isn't bad, providing you have a server. But that's not a trunk port.
That's a dynamically assigned access VLAN.

802.1X requires client software. Other switches don't have client software.
So that doesn't help.

Being that you're a trunk port, you're moving things at Layer 2, which means
you won't rewrite the MAC headers for everything, so MAC-based port security
likely isn't a help. (Besides, I believe it's not allowed on trunk ports,
at least not in earlier IOS releases and on certain switch types.) There are very
specific requirements for when port security is allowed on a trunk, and that
just covers a MAC list in general, not the specific one connected on the
other side of the link.

Soooo... From a security perspective, you shouldn't have dynamic ports at
all. You shouldn't have trunk ports in open areas. If you have some true
need to enable trunking to some area like a conference room, I would set it
up to only allow particular VLANs across (whatever one(s) are truly needed)
and make sure that I designed the network so that they are different than
any of my other VLANs. That way you can have routing filters in place to
restrict traffic and make sure you don't have some malicious user lurking
around.

There's not really any pat answer there. But you need to assess what is
supposed to be happening.

HTH,
Scott
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Curt
Girardin
Sent: Thursday, December 22, 2005 8:11 AM
To: ccielab@groupstudy.com
Subject: Secure trunk links
Team,

Is there a way to authenticate or secure a trunk link between switches?
I'm not talking about VTP, but the links themselves...

For example, every switchport in my business is running either
port-security, VMPS, or 802.1x to keep the bad guys out.... If I put a
switch into a public area, such as a conference room, there is nothing
preventing a malicious user from plugging into the trunk port that feeds the
switch in the conference room and having full access to the network.

Thanks,
Curt
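As an added illustration (not part of the original thread, and not code from either poster), the following Python script audits a constructed Catalyst running-config excerpt against the advice in the reply: no dynamic (DTP-negotiated) ports, and any trunk that must exist restricted to the VLANs actually needed. It also flags a static trunk that still sends DTP (`switchport nonegotiate` missing) and a port with no explicit `switchport mode`, since the Catalyst default for that is DTP dynamic (auto or desirable, depending on platform); neither of those points is raised in the thread. The interface names, descriptions and VLAN numbers in the sample config are made up.

```python
from typing import Dict, List

# Constructed sample of a Catalyst running-config excerpt (not from the
# original post): a negotiated trunk, a hardened trunk, an access port,
# an unrestricted static trunk, and a port left at the platform default.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description Uplink to conference-room switch (as found)
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 description Uplink to conference-room switch (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 210
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description User port
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
interface GigabitEthernet0/4
 description Spare uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/5
 description Wall jack, mode never set
 switchport access vlan 20
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented sub-commands of each 'interface' stanza by name."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command closes the stanza
    return stanzas


def audit_interface(lines: List[str]) -> List[str]:
    """Return findings for one interface; an empty list means no concern."""
    findings: List[str] = []
    mode = next((l for l in lines if l.startswith("switchport mode ")), None)
    if mode is None:
        # Catalyst default when no mode is configured is DTP dynamic
        # (auto or desirable depending on platform), i.e. a dynamic port.
        findings.append("no explicit switchport mode: platform default is DTP "
                        "dynamic, set 'switchport mode access' or 'trunk'")
        return findings
    if mode.startswith("switchport mode dynamic"):
        findings.append("dynamic (DTP-negotiated) port: whatever is plugged in "
                        "can negotiate itself into a trunk")
        return findings
    if mode != "switchport mode trunk":
        return findings  # access port: trunk checks do not apply
    allowed = [l for l in lines if l.startswith("switchport trunk allowed vlan")]
    if not allowed or allowed[-1].endswith(" all"):
        findings.append("trunk carries all VLANs: restrict with "
                        "'switchport trunk allowed vlan <list>'")
    if "switchport nonegotiate" not in lines:
        findings.append("static trunk still sends DTP: add 'switchport nonegotiate'")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Map each interface with at least one finding to its list of findings."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        for f in findings:
            print(f"{name}: {f}")
```

Run against the sample, GigabitEthernet0/2 and 0/3 produce no findings, while 0/1 (dynamic), 0/4 (unrestricted static trunk) and 0/5 (mode never set) are each reported. To use it on real gear, feed it the output of `show running-config` instead of `SAMPLE_CONFIG`.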
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3