Re: Secure trunk links

From: Niche (jackyliu419@gmail.com)
Date: Thu Dec 22 2005 - 11:54:35 GMT-3


Hi there,

My suggestion,

1. Set the switch vtp mode to transparent
2. Configure vtp password
3. Configure port-security
4. I agree with Scott and James. Trunk port? A switch in there? I can
almost foresee a network meltdown... let's keep all ports in access
mode only
5. If service level is not a problem, configure root guard. If service
level is a concern, configure bpdu-filter
6. Disable every unnecessary service
7. Furthermore, you can easily google a secure switch template
8. Configure read-only (RO) access only for SNMP or... disable it entirely, just use syslog
9. Allow only necessary VLANs in the uplink trunk

There should be a few more considerations but, at the end of the day,
it really depends on your business requirements.

Best Regards,
Jacky

On 12/22/05, Scott Morris <swm@emanon.com> wrote:
> Well... I guess the first thing I'd ask you is why you wanted to put a
> trunk into a conference room anyway... :)
>
> VMPS isn't bad, providing you have a server. But that's not a trunk port.
> That's a dynamically assigned access VLAN.
>
> 802.1X requires client software. Other switches don't have client software.
> So that doesn't help.
>
> Being that you're a trunk port you're moving things at Layer 2 which means
> you won't rewrite the MAC headers for everything, so MAC-based port security
> likely isn't a help. (besides, I believe it's not allowed on trunk ports,
> at least not earlier IOS releases and certain switch types). There are very
> specific requirements for when port security is allowed on a trunk, and that
> just covers a MAC list in general not the specific one connected on the
> other side of the link.
>
> Soooo... From a security perspective, you shouldn't have dynamic ports at
> all. You shouldn't have trunk ports in open areas. If you have some true
> need to enable trunking to some area like a conference room, I would set it
> up to only allow particular VLANs across (whatever one(s) are truly needed)
> and make sure that I designed the network so that they are different than
> any of my other VLANs. That way you can have routing filters in place to
> restrict traffic and make sure you don't have some malicious user lurking
> around.
>
> There's not really any pat answer there. But you need to assess what is
> supposed to be happening.
>
> HTH,
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Curt
> Girardin
> Sent: Thursday, December 22, 2005 8:11 AM
> To: ccielab@groupstudy.com
> Subject: Secure trunk links
>
> Team,
>
> Is there a way to authenticate or secure a trunk link between switches?
> I'm not talking about VTP, but the links themselves...
>
> For example, every switchport in my business is running either
> port-security, VMPS, or 802.1x to keep the bad guys out.... If I put a
> switch into a public area, such as a conference room, there is nothing
> preventing a malicious user from plugging into the trunk port that feeds the
> switch in the conference room and having full-access to the network.
>
> Thanks,
>
> Curt
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3