From: Todd Veillette (tveillette@myeastern.com)
Date: Fri Dec 23 2005 - 02:32:40 GMT-3
As another option, put all common areas in the proverbial internet-only VLAN (out of band in our case). It is dynamic for trusted users, as we VPN to whatever network need dictates.
-TV
----- Original Message ----- 
From: "Scott Morris" <swm@emanon.com>
To: "'Curt Girardin'" <curt.girardin@chicos.com>; <ccielab@groupstudy.com>
Sent: Thursday, December 22, 2005 9:23 AM
Subject: RE: Secure trunk links
> Well...  I guess the first thing I'd ask you is why you wanted to put a
> trunk into a conference room anyway...  :)
>
> VMPS isn't bad, providing you have a server.  But that's not a trunk port.
> That's a dynamically assigned access vlan.
>
> 802.1X requires client software.  Other switches don't have client software.
> So that doesn't help.
>
> Being that you're a trunk port you're moving things at Layer 2 which means
> you won't rewrite the MAC headers for everything, so MAC-based port security
> likely isn't a help.  (besides, I believe it's not allowed on trunk ports,
> at least not earlier IOS releases and certain switch types).  There are very
> specific requirements for when port security is allowed on a trunk, and that
> just covers a MAC list in general not the specific one connected on the
> other side of the link.
>
> Soooo...  From a security perspective, you shouldn't have dynamic ports at
> all.  You shouldn't have trunk ports in open areas.  If you have some true
> need to enable trunking to some area like a conference room, I would set it
> up to only allow particular VLANs across (whatever one(s) are truly needed)
> and make sure that I designed the network so that they are different than
> any of my other VLANs.  That way you can have routing filters in place to
> restrict traffic and make sure you don't have some malicious user lurking
> around.
>
> There's not really any pat answer there.  But you need to assess what is
> supposed to be happening.
>
> HTH,
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Curt Girardin
> Sent: Thursday, December 22, 2005 8:11 AM
> To: ccielab@groupstudy.com
> Subject: Secure trunk links
>
> Team,
>
> Is there a way to authenticate or secure a trunk link between switches?
> I'm not talking about VTP, but the links themselves...
>
> For example, every switchport in my business is running either
> port-security, VMPS, or 802.1x to keep the bad guys out.... If I put a
> switch into a public area, such as a conference room, there is nothing
> preventing a malicious user from plugging into the trunk port that feeds the
> switch in the conference room and having full access to the network.
>
> Thanks,
>
> Curt
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
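Scott's recommendation above (no dynamic ports, no open trunks, and where a trunk to a conference room is unavoidable, a static trunk restricted to VLANs that are distinct from the rest of the network) is easy to check for in a running config. The following audit script is an added example, not code from anyone in this thread or from Cisco; it parses IOS-style `interface` blocks (constructed samples embedded inline, with VLAN 200 as an assumed conference-room VLAN and VLANs 10 and 20 as assumed internal ones), and flags ports that are left in a dynamic DTP mode, trunks that still negotiate (no `switchport nonegotiate`), trunks that carry every VLAN, and trunks whose allowed list overlaps the internal VLAN set. The `nonegotiate` and default-mode checks go slightly beyond Scott's wording, since they are the mechanism by which a port stops being "dynamic" on IOS. Only the base form of `switchport trunk allowed vlan` is parsed; `add`/`remove`/`except` lines are ignored.

```python
import re

# All 802.1Q VLAN IDs; an IOS trunk carries all of them unless restricted.
ALL_VLANS = frozenset(range(1, 4095))

# Constructed sample of the setup the thread warns about: a dynamic DTP port
# trunks with whatever claims to be a switch, and a bare trunk carries every VLAN.
WEAK_CONFIG = """\
interface FastEthernet0/24
 switchport mode dynamic desirable
!
interface FastEthernet0/1
 switchport mode trunk
!
"""

# Constructed sample of the shape Scott recommends: static trunk, DTP disabled,
# only the conference-room VLAN (200, an assumed value) allowed across.
HARDENED_CONFIG = """\
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 200
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Return {interface name: [config lines]} for each 'interface' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '200,300-302' (or 'all'/'none') into a set."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        start, end = int(lo), int(hi) if hi else int(lo)
        vlans.update(range(start, end + 1))
    return vlans

def audit(config, internal_vlans):
    """Return {interface: [findings]}; internal_vlans must never reach an open area."""
    internal, findings = set(internal_vlans), {}
    for name, lines in parse_interfaces(config).items():
        mode, nonegotiate, allowed = None, False, set(ALL_VLANS)
        for line in lines:
            if m := re.match(r"switchport mode (\S+)", line):
                mode = m.group(1)            # 'access', 'trunk' or 'dynamic'
            elif line == "switchport nonegotiate":
                nonegotiate = True
            elif m := re.match(r"switchport trunk allowed vlan ([\d,\-]+|all|none)$", line):
                # Base form only; add/remove/except lines do not match and are ignored.
                allowed = expand_vlan_list(m.group(1))
        issues = []
        if mode is None:
            issues.append("no explicit switchport mode; many Catalyst platforms default to dynamic DTP")
        elif mode == "dynamic":
            issues.append("dynamic DTP mode: a connected device can negotiate a trunk")
        elif mode == "trunk":
            if not nonegotiate:
                issues.append("trunk without 'switchport nonegotiate': DTP still runs on the port")
            if allowed == ALL_VLANS:
                issues.append("trunk allows all VLANs; restrict with 'switchport trunk allowed vlan'")
            if leaked := sorted(allowed & internal):
                issues.append(f"trunk carries internal VLAN(s) {leaked} into an open area")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {audit(cfg, internal_vlans={10, 20}) or 'no findings'}")
```

Run against a saved `show running-config`, the script reports nothing for the hardened sample and three findings for the bare trunk in the weak sample (DTP still enabled, all VLANs allowed, internal VLANs 10 and 20 reachable); the allowed-VLAN overlap check is what enforces Scott's point that conference-room VLANs must be distinct from the ones your routing filters protect.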
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:52 GMT-3