topic Switchport Trunk Security Concerns in Network Security

Switchport Trunk Security Concerns

Red Taco — Mon, 22 May 2023 18:40:40 GMT

We are discussing the best way to place PCs onto their desired VLAN. It has been offered that we make all switchports trunks and do VLAN tagging from the PC NICs. How dangerous is this from the perspective that all switchports would be trunks?

Re: Switchport Trunk Security Concerns

Rob Ingram — Mon, 22 May 2023 18:48:14 GMT

@Red Taco thats a lot of effort to configure the PCs NIC to tag a VLAN. The standard way is to explictly configure the switchport connected to the PC as an access port and disable DTP, to ensure the PC does not attempt to negotiate a trunk automatically.

switchport mode access
switchport access vlan X
switchport nonegotiate

If you want to dynamically assign VLANs then you can assign the computer to the VLAN from a RADIUS if using 802.1X.

Re: Switchport Trunk Security Concerns

Flavio Miranda — Mon, 22 May 2023 18:49:09 GMT

First you need to make sure you PCs supports tag, not all does. But, the proper way to put PCs in their vlans is by using the access mode. I dont think it is dangerous to have all ports in trunk mode but it not necessary.

The standard is trunk connects switches and routers and access PCs and servers.

Re: Switchport Trunk Security Concerns

MHM Cisco World — Mon, 22 May 2023 18:50:07 GMT

https://www.ciscopress.com/articles/article.asp?p=1681033&seqNum=3

this security issue and it can lead to VLAN hopping attack

Re: Switchport Trunk Security Concerns

Red Taco — Mon, 22 May 2023 18:51:33 GMT

That's the method I would typically use, but we have PCs that move around a lot and we're looking for a less manual method - something we could do once and would work no matter where the PC is moved (even another physical site using the same VLANs).

Re: Switchport Trunk Security Concerns

MHM Cisco World — Mon, 22 May 2023 19:29:43 GMT

check below

Re: Switchport Trunk Security Concerns

Red Taco — Mon, 22 May 2023 18:56:32 GMT

Re: Switchport Trunk Security Concerns

Flavio Miranda — Mon, 22 May 2023 18:56:42 GMT

Then you should consider wifi.

But the question I do is, does thoses PCs supports tag? I dont think this is a very common feature on PCs..

Re: Switchport Trunk Security Concerns

MHM Cisco World — Mon, 22 May 2023 18:57:08 GMT

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ewa/configuration/guide/vmps.html

there is OLD tech called dynamic VLAN membership check it
otherwise you need dot1x

Re: Switchport Trunk Security Concerns

Red Taco — Mon, 22 May 2023 18:58:35 GMT

We're in the process of checking NIC drivers for VLAN tagging features but I wanted to check for security concerns before we get too far down that path.

Re: Switchport Trunk Security Concerns

Flavio Miranda — Mon, 22 May 2023 19:12:21 GMT

Right.

I dont see, from the security perspect, difference between access and trunk. But, sounds to me a bit weird and you have better solution out there available. For example, if you deploy a radius server you would have feature able to identify the PC and assign the proper vlan dont matter where the device is connected. And with that, you also could benefit from features like dynamic ACL, port-control , MAB, etc.

Re: Switchport Trunk Security Concerns

Rob Ingram — Mon, 22 May 2023 19:12:42 GMT

@Red Taco I would say there would be a huge administrative overhead manually configuring the PCs to trunk VLANs. As I previously mentioned you could use a dynamic solution such as ISE to authenticate, track the user/IP and assign a VLAN. Or depending on the size of your network, perhaps consider SDA fabric.

Re: Switchport Trunk Security Concerns

Red Taco — Mon, 22 May 2023 19:13:24 GMT

Thanks, I do think that's the best solution.

Re: Switchport Trunk Security Concerns

MHM Cisco World — Mon, 22 May 2023 19:18:53 GMT

You are correct, the cisco high recommend not assign trunk to access port and disable DTP.
let him try hope he will not under attack and loss SW connectivity.
Thanks

MHM