https://community.cisco.com/t5/network-security/shutdown-ports-or-put-them-in-vlan/m-p/3096673#M907308 <P>Hi,</P> <P>Shutdown is the best and most secure option.</P> <P>If VLAN111 is enabled, users can abuse that VLAN to create there own uncontrolled private network.</P> <P>&nbsp;</P> <P>Just my 2 cents.</P> <P></P> <P>S.O.</P> Fri, 11 Aug 2017 21:54:47 GMT software_onbekend 2017-08-11T21:54:47Z https://community.cisco.com/t5/network-security/shutdown-ports-or-put-them-in-vlan/m-p/3096671#M907297 <P>Hello all,</P> <P>I have always read how it is the best security practice to put unused ports on switch/router into shutdown state. However, at work they put them in unused VLAN which serves just for this purpose.</P> <P><SPAN style="font-family: andale mono,monospace; font-size: 12pt;">The only config on that interface:</SPAN></P> <P><STRONG><SPAN style="font-family: terminal,monaco,monospace; font-size: 10pt;">#switchport mode access</SPAN></STRONG></P> <P><STRONG><SPAN style="font-family: terminal,monaco,monospace; font-size: 10pt;">#switchport access vlan 111</SPAN></STRONG></P> <P>By the way, VLAN 111 is active.</P> <P>I searched a lot on this topic but still do not have the answer. Is it a good security practice? And is it better than shutting down the ports?</P> <P>Thank you very much for any help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P></P> <P></P> Fri, 21 Feb 2020 14:12:54 GMT https://community.cisco.com/t5/network-security/shutdown-ports-or-put-them-in-vlan/m-p/3096671#M907297 glogloglik 2020-02-21T14:12:54Z https://community.cisco.com/t5/network-security/shutdown-ports-or-put-them-in-vlan/m-p/3096672#M907304 <P>Personally I would shut them down. It's no more effort to enable versus change their VLAN when they are in use. In fact, you could argue 'no shut' is easier to type than 'switchport access vlan xx' &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>I know in the case of auditors, they say ports should be disabled when not used. Some companies, and more highly restricted networks, specify that ports are not only shut down, but their network ports are completely unpatched from the switch as well.</P> <P>Back in the day of 'vlan hopping', shutdown was certainly the best method. I'd stick with it.</P> Sun, 06 Aug 2017 06:47:26 GMT https://community.cisco.com/t5/network-security/shutdown-ports-or-put-them-in-vlan/m-p/3096672#M907304 Bobby Stojceski 2017-08-06T06:47:26Z https://community.cisco.com/t5/network-security/shutdown-ports-or-put-them-in-vlan/m-p/3096673#M907308 <P>Hi,</P> <P>Shutdown is the best and most secure option.</P> <P>If VLAN111 is enabled, users can abuse that VLAN to create there own uncontrolled private network.</P> <P>&nbsp;</P> <P>Just my 2 cents.</P> <P></P> <P>S.O.</P> Fri, 11 Aug 2017 21:54:47 GMT https://community.cisco.com/t5/network-security/shutdown-ports-or-put-them-in-vlan/m-p/3096673#M907308 software_onbekend 2017-08-11T21:54:47Z