Hello Fellow Networkers,
In my current configuration a 2K/3K switch obtains a DHCP address across the PnP-controlled native VLAN 666. The adjacent sub-interface on the directly attached ISR is configured with “encapsulation native vlan 666”. Plug and Play deploys successfully; however, I’m trying to mitigate the security risk associated with an intruder getting DHCP-serviced VLAN 666 access just by attaching a laptop.
Endeavours so far have involved PnP deploying a switch configuration trunking VLAN 666 and then using an EEM Tcl script to amend the ISR sub-interface encapsulation upon receipt of a syslog %LINEPROTO-5-UPDOWN message.
Any advice on the Cisco-promoted best practice would be very much appreciated.
Thank you in anticipation.
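The approach described in the post, written out as an added example rather than the poster's own script: the ISR sub-interface starts as the native (untagged) VLAN 666 so PnP can complete, and an EEM applet triggered by the %LINEPROTO-5-UPDOWN syslog message rewrites the encapsulation to tagged-only, so an untagged laptop plugged into that port no longer lands in VLAN 666. The interface names GigabitEthernet0/0/1 and GigabitEthernet0/0/1.666 and the applet name are assumptions.

```cisco
! --- Before: as deployed for PnP (assumed interface names) ---
! Untagged frames from whatever is plugged into Gi0/0/1 land in VLAN 666
! and can obtain a DHCP lease there.
interface GigabitEthernet0/0/1.666
 encapsulation dot1Q 666 native
 ip address 10.66.66.1 255.255.255.0   ! constructed sample addressing

! --- EEM applet: once the link protocol comes up (PnP has finished),
! --- switch the sub-interface to tagged-only so untagged frames are dropped.
event manager applet PNP-LOCK-NATIVE
 event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 1.2 cli command "interface GigabitEthernet0/0/1.666"
 action 1.3 cli command "encapsulation dot1Q 666"
 action 1.4 cli command "end"
 action 1.5 syslog priority notifications msg "PNP-LOCK-NATIVE: Gi0/0/1.666 changed from native to tagged VLAN 666"

! --- After: what the applet leaves behind ---
! Only frames carrying tag 666 reach the sub-interface; the switch must
! already be trunking VLAN 666 (the PnP-delivered config does this).
! interface GigabitEthernet0/0/1.666
!  encapsulation dot1Q 666
!  ip address 10.66.66.1 255.255.255.0
```

The applet fires on every link-up of Gi0/0/1, so a replacement switch that needs PnP again will not get native access until the encapsulation is manually reverted; the syslog line it emits gives the SOC a record of each lock-down.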