Authenticating trunk ports?

CSchaatsbergen
Level 1

Hi all,

Perhaps a stupid question but I find myself unable to find a satisfying answer.

We have a couple of 3560 switches, all connected to a 3750 stack. One of those 3560 switches is in a semi-open place and I have been asked if that could be considered a security risk. Of course, it being in an open place is a risk, but if someone were to unplug the trunk connection to our stack and then plug it into another switch, what would happen?

Should/could we authenticate trunk ports/channel-groups? I have all switches configured to authenticate SSH login and network (MAC-based) against a RADIUS server, but I have not configured authentication on the trunk ports, as I have found descriptions saying that dot1x cannot be enabled on trunk ports.

Thanks in advance

Chris

Accepted Solutions

Farrukh Haroon
VIP Alumni

Hello

I would suggest the following:

>> Arrange for some physical enclosure (locked) or any other physical security control to ensure authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What if someone just switches off your switches? DOS attack!! This could also be done by mistake, resulting in an unstructured threat.

>> Enable monitoring for these switches (ICMP, SNMP) so that you are alerted when they are unplugged.

>> Change the NATIVE VLAN from the default (VLAN 1)

>> Disable Trunk negotiation (ON mode)

Regards

Farrukh
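As an added example (not code from the thread), here is a small Python audit that reads an IOS-style running-config and flags trunk ports that still negotiate DTP or leave the native VLAN at the default of 1, which are the two configuration items in the reply above. The config excerpt is constructed for the example; interface names and VLAN numbers are assumptions.

```python
from typing import Dict, List

# Constructed sample running-config (not from the thread): Gi0/1 hardened as recommended, Gi0/2 at defaults.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines under each 'interface' stanza by interface name."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return interfaces

def audit_trunks(config: str) -> Dict[str, List[str]]:
    """Flag trunk ports that still negotiate (DTP) or keep native VLAN 1."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue  # access ports are out of scope for this check
        issues = []
        if "switchport nonegotiate" not in lines:
            issues.append("DTP negotiation still enabled; add 'switchport nonegotiate'")
        native = [l for l in lines if l.startswith("switchport trunk native vlan ")]
        if not native or native[-1].split()[-1] == "1":
            issues.append("native VLAN left at default VLAN 1; move it to an unused VLAN")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit_trunks` over the output of `show running-config` to list the uplinks that still need the two changes.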
