05-22-2023 11:40 AM
We are discussing the best way to place PCs onto their desired VLAN. It has been offered that we make all switchports trunks and do VLAN tagging from the PC NICs. How dangerous is this from the perspective that all switchports would be trunks?
05-22-2023 12:12 PM
Right.
I don't see, from the security perspective, a difference between access and trunk. But it sounds a bit weird to me, and you have better solutions available out there. For example, if you deploy a RADIUS server you would have a feature able to identify the PC and assign the proper VLAN no matter where the device is connected. And with that, you could also benefit from features like dynamic ACL, port-control, MAB, etc.
05-22-2023 11:48 AM
@Red Taco that's a lot of effort to configure the PC's NIC to tag a VLAN. The standard way is to explicitly configure the switchport connected to the PC as an access port and disable DTP, to ensure the PC does not attempt to negotiate a trunk automatically.
switchport mode access
switchport access vlan X
switchport nonegotiate
If you want to dynamically assign VLANs then you can assign the computer to the VLAN from a RADIUS server if using 802.1X.
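The hardening in that answer (explicit access mode plus DTP disabled on host-facing ports, trunks only on uplinks) can be checked against a running-config mechanically. The following Python script is an added example written for this thread, not code from the thread or from Cisco; the configuration text, interface names, VLAN numbers and the uplink list inside it are constructed for illustration. It parses interface stanzas and flags ports that are left in the default dynamic mode, ports that still run DTP, and trunk mode on ports that are not declared uplinks.

```python
"""Audit a Cisco IOS-style running-config for switchports exposed to trunk
negotiation (DTP) or configured as trunks where an end host is expected.

Added example for this thread; not code from the thread or from Cisco.
SAMPLE_CONFIG, the interface names, the VLAN numbers and the uplink list
are constructed for illustration.
"""

# Constructed sample configuration covering the cases discussed in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description PC - hardened access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description PC - access port but DTP still enabled
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description PC - proposed 'trunk to the NIC' design
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 description default config, mode not set (dynamic auto)
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
"""

# Ports that are legitimately trunks (constructed; would come from inventory).
UPLINKS = {"GigabitEthernet1/0/24"}


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} per interface stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # '!' terminates the stanza
        elif current is not None and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def audit_interface(name, lines, uplinks=frozenset()):
    """Return a list of findings (strings) for one interface; empty means OK."""
    findings = []
    mode = None
    nonegotiate = False
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line.split()[2]  # access | trunk | dynamic
        elif line == "switchport nonegotiate":
            nonegotiate = True
    if mode is None or mode == "dynamic":
        findings.append(
            "no fixed switchport mode: dynamic mode will negotiate a trunk "
            "if the peer asks")
    if mode == "trunk" and name not in uplinks:
        findings.append(
            "trunk mode on a host-facing port: the host can tag into any "
            "allowed VLAN")
    if not nonegotiate:
        findings.append("DTP not disabled (missing 'switchport nonegotiate')")
    return findings


def audit_config(config, uplinks=frozenset()):
    """Return {interface_name: findings} for every interface in the config."""
    return {name: audit_interface(name, lines, uplinks)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG, UPLINKS).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{name}: {status}")
        for f in findings:
            print(f"    - {f}")
```

Run it against a saved `show running-config` instead of `SAMPLE_CONFIG` and populate the uplink set from your inventory; any host-facing port that comes back with findings is a candidate for the three-line access-port template given above.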
05-22-2023 11:56 AM
That's the method I would typically use, but we have PCs that move around a lot and we're looking for a less manual method - something we could do once and would work no matter where the PC is moved (even another physical site using the same VLANs).
05-22-2023 12:12 PM
@Red Taco I would say there would be a huge administrative overhead manually configuring the PCs to trunk VLANs. As I previously mentioned you could use a dynamic solution such as ISE to authenticate, track the user/IP and assign a VLAN. Or depending on the size of your network, perhaps consider SDA fabric.
05-22-2023 12:18 PM
You are correct, Cisco highly recommends not assigning trunk to an access port, and disabling DTP.
Let him try; hope he will not come under attack and lose SW connectivity.
Thanks
MHM
05-22-2023 11:49 AM
Hi
First you need to make sure your PCs support tagging; not all do. But the proper way to put PCs in their VLANs is by using the access mode. I don't think it is dangerous to have all ports in trunk mode, but it is not necessary.
The standard is that trunks connect switches and routers, and access ports connect PCs and servers.
05-22-2023 11:50 AM
https://www.ciscopress.com/articles/article.asp?p=1681033&seqNum=3
This is a security issue and it can lead to a VLAN hopping attack.
05-22-2023 11:51 AM
That's the method I would typically use, but we have PCs that move around a lot and we're looking for a less manual method - something we could do once and would work no matter where the PC is moved (even another physical site using the same VLANs).
05-22-2023 11:55 AM - edited 05-22-2023 12:29 PM
check below
05-22-2023 11:57 AM
There is an OLD tech called dynamic VLAN membership; check it.
Otherwise you need dot1x.
05-22-2023 11:56 AM
Then you should consider wifi.
But the question I have is, do those PCs support tagging? I don't think this is a very common feature on PCs.
05-22-2023 11:58 AM
We're in the process of checking NIC drivers for VLAN tagging features but I wanted to check for security concerns before we get too far down that path.
05-22-2023 12:13 PM
Thanks, I do think that's the best solution.