1012 Views, 7 Helpful, 13 Replies

Switchport Trunk Security Concerns

Red Taco (Level 1)

We are discussing the best way to place PCs onto their desired VLAN. It has been offered that we make all switchports trunks and do VLAN tagging from the PC NICs. How dangerous is this from the perspective that all switchports would be trunks?

1 Accepted Solution

Accepted Solutions

Right.

I don't see, from the security perspective, a difference between access and trunk. But it sounds a bit weird to me, and you have better solutions available out there. For example, if you deploy a RADIUS server you would have a feature able to identify the PC and assign the proper VLAN no matter where the device is connected. And with that, you could also benefit from features like dynamic ACL, port control, MAB, etc.

13 Replies

@Red Taco that's a lot of effort to configure the PCs' NICs to tag a VLAN. The standard way is to explicitly configure the switchport connected to the PC as an access port and disable DTP, to ensure the PC does not attempt to negotiate a trunk automatically.

switchport mode access
switchport access vlan X
switchport nonegotiate

If you want to dynamically assign VLANs then you can assign the computer to the VLAN from a RADIUS server if using 802.1X.
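To show what the recommended port hardening looks like when checked across a whole configuration rather than one interface, here is an added audit script (not code from the thread or from Cisco). It parses IOS-style `interface` stanzas from a constructed sample running-config and flags ports whose trunking state is left to DTP negotiation, trunks that still send DTP, and trunks left on native VLAN 1. The config text, hostname and interface names are constructed; the IOS default of `dynamic auto` when no `switchport mode` is configured is real platform behaviour.

```python
"""Audit a Cisco IOS-style switch config for DTP / VLAN-hopping exposure.

Added example for this thread, not vendor code. Parses `interface` stanzas
and reports ports whose mode is not pinned down with the commands above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample running-config (not a real device). Gi1/0/1 follows the
# recommended access-port hardening; the other user ports show weak states.
SAMPLE_CONFIG = """\
hostname access-sw1
!
interface GigabitEthernet1/0/1
 description user PC
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description user PC
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 description user PC
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 description user PC
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
"""


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)

    @property
    def mode(self) -> str:
        """Configured switchport mode; IOS defaults to 'dynamic auto' if absent."""
        for ln in self.lines:
            m = re.match(r"switchport mode (\S+(?: \S+)?)", ln)
            if m:
                return m.group(1)
        return "dynamic auto"

    def has(self, prefix: str) -> bool:
        return any(ln.startswith(prefix) for ln in self.lines)


def parse_interfaces(config: str) -> list:
    """Split a running-config into Port objects, one per `interface` stanza."""
    ports, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Port(raw.split(None, 1)[1])
            ports.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        elif raw.strip() == "!":
            current = None
    return ports


def audit_port(port: Port) -> list:
    """Return a list of findings (empty list means the port is hardened)."""
    findings = []
    mode = port.mode
    if mode.startswith("dynamic"):
        # Either dynamic mode lets the far end negotiate a trunk via DTP.
        findings.append("DTP negotiation enabled (mode %s)" % mode)
    if mode == "trunk" and not port.has("switchport nonegotiate"):
        findings.append("trunk still sends DTP; add 'switchport nonegotiate'")
    if mode == "access" and not port.has("switchport nonegotiate"):
        findings.append("access port without 'switchport nonegotiate'")
    if mode == "trunk" and not port.has("switchport trunk native vlan"):
        findings.append("trunk on native VLAN 1; move native VLAN to an unused ID")
    return findings


def audit_config(config: str) -> dict:
    """Map each interface name to its findings."""
    return {p.name: audit_port(p) for p in parse_interfaces(config)}


if __name__ == "__main__":
    for name, issues in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run it against `show running-config` output saved to a file and every user-facing port should come back clean; anything reported as `dynamic auto` is a port where the mode was simply never set.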

That's the method I would typically use, but we have PCs that move around a lot and we're looking for a less manual method - something we could do once and would work no matter where the PC is moved (even another physical site using the same VLANs).

@Red Taco I would say there would be a huge administrative overhead manually configuring the PCs to trunk VLANs. As I previously mentioned, you could use a dynamic solution such as ISE to authenticate, track the user/IP and assign a VLAN. Or, depending on the size of your network, perhaps consider SDA fabric.

You are correct, Cisco highly recommends not assigning trunk mode to access ports and disabling DTP.
Let him try; hope he will not come under attack and lose switch connectivity.
Thanks

MHM

Hi

First you need to make sure your PCs support tagging; not all do. But the proper way to put PCs in their VLANs is by using access mode. I don't think it is dangerous to have all ports in trunk mode, but it is not necessary.

The standard is that trunks connect switches and routers, and access ports connect PCs and servers.

https://www.ciscopress.com/articles/article.asp?p=1681033&seqNum=3

This is a security issue, and it can lead to a VLAN hopping attack.

Red Taco (Level 1)

That's the method I would typically use, but we have PCs that move around a lot and we're looking for a less manual method - something we could do once and would work no matter where the PC is moved (even another physical site using the same VLANs).

check below

Then you should consider wifi.

But the question I have is, do those PCs support tagging? I don't think this is a very common feature on PCs.

We're in the process of checking NIC drivers for VLAN tagging features but I wanted to check for security concerns before we get too far down that path.

Right.

I don't see, from the security perspective, a difference between access and trunk. But it sounds a bit weird to me, and you have better solutions available out there. For example, if you deploy a RADIUS server you would have a feature able to identify the PC and assign the proper VLAN no matter where the device is connected. And with that, you could also benefit from features like dynamic ACL, port control, MAB, etc.
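The accepted answer's point is that the VLAN follows the device through the RADIUS reply rather than through per-port or per-NIC configuration. The added model below (not code from the thread, from Cisco or from any RADIUS server) shows the switch-side logic that makes this work and where it breaks across sites: the switch reads the RFC 3580 Tunnel attributes from the Access-Accept, resolves the VLAN by ID or by name, and can only honour it if that VLAN exists locally. The attribute numbers and enumerated values are the real IETF ones; the two site VLAN tables, the Access-Accept contents and the "reject on unknown VLAN" policy are constructed for the example and simplified relative to any particular switch.

```python
"""Simplified model of a switch applying a RADIUS dynamic VLAN assignment.

Added illustration for this thread, not vendor or RADIUS-server code.
Attribute numbers follow RFC 2868 / RFC 3580; everything else is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# RFC 2868 attribute types and RFC 3580 values used for VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed VLAN databases for two sites; site B never defined VLAN 30.
SITE_A_VLANS = {10: "USERS", 20: "PRINTERS", 30: "FINANCE"}
SITE_B_VLANS = {10: "USERS", 20: "PRINTERS"}


@dataclass
class Decision:
    authorized: bool          # port is opened for traffic
    vlan: Optional[int]       # VLAN applied, or None to keep the static VLAN
    reason: str


def resolve_vlan(attrs: dict, vlans: dict) -> Decision:
    """Apply an Access-Accept's VLAN attributes against a switch's VLAN table.

    `attrs` maps RADIUS attribute number -> value with the tunnel tag already
    stripped, i.e. what the switch sees after parsing the reply.
    """
    ttype = attrs.get(TUNNEL_TYPE)
    tmed = attrs.get(TUNNEL_MEDIUM_TYPE)
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)

    if ttype is None and tmed is None and group is None:
        # No assignment at all: authorize the port in its configured VLAN.
        return Decision(True, None, "no VLAN attributes; keep port's static VLAN")
    if ttype != TUNNEL_TYPE_VLAN or tmed != TUNNEL_MEDIUM_IEEE_802:
        # A partial or mistyped assignment is treated as a policy error.
        return Decision(False, None, "Tunnel-Type/Medium-Type are not VLAN/802")
    if group is None:
        return Decision(False, None, "Tunnel-Private-Group-ID missing")

    group = str(group)
    if group.isdigit():
        vid = int(group)
        if vid in vlans:
            return Decision(True, vid, "assigned VLAN %d by ID" % vid)
    else:
        # Names let one RADIUS policy work across sites with different IDs.
        for vid, name in vlans.items():
            if name.lower() == group.lower():
                return Decision(True, vid, "assigned VLAN %d by name %s" % (vid, name))

    # Refusing is safer than silently leaving the port in its static VLAN.
    return Decision(False, None, "VLAN %r not defined on this switch" % group)


if __name__ == "__main__":
    accept = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6, TUNNEL_PRIVATE_GROUP_ID: "30"}
    print("site A:", resolve_vlan(accept, SITE_A_VLANS))
    print("site B:", resolve_vlan(accept, SITE_B_VLANS))
```

The site B result is the practical caveat for "works no matter where the PC is moved": the RADIUS policy is portable, but each site's switches still have to carry the VLAN (or a consistently named one) before the assignment can be honoured.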

Thanks, I do think that's the best solution.
