
Lockdown Cisco SDWAN vedge/cedge service side port

My customer has several Cisco SDWAN (Viptela) sites that consist of a single vEdge/cEdge router and a single layer 2 switch. A single service side vEdge/cEdge port is connected to the switch and is in VPN1. These sites are in locations that are shared with other "sister" organizations. This has occasionally caused problems where one of the personnel from a "sister" organization unplugs the switch from the vEdge/cEdge and plugs in their own device. It's not done maliciously but as you can expect it causes problems.

What is the recommended way for a vEdge or cEdge service side port to be protected from this, such that it is disabled or, at a minimum, does not allow the foreign device to actually be able to use the port?

Thanks for any guidance.


Flavio Miranda
Advisor

Hi

The closest I can get to a solution for this is port-security. But it will not prevent anyone from taking the switch, of course. For that, you can use a locker, for example. With port-security you could stick the router MAC address on the switch uplink, and only that router would be permitted to connect on the switch uplink.

If you can lock the switch config, then no one would be able to use another port to create uplinks. The switch must have a user and password that only you control.

balaji.bandi
VIP Guru

Sticky MAC address, or put an EEM script to check the allowed MAC address and shut down the port.

BB

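As an added illustration of the switch-side approach described in the two replies above (sticky MAC on the uplink, locked-down switch config), not configuration posted by either replier, here is an IOS switch configuration that pins the uplink to the router's learned MAC address and shuts down the violating port. The interface names, VLAN number and credentials are assumed placeholders.

```cisco
! Uplink toward the vEdge/cEdge VPN1 service-side port (interface name assumed)
interface GigabitEthernet1/0/1
 description Uplink to vEdge/cEdge service port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! The first MAC seen on the uplink (the router's) is learned and written into the
! running-config; save it so it survives a reload:  copy running-config startup-config
!
! Unused access ports: disabled so they cannot become an alternate uplink (range assumed)
interface range GigabitEthernet1/0/20 - 24
 shutdown
!
! Let the uplink recover on its own once the foreign device is removed (5 minutes)
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Local credentials only the network team holds (placeholder secret)
username netadmin privilege 15 secret <REPLACE-WITH-STRONG-SECRET>
line vty 0 4
 login local
!
! Verification:
!   show port-security interface GigabitEthernet1/0/1   (learned MAC, violation count, state)
!   show interfaces status err-disabled                  (ports shut by a violation)
```

As the original poster notes further down the thread, this only guards the switch uplink: it cannot stop someone from unplugging the switch and cabling a foreign device directly into the vEdge/cEdge service port.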

I don't think either of these responses would work for our problem. We need to lock down the port on the vEdge/cEdge router, not the port on the switch. Also, it looks like SDWAN port security is not supported in the vEdge routers or the ISR1100 cEdge routers.

Please correct me if I'm wrong.

Flavio Miranda
Advisor

Actually, you did not understand. If you configure port-security on the switch side and stick the router MAC address, they cannot connect another router there. I did not suggest port-security on the router side.

But this is not a perfect solution, I know.

Understood Flavio, but your solution would not preclude someone from connecting another switch to the router port. That is the concern.


Agreed Flavio, but it seems SDWAN port security is not supported for vEdge devices or ISR1100 devices, which are the routers my customer uses.

Flavio Miranda
Advisor

Yes, it doesn't. Then you can't do much.
