Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
917
Views
0
Helpful
8
Replies

Lockdown Cisco SDWAN vedge/cedge service side port

PatrickCavell85782
Level 1
Level 1

‎04-28-2022 03:14 PM

My customer has several Cisco SDWAN (Viptela) sites that consist of a single vEdge/cEdge router and a single layer 2 switch. A single service side vEdge/cEdge port is connected to the switch and is in VPN1. These sites are in locations that are shared with other "sister" organizations. This has occasionally caused problems where one of the personnel from a "sister" organization unplugs the switch from the vEdge/cEdge and plugs in their own device. It's not done maliciously but as you can expect it causes problems.

 

What is the recommended way for a vEdge or cEdge service side port to protected from this such that it is disabled or at a minimum does not allow the foreign device to actually be able to use the port?

 

Thanks for any guidance.

 

 

Labels:
0 Helpful
8 Replies 8

Flavio Miranda
VIP
VIP

‎04-28-2022 03:48 PM - edited ‎04-28-2022 03:49 PM

Hi

 The closest I can get from a solution for this is port-security.  But, it will not presend anyone from take the switch, of course. For that, you can use a locker, for example With port-security you could stick the router mac address ont the switch uplink and only that router would be permited to connect on the switch uplink.

 If you can lock the switch config, then, no one would be able to use another port to create uplinks.   Switch must have a user and password that only you have control.

 

 

 

 

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎04-28-2022 04:21 PM

sticky mac address or put eem script to check allowed MAC address and shutdown the port.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

PatrickCavell85782
Level 1
Level 1

‎05-02-2022 11:10 AM

I don't think either of these responses would work for our problem. We need to lock down the port on the vEdge/cEdge router, not the port on the switch. Also, it looks like SDWAN port security is not supported in the vEdge routers or the ISR1100 cEdge routers.

 

Please correct me if I'm wrong.

0 Helpful

Flavio Miranda
VIP
VIP

‎05-02-2022 11:24 AM

Actually, you did not understand. If you configure port-security on the switch side and stick the router mac address, they can not connect another router there. I did not suggest port-security on the router side.

But, this is not a perfect solution I know. 

0 Helpful

PatrickCavell85782
Level 1
Level 1

‎05-02-2022 11:29 AM

Understood Flavio, but your solution would not preclude someone from connecting another switch to the router port. That is the concern.

0 Helpful

PatrickCavell85782
Level 1
Level 1

‎05-02-2022 11:53 AM

Agreed Flavio, but it seems SDWAN port security is not supported for vEdge devices or ISR1100 devices, which are the routers my customer uses.

0 Helpful

Flavio Miranda
VIP
VIP

‎05-02-2022 12:02 PM

Yes, it doesn´t.  Then, you can´t do much. 

0 Helpful
Customers Also Viewed These Support Documents