Re: Secure trunk link Between Two Switches ( 2960 )

Davidesser · ‎07-15-2018

Hi all
We have problem about secure connection between two switch’s( 2960 24 pcl - pdl - psl) on trunk port .
For example, We have network with 50 switchs and 700 clinets.
The number of client is not fix , it is maybe inclease or discrease
In switch’s that are in access layer , Port security is actived for all of the ports ( exept trunk ports)
So it is a big problam on our networks’ secure.
If a person that is Aggressor , disconnet the trunk port and connect herself switch ( phisical). He can easily penetrate the our network and we can not doing confronting with this action .
switch work true when our switch connect to a specific switch ( according to our network switch map), otherwise trunk port of switch not work and blocked.
So How can we secure the connection between the switches?

Julio E. Moisa · ‎07-15-2018

Hi

I think there is no an adequate solution for this model, Usually the network devices are located into safe areas (data center, lan rooms, locked gabinets, etc) with cameras and any kind of security.

Now you could have alternative ways like: configure properly the logging to send emails once an action like that occurs, other way is generate an EEM script (if it is supported on your device) to shutdown the interface when the interface is disconnect and generate a messge.

Hope it is useful

:-)

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Georg Pauwen · ‎07-15-2018

Hello,

do you have a VTP domain and password configured on all your switches ? This should usually be sufficient to prevent unauthorized switches to be added to your network...

Davidesser · ‎07-15-2018

Thank you,

yes we have VTP Domain.

Georg Pauwen · ‎07-15-2018

So without knowing the VTP domain name and (hopefully you have that configured) the VTP password, there is no way a new switch can be added...

Deepak Kumar · ‎07-15-2018

Hi,

At some place, I agree with you but it is not necessary that If your one switch is using VTP then you can't communicate to the non-vtp device.

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Davidesser · ‎07-15-2018

For new switch / router your idea is perfect.

How about when Aggressor person connected to the network with PC?

Julio E. Moisa · ‎07-15-2018

An option is switchport security or 802.1x

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_011.pdf

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Deepak Kumar · ‎07-15-2018

Hi,

As mentioned by all persons, Normally all devices will in the secure access but if you are worried about then you can move to Cisco TrustSec switch to switch link security.

For more information:

https://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html

http://www.virtualpackets.com/cisco-trustsec-switch-to-switch-link-security-manual-mode/

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Julio E. Moisa · ‎07-15-2018

Hi

Trustsec can work perfectly but ACS or ISE is required as I remember. Or if it is supported on that specific on that model.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<