07-15-2018 04:27 AM - edited 03-08-2019 03:40 PM
Hi all
We have a problem with securing the connection between two switches (2960 24 PCL - PDL - PSL) on the trunk port.
For example, we have a network with 50 switches and 700 clients.
The number of clients is not fixed; it may increase or decrease.
On the switches in the access layer, port security is activated on all of the ports (except trunk ports).
So it is a big problem for our network's security.
If an aggressor disconnects the trunk port and physically connects their own switch, they can easily penetrate our network and we cannot do anything to confront this action.
The switch should work only when it is connected to a specific switch (according to our network switch map); otherwise the trunk port of the switch should not work and should be blocked.
So how can we secure the connection between the switches?
07-15-2018 05:08 AM - edited 07-15-2018 06:05 AM
Hi
I think there is no adequate solution for this model. Usually the network devices are located in safe areas (data center, LAN rooms, locked cabinets, etc.) with cameras and every kind of security.
Now you could have alternative ways, like: configure logging properly to send emails once an action like that occurs; another way is to generate an EEM script (if it is supported on your device) to shut down the interface when the interface is disconnected and generate a message.
Hope it is useful
:-)
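As an added example (not from the original reply), an IOS configuration for the logging and EEM approach described above: syslog export to a collector, plus an EEM applet that shuts the uplink the moment its link state goes down and raises both a syslog message and an e-mail. The interface name GigabitEthernet0/1, the syslog host 10.0.0.5, the mail server and the addresses are assumptions; whether the EEM applet is available on a given 2960 depends on its image, as the reply notes.

```cisco
! Added example, not from the original reply. The interface, syslog host,
! mail server and addresses are placeholders (assumptions).
service timestamps log datetime msec
logging buffered 64000 informational
! assumed syslog collector
logging host 10.0.0.5
logging trap informational

! Shut the uplink as soon as its link goes down. A legitimate re-seat then
! needs a manual "no shutdown" from the console or another path, so the
! event cannot pass unnoticed. The pattern is a regex over the syslog text.
event manager applet TRUNK-GI0-1-DOWN
 event syslog pattern "LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface GigabitEthernet0/1"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog priority alerts msg "Trunk Gi0/1 lost link and was shut down; verify physically before re-enabling"
 action 7.0 mail server "10.0.0.25" to "noc@example.com" from "sw-access-01@example.com" subject "Trunk Gi0/1 down" body "Uplink Gi0/1 lost link and was shut down by EEM"
```

One applet per uplink is needed, or a wider regex in the `event syslog pattern` line to cover several interfaces. The trade-off is deliberate: a cable fault or a maintenance unplug turns into an outage that needs hands-on reset, which is what makes an attacker's swap of the cable visible. Verify the applet is registered with `show event manager policy registered` and check the log with `show logging`.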
07-15-2018 05:12 AM
Hello,
Do you have a VTP domain and password configured on all your switches? This should usually be sufficient to prevent unauthorized switches from being added to your network...
07-15-2018 05:27 AM
Thank you,
yes we have VTP Domain.
07-15-2018 05:31 AM
So without knowing the VTP domain name and (hopefully you have that configured) the VTP password, there is no way a new switch can be added...
07-15-2018 05:33 AM
Hi,
To some extent I agree with you, but it is not necessarily the case that if one of your switches is using VTP then it can't communicate with a non-VTP device.
Regards,
Deepak Kumar
07-15-2018 05:46 AM
For a new switch / router your idea is perfect.
What about when an aggressor connects to the network with a PC?
07-15-2018 05:47 AM - edited 07-15-2018 05:49 AM
An option is switchport port security or 802.1X.
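As an added example (not from the original reply), an IOS 15.x configuration for 802.1X on the access ports so that a PC only gets network access after a RADIUS server accepts it. The RADIUS server name and address, the shared secret, the VLAN and the port range are assumptions; any RADIUS server that supports EAP will do, including ISE or ACS.

```cisco
! Added example, not from the original reply. RADIUS server address, shared
! secret, VLAN and port range are placeholders (assumptions).
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server RADIUS-01
 address ipv4 10.0.0.20 auth-port 1812 acct-port 1813
 key CHANGE-ME-shared-secret
! Enable 802.1X globally; per-port settings below have no effect without it.
dot1x system-auth-control

interface range GigabitEthernet0/1 - 22
 switchport mode access
 switchport access vlan 10
 ! The port stays unauthorized until the supplicant passes RADIUS authentication.
 authentication port-control auto
 ! One authenticated host per port; a second MAC is dropped and logged
 ! instead of shutting the port.
 authentication host-mode single-host
 authentication violation restrict
 dot1x pae authenticator
 spanning-tree portfast
```

The existing port security on these ports can stay in place as a second layer. Check a port with `show authentication sessions interface GigabitEthernet0/1` and the global state with `show dot1x all summary`. This covers access ports only; it does not change what happens on the trunk port that the original question is about.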
07-15-2018 05:23 AM
Hi,
As mentioned by everyone, normally all devices are in a secure access area, but if you are worried about it then you can move to Cisco TrustSec switch-to-switch link security.
For more information:
http://www.virtualpackets.com/cisco-trustsec-switch-to-switch-link-security-manual-mode/
Regards,
Deepak Kumar
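As an added example (not from the original reply or the linked article), an IOS configuration for TrustSec switch-to-switch link security in manual mode, the variant the linked article covers: SAP with a static pairwise master key that is configured on both ends of the link, and the link stays down if the peer cannot present the same key. The interface name, the peer description and the PMK value are assumptions, and whether `cts manual` is available on a given model has to be checked against that platform's documentation.

```cisco
! Added example, not from the original reply. Interface and PMK are
! placeholders (assumptions); the identical PMK goes on the peer's uplink.
interface GigabitEthernet1/0/49
 description Uplink to DIST-01 Gi1/0/1
 switchport mode trunk
 cts manual
  ! SAP with a static pairwise master key. The mode list is tried in order;
  ! with only gcm-encrypt listed there is no cleartext fallback, so a
  ! rogue switch without the key never brings the trunk up.
  sap pmk 1234abcdef0123456789abcdef012345 mode-list gcm-encrypt
  ! Do not carry security group tags; the peer only needs to match the key.
  no propagate sgt
```

Verify with `show cts interface GigabitEthernet1/0/49` (SAP state and negotiated mode) and `show cts interface summary`. Adding `null` to the mode list would let the link come up unencrypted against a peer that does not speak SAP, which removes exactly the protection the original question asks for.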
07-15-2018 05:42 AM - edited 07-15-2018 05:46 AM
Hi
TrustSec can work perfectly, but ACS or ISE is required as I remember. And only if it is supported on that specific model.