10-25-2024 07:56 AM
Connected to our switches we have a number of access points that, for various reasons, are not always in secure locations.
In theory this means someone could disconnect the AP and connect a laptop to the trunk port.
I’ve tested this and, using Wireshark, I can see broadcast traffic across the trunk, detect VLAN tags, and drop myself into each VLAN via a sub-interface. If I had a network tap, then potentially I could do even more sitting between a busy AP and a switch.
Does anyone know a way to prevent this kind of behaviour?
I’ve thought about using 802.1X / MAC address authentication, but first of all I'm not certain this is supported on trunk ports, and even if it is, while this could lock down the switchport to the AP’s MAC address only, I believe it would also block guest MAC addresses traversing the AP & SSID.
I can of course prune the VLANs available on the trunk – therefore limiting the exposure – but it doesn't prevent the issue entirely, as it still leaves some exposure to the VLANs that are present.
I know that some other vendors (Meraki) have some bespoke 'smart' features that enable different behaviour depending on what is connected to the port. For example logic can be applied where if it detects an Access Point, then apply trunk config, if not then apply dummy access vlan only (or similar).
However, I can't think of a way to lock this down via "conventional" methods.
Can anyone help?
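As an added illustration of the pruning point raised in the question above (example code written for this page, not code from the thread or from Cisco): a small Python audit that parses an IOS-style running-config and flags trunk ports that carry every VLAN, still run DTP, or leave the native VLAN at 1. The sample running-config is constructed, and the three checks are an assumed hardening baseline rather than anything stated in the thread.

```python
"""Audit IOS-style trunk stanzas for the exposure described in the question:
a trunk that hands every VLAN to a physically exposed AP port.

Constructed example. SAMPLE_CONFIG is invented, and the three checks
(pruning, DTP, native VLAN) are an assumed baseline, not a vendor ruleset."""
from __future__ import annotations

# Constructed sample running-config (not taken from a real switch).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
interface GigabitEthernet1/0/1
 description AP in ceiling, corridor B
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30-32
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description AP in reception
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 switchport mode dynamic desirable
!
"""

ALLOWED_PREFIX = "switchport trunk allowed vlan "


def expand_vlan_list(spec: str) -> list[int]:
    """Expand an IOS VLAN list such as '10,20,30-32' into [10, 20, 30, 31, 32]."""
    vlans: list[int] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.extend(range(lo, hi + 1))
        else:
            vlans.append(int(part))
    return vlans


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Group indented lines under their 'interface ...' stanza.

    A stanza ends at a bare '!' or any other non-indented command."""
    interfaces: dict[str, list[str]] = {}
    current: str | None = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def audit_interface(lines: list[str]) -> dict:
    """Return {'vlans': carried VLAN ids (None = all), 'findings': [...]}."""
    findings: list[str] = []
    mode = None
    allowed: str | None = None
    nonegotiate = False
    native: int | None = None

    for line in lines:
        if line.startswith("switchport mode "):
            mode = line.split()[2]          # trunk | access | dynamic
        elif line.startswith(ALLOWED_PREFIX):
            value = line[len(ALLOWED_PREFIX):].strip()
            if value.startswith("add "):    # long lists wrap onto 'add' lines
                allowed = f"{allowed},{value[4:]}" if allowed else value[4:]
            else:
                allowed = value
        elif line == "switchport nonegotiate":
            nonegotiate = True
        elif line.startswith("switchport trunk native vlan "):
            native = int(line.split()[-1])

    if mode == "dynamic":
        findings.append("DTP negotiation enabled; a host speaking DTP can "
                        "negotiate the port into a trunk")
    if mode != "trunk":
        return {"vlans": [], "findings": findings}   # trunk-only checks below

    if allowed is None or allowed == "all":
        vlans = None
        findings.append("trunk carries every VLAN; prune with "
                        "'switchport trunk allowed vlan <list>'")
    elif allowed == "none":
        vlans = []
    else:
        vlans = expand_vlan_list(allowed)
    if not nonegotiate:
        findings.append("DTP still running on a static trunk; "
                        "add 'switchport nonegotiate'")
    if native is None or native == 1:
        findings.append("native VLAN is 1 (default); move untagged frames "
                        "to an unused VLAN")
    return {"vlans": vlans, "findings": findings}


def audit_config(config: str) -> dict[str, dict]:
    """Audit every interface stanza in a running-config."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, result in audit_config(SAMPLE_CONFIG).items():
        for finding in result["findings"]:
            print(f"{name}: {finding}")
```

Run against the constructed config, the pruned and hardened AP port (Gi1/0/1) comes back clean, the bare `switchport mode trunk` port (Gi1/0/2) gets three findings, and the `dynamic desirable` port is flagged because a connected laptop could negotiate it into a trunk. Pruning shrinks the blast radius of an unplugged AP but, as the question notes, the VLANs that remain on the trunk are still reachable; that is why the replies below move the discussion to 802.1X and MACsec.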
10-25-2024 08:00 AM
In my opinion you are not talking about securing a trunk port, but about NAC (network access control). Why go so far? Anyone can connect a cable to a patched outlet and try doing stuff. Therefore there is ISE, with authorization schemes for network equipment.
M.
10-25-2024 08:20 AM
I recommend this material.
https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456
10-25-2024 09:30 AM
IEEE 802.1X, with or without MACsec, can mitigate against rogue hardware being attached to a network. You might consider it if both your APs and agg switches support it on their interconnecting trunks, particularly with the use of certificates as an interactive username/password login from the AP would be unworkable.
10-29-2024 03:52 AM
Ok thanks for the replies.
In some cases we have older hardware so ISE is not an option.
I'll look again at 802.1x
Of course I can secure the SSID with this
But my understanding was it's not supported on the trunk port itself, therefore someone could still connect a cable and traverse the VLANs
10-29-2024 04:02 AM
As you mentioned above, trunk does not support 802.1x.
ISE is not the only solution. There are alternatives on the market you can explore.
There is no easy solution for this problem; I dealt with it in the past working for a bank. Fortunately they had ISE, and later on they deployed SDA, which allows for micro-segmentation, but those are all very expensive solutions.
10-29-2024 01:15 PM
My understanding is that some IOS releases & platforms will support switch-to-switch MACsec, which would be over .1Q trunks with EAPOL for authentication. If your AP and upstream switch can support this, then seems like this could mitigate against rogue hardware insertion.