Security between Switches

Henri de Necker
Level 1

Hi there

Is there any type of security that I can implement between switches using port security or maybe something else? I want to use this the same way as port security for end devices, because we have a lot of switches that are outstations and there are a lot of technicians working in these outstations, and I'm worried that they may plug another switch into the uplink port and access my network.


Regards

Henri

10 Replies

Latchum Naidu
VIP Alumni

Hi Henri,

I would suggest you first of all shut down all the free (unused) ports.

And apply "switchport mode access" on all the access switch ports.

It defines whether the port is an access port (end host) or a trunk port; use the switchport mode access command to make the port an access port.

And also you can configure port security, which will be bound to a MAC address so that another device cannot be connected in any way.

Hope the above will help you...

Please rate the helpful posts.
Regards,
Naidu.

Making the port a trunk port will work in some way, and that I did do.

What I don't understand is the port security using the MAC addresses of both switches. Will the switch know that it is connected to another switch or not?

My understanding is that the source and destination MAC addresses in the packets will stay the same, and the port will be blocked by either switch if data packets from nodes travel between the switches?

Hi,

I believe the switch port remembers the bound MAC address as long as port security is enabled.

I would suggest you take the uplink port MAC address and bind it to the port, and do the same on both uplinks, so that any other MAC learned on the port will be blocked or shut down based on what you define.

Hope the above clears it up for you.

Please rate the helpful posts.
Regards,
Naidu.
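The steps Naidu describes (shut unused ports, force access mode, bind the peer's MAC with port security) written out as a Cisco IOS configuration. This is an added example, not configuration from anyone in the thread; interface names, VLANs, the peer MAC and the SNMP host are constructed placeholders. Because port security counts every source MAC arriving on a port, the uplink's maximum must also cover the hosts behind the peer switch, which addresses the concern Henri raises above; and as noted later in the thread, a MAC address is easily changed, so this is a tripwire that reports a swapped device rather than authentication of the peer.

```text
! Added example (not from the thread): Cisco IOS port security for an
! outstation switch. Interface names, VLANs, the peer MAC and the SNMP
! host are constructed placeholders.
!
! 1. Shut down every unused port so nothing can be plugged in unnoticed.
interface range GigabitEthernet1/0/10 - 24
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 2. Access ports for end devices: access mode, one MAC learned and kept
!    ("sticky"), err-disable on violation, and BPDU guard so a switch
!    plugged into an end-device port is shut down immediately.
interface range GigabitEthernet1/0/1 - 9
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! 3. Uplink to the peer switch: bind the peer's MAC statically. Port
!    security counts every source MAC seen on the port, so "maximum"
!    must also cover the hosts behind the peer (8 here, constructed),
!    otherwise their frames would trigger a violation. "restrict" drops
!    offending frames and sends a trap but keeps the link up; "shutdown"
!    also cuts your own traffic, so use it only with out-of-band access.
interface GigabitEthernet1/0/25
 description UPLINK to outstation switch
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 8
 switchport port-security mac-address 0000.0c12.3456
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! 4. Report violations to the SCADA/NMS host and auto-recover
!    err-disabled ports after 10 minutes.
snmp-server enable traps port-security
snmp-server host 192.0.2.10 version 2c SCADA-RO port-security
errdisable recovery cause psecure-violation
errdisable recovery interval 600
```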

Ok thanks

Just to be clear, I have to enable switchport on the uplink port combined with port security using the MAC of the other switch. And if I don't enable switchport on the uplink port, the port security will block the port because the transferred packets will have the wrong MAC address in them, and the switch they are being transferred to will shut down that uplink port?

Yes,

See the below link for more specific info about port security and how to configure.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/port_sec.pdf

Please rate all the helpful posts.

Regards,

Naidu.

Hi Henri

If I do not understand you wrong, you are thinking of a scenario where someone pulls the uplink from your switch on site, connects their own equipment, and then connects your switch to their equipment, thus gaining access to your uplink.

There are ways to do switch-to-switch encryption to solve this type of issue, but this is quite new technology. I would hope it will catch on and that in a couple of years we will all use it for any new installations.

Of course there are some drawbacks, and since it's an emerging technology there will be some teething troubles in the beginning while it matures.

Take a look at 802.1AE.

Will this work for you?

Well, first of all it all depends on what type of switches you have.

It also depends on what type of connection you have between the switches.

So let us know what type of switches you have and whether it is an L1 or an L2/L3 connection.

Then you can do some nice stuff with comparing the MAC addresses that you have on the different switches; if any one of them is on both uplinks, then it might be worth checking out.

When it comes to securing the switchports for use with PCs and servers, you can have a look at 802.1X or Cisco NAC.

That will give you some help with that.

But remember a MAC address is just a MAC address, and you can change that just as well as you can change the IP address and so on.

Good luck

HTH

Yes, that is exactly what I am talking about: gaining access to a network by pulling out a switch and connecting my uplink port to another switch.

We are using Cisco 4924 10GE switches combined with Hirschmann 4124 PowerMice switches. Both are L2 devices. The Ciscos are being used as the backbone at this stage, and the Hirschmanns are uplinks to remote camera sites next to a highway.

The best I can do with the security at this moment is to send "traps" to a SCADA server when another switch connects to an uplink of a switch, but it's not a secure way of doing this.

Thanks for the help

Ok

Well, as long as the link is L1, 802.1AE would solve that for you, since that's one of the big things it is used for.

Though it would most likely require new/other switches.

Since we are talking about physical access, there are some things you can do if you need to secure the switch at the other end.

One thing could be a link that collapses the link all the way to your endpoint if someone pulls out the cable.

This will be recognised at the switch at your end, and that will send an alarm.

This is not a defense that makes it impossible to swap the link unit, but it will give you a heads up that it does exist, or that something has happened.

If you make the switch on the far end not bring up the interface (administratively shut down due to loss of link), then this will stop the person doing it from gaining information, but it will also shut down all the traffic for your link, so make sure you have a way in to the switch that you can use even if the normal link is down.

So what is the result you want: at all costs stop anyone listening in? Or to know that you need to check the connection to that switch?

So you've got to ask yourself what the appropriate action is for you.

Good luck

HTH

None of the options are really feasible, but at least there is some indication of an intrusion. I just don't know why Cisco has the function to shut down a port if you can just use your own switch to link up to the network by pulling the cables and plugging them into yours.

It seems that the 802.1AE protocol will work, and I will look into it.

Does Cisco support 802.1AE or not yet?

Cisco supports 802.1AE on:

Nexus 7000

3750x (not fully)

3560x (not fully)

And I think there are some new switches coming out just about now that also support it.

My guess is that all/most of the new switches coming out from Cisco will support 802.1AE.

However, that said, the 3750x cannot yet connect to each other using 802.1AE; we are hoping the version being released this month will fix that.

Good luck

HTH