How to secure uplink ports
Michael_Kirchne
Contributor
Dear community,

I have a current challenge in securing the uplinks. My D2 is connected to an uplink on a B5. The B5 port is configured with an untagged VLAN. An attacker may disconnect the D2 and get full network access because no policy is enforced (policies are enforced on the D2).

I have NAC implemented in the network, but not on the Uplink ports.

Is there a possibility to recognize the D2? And if no ETS switch is recognized, block the port?

From the NAC perspective I don't see any chance to solve this problem.

#########################
# Uplink| x#-----
# B5 |x# |
######################### |
|
|
|
#############
#x| #
#x| D2 #
#############

Hope you can help me out.

Best Regards,
Michael

4 REPLIES

James_A
Valued Contributor
You could perhaps mark all traffic with a particular CoS, and then drop all traffic on the B5 port that doesn't match that CoS. Again, the attacker could circumvent this if they knew about it.

The B5 only supports 4 users per port, so you couldn't just do authentication on this, given the D2 has 12 ports. You almost want an 802.1x supplicant on the switch talking on the uplink port, but I don't think anything like that exists.

Michael_Kirchne
Contributor
Hi and thanks for the real quick reply.

@Jason: That was my first action item, too. But tagging the packets is no big deal.

@Scott: I mean it could be possible to detect an ETS switch and force the uplink port to allow only an (ETS) switch and no other client. Even if this would be no "real" authentication, it would be harder to spoof than tagging packets.

The best would be to realize point-to-point authentication. Could IEEE 802.1AE help out here? Are there any plans to implement p2p authentication?

Best Regards,
Michael

Jason_Parker
Contributor
Please set up tagging for all VLANs and this will prevent a PC (unless it has a tagged NIC) from connecting.
Jason
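The two mitigations suggested in this thread, dropping frames that arrive untagged on the uplink (Jason's reply) and dropping frames whose CoS value does not match an agreed marking (James's reply), are both simple per-frame checks. The following is an added example, not code from this thread or from any Extreme Networks product, that parses the 802.1Q header of a raw Ethernet frame and applies both checks as an uplink policy. Frame bytes, VLAN IDs, MAC addresses and the expected CoS value are all constructed for the example.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100   # single 802.1Q tag
ETHERTYPE_8021AD = 0x88A8  # QinQ outer tag, treated the same here


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]   # None when the frame arrived untagged
    pcp: Optional[int]    # 802.1p priority (CoS), None when untagged
    ethertype: int        # inner EtherType after any tag


def parse_ethernet(raw: bytes) -> Frame:
    """Parse the Ethernet header and, if present, one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, vlan=tci & 0x0FFF, pcp=tci >> 13, ethertype=inner)
    return Frame(dst, src, vlan=None, pcp=None, ethertype=ethertype)


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800,
                vlan: Optional[int] = None, pcp: int = 0,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a raw frame, tagged when a VLAN is given (sample input only)."""
    hdr = dst + src
    if vlan is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return hdr + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


@dataclass
class UplinkPolicy:
    """Per-frame checks for a switch-to-switch port (assumed policy shape)."""
    allowed_vlans: frozenset
    required_pcp: Optional[int] = None  # CoS marking to require; None disables

    def decide(self, frame: Frame) -> Tuple[bool, str]:
        # Jason's suggestion: only tagged frames belong on an all-tagged uplink.
        if frame.vlan is None:
            return False, "untagged frame on uplink"
        if frame.vlan not in self.allowed_vlans:
            return False, f"vlan {frame.vlan} not permitted on uplink"
        # James's suggestion: require the agreed CoS marking on every frame.
        if self.required_pcp is not None and frame.pcp != self.required_pcp:
            return False, f"cos {frame.pcp} does not match expected {self.required_pcp}"
        return True, "accepted"


def audit_uplink(raw_frames: List[bytes], policy: UplinkPolicy) -> Dict[str, int]:
    """Count rejection reasons over a capture; non-zero counts are worth alerting on."""
    return dict(Counter(policy.decide(parse_ethernet(f))[1]
                        for f in raw_frames
                        if not policy.decide(parse_ethernet(f))[0]))


if __name__ == "__main__":
    # Constructed sample traffic on the B5-side uplink port.
    d2 = b"\x00\x11\x22\x33\x44\x55"     # hypothetical D2 MAC
    pc = b"\x00\xaa\xbb\xcc\xdd\xee"     # hypothetical directly attached PC
    bcast = b"\xff" * 6
    policy = UplinkPolicy(allowed_vlans=frozenset({10, 20}), required_pcp=5)
    capture = [
        build_frame(bcast, d2, vlan=10, pcp=5),   # legitimate trunk traffic
        build_frame(bcast, pc),                   # untagged: PC plugged into uplink
        build_frame(bcast, pc, vlan=30, pcp=5),   # VLAN not carried on this trunk
        build_frame(bcast, pc, vlan=20, pcp=0),   # right VLAN, wrong CoS marking
    ]
    for reason, count in audit_uplink(capture, policy).items():
        print(f"{count} frame(s) rejected: {reason}")
```

As the thread itself notes, both checks are tripwires rather than authentication: a host with a VLAN-aware NIC can emit frames that pass them. The value is in the rejection counters, which turn an unexpected device on the uplink into something a NOC sees, while 802.1AE (MACsec) is the standard that actually gives the point-to-point authentication Michael asks for.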

Scott_Keene
New Contributor
Hi Michael,
General uplink ports will not have policies or authentication enabled since the ports are not access ports.

Can you describe in more detail what you mean by “Is there a possibility to recognize the D2? And if no ETS Switch is recognized block the port?”

Scott Keene

GTAC Support