Extreme Networks

Michael_Kirchne · ‎02-25-2014

Dear community,

I have a current challange in securing the uplinks. My D2 is connected to a Uplink B5. The B5 port is configured with a untagged vlan. An attacker may disconnect the D2 and gets full network access because no policy is enforced (Policies are enforced on the D2).

I have NAC implemented in the network, but not on the Uplink ports.

Is there a possibility to recognize the D2? And if no ETS Switch is recognized block the port?

From the NAC perspective I don't see any chance to solve this problem.

#########################
# Uplink| x#-----
# B5 |x# |
######################### |
|
|
|
#############
#x| #
#x| D2 #
#############

Hope you can help me out.

Best Regards,
Michael

Michael_Kirchne · ‎02-26-2014

Hi and thanks for the real quick reply.

@Jason: That was my first Action Item, too. But tagging the packets is no big deal.

@Scott: I mean it could be possible to detect a ETS Switch and force the uplink port to allow only a (ETS) switch and no other client. Even if this would be no "real" authentication it would be harder to spoof than tagging packets.

The best would be to realize point-to-point Authentication. Could IEEE 802.AE help here out? Are there any plans for implement p2p Authentication?

Best Regards,
Michael

Jason_Parker · ‎02-25-2014

Please set up tagging for all VLAN's and this will prevent a PC(unless they have a tagged NIC) from connecting
Jason

Scott_Keene · ‎02-25-2014

Hi Michael,

General uplink ports will not have policies or authentication enabled since the ports are not access ports.

Can you describe in more detail what you mean by “Is there a possibility to recognize the D2? And if no ETS Switch is recognized block the port?”

Scott Keene

GTAC Support

Extreme Networks

How to secure uplink ports

How to secure uplink ports