Confusion on port-security for ports on a Cisco Switch

JockVSJock Member Posts: 1,118
So I'm reading through and taking notes on Odom's Chp 9 and I'm still not clear why you would want to do the following security precautions for unused ports on a Cisco switch.
Put unused port in switchport mode access Vs switchport mode trunk

I know that trunking is between devices like switch to switch and switch to router. Does trunking allow for more throughput traffic? I would think that auto-negotiation would handle this. However, why would a network engineer even bother with this, especially if the port is in shut status?
Put unused port in an unused VLAN

Does VLAN 1 even count for this? I know that VLAN 1 is the default VLAN for all ports on a Cisco switch; however, in my mind the benefits of VLANs are to segment traffic, decrease broadcast/STP traffic, and increase security. I'm still honestly not clear on what VLAN 1 really does. I'm starting to read through a few more Cisco docs online to get a clearer picture.

The only security practice for a Switch port that I'm clear on is that you want to place unused ports in a shut status.
***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

"It's easier to deceive the masses than to convince the masses that they have been deceived."
-unknown

Comments

  • KPLC Member Posts: 72
    You're pretty much adding layers to your switch's security. What if you had a Jr admin go and hook up a switch to your production network and all they had to do was "no shutdown" on the port? They would have full access. But if they had to go through all of the steps of changing the switchport mode, adding it to the correct VLAN, and doing a no shut, you have a greater margin of error.
  • Forsaken_GA Member Posts: 4,024
    Trunks carry traffic for multiple VLANs. So if an unused port was in trunk mode instead of access mode, then an attacker could hook into it, negotiate a trunk, and send traffic to other VLANs. This is bad. An unused trunk port is kind of like a skeleton key into the network. If you pull the port out of trunk mode and into access mode, it can only be a member of one VLAN. Which leads to the second part of your question...

    If the network is using VLAN 1, then no, it doesn't count. Any network engineer worth their salt doesn't use VLAN 1 however, so a lot of folks do use VLAN 1 as their default blackhole VLAN (it's just easier since ports are members of it by default in access mode, so it limits the amount of configuration needed). The caveat with using VLAN 1 as your black hole VLAN is that you have to remember to change the native VLAN on your trunks, since it defaults to VLAN 1 as well.

    In order to secure the edge, unused ports should be shut down, in access mode, in an unused VLAN (I tend to enable bpdufilter as well; in case the port ever comes up by accident, I don't want it participating in spanning tree, nor do I want it to leak information about my topology by sending BPDUs).
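    The edge-port hardening described in this reply, written out as Cisco IOS configuration. This is an added example, not configuration posted in the thread; the interface numbers, VLANs 999 and 998, and the uplink port are assumptions for illustration.

    ```cisco
    ! Added example, not from the thread: unused-port hardening as Cisco IOS config.
    ! Interface numbers, VLAN 999/998 and the uplink port are assumptions.
    !
    ! BEFORE (factory default on an unused port, shown for contrast):
    !   interface GigabitEthernet0/10
    !    (no switchport commands)
    ! The defaults mean: DTP can negotiate a trunk, the port is a member of
    ! VLAN 1, the link is up, and BPDUs are sent as soon as something connects.
    !
    ! AFTER: park unused ports in an unused "black hole" VLAN and shut them down.
    vlan 999
     name BLACKHOLE_UNUSED_PORTS
    vlan 998
     name NATIVE_UNUSED
    !
    interface range GigabitEthernet0/10 - 24
     description UNUSED - parked per edge hardening policy
     ! fixed access mode: a device plugged in here cannot negotiate a trunk
     switchport mode access
     ! do not send DTP frames at all
     switchport nonegotiate
     ! member of an unused VLAN rather than VLAN 1
     switchport access vlan 999
     ! if the port ever comes up by accident, no BPDUs in or out
     spanning-tree bpdufilter enable
     ! administratively down
     shutdown
    !
    ! Trunk uplink: the native VLAN defaults to VLAN 1, so move it to an
    ! unused VLAN and only carry the VLANs that belong on this link.
    interface GigabitEthernet0/1
     description UPLINK to distribution
     ! encapsulation command only exists on platforms that offer ISL as well
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk native vlan 998
     switchport trunk allowed vlan 10,20,30
    !
    ! Verification after applying:
    !   show interfaces status | include disabled
    !   show interfaces trunk
    ```

    The parked ports should list as "disabled" in VLAN 999 in the first command's output, and the trunk should show native VLAN 998 in the second.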
  • KPLC Member Posts: 72
    What Forsaken_GA said^^^

    After reading his reply, I realized how much I really need to work on my English composition. LOL Sorry for the off topic comment.
  • Roguetadhg Member Posts: 2,489
    It's not a big deal where I am, as unused ports are unplugged. We don't have a switch port for each port in the network anyway. It's cost effective :/ and wiring is a real PIA, not to mention it looks like sh*t. :P

    Mostly what Forsaken said: Security. Layers of security.

    1. If Vlan656 is used as the parking lot, the host can't receive many of the broadcasts/multicasts that happen on the network.
    2. Shutting down the port will make it unusable.
    3. Setting all ports (besides trunks) as access only means that someone can't put in a switch and negotiate trunking.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
