So I have been playing around with Cisco IOS devices for a number of years. I have mostly done configurations on Catalyst 2960 devices a little experience with layer 3 switches.<\/p>\n
Advertisement
I have decided to study for my CCNA using online resources, as convenient as they are that are times when you have questions that cannot be answered because there is not a live person there.<\/p>\n
Advertisement
My question is regarding port security.<\/p>\n
Generally for ports in our environment that are unused we just shut them down.<\/p>\n
The instructor on the video series I am using suggests putting them into access mode and then assigning a go nowhere VLAN.<\/p>\n
I understand the potential issues with having the port in a non dedicated state (access/trunk) but with the port just shut off does that eliminate the concern without extra typing.<\/p>\n
Is this a personal preference thing or is there school of thinking behind this that I am not seeing.<\/p>\n
Thanks for your opinion and thoughts.<\/p>","upvoteCount":9,"answerCount":8,"datePublished":"2018-11-13T20:02:11.000Z","author":{"@type":"Person","name":"joelf","url":"https://community.spiceworks.com/u/joelf"},"acceptedAnswer":{"@type":"Answer","text":"
I could see the potential of leading them down a path to nowhere. Think of it this way:<\/p>\n
Physical locks were never meant to be the be-all-end-all of security devices. They’re just there to slow a perp down, hopefully, long enough to make the attempt not worth taking the time. Any thief with enough will, tools, and opportunity will always be able to crack it. Same with someone breaking into your house. Someone with a sledge hammer or a big enough battering ram combined with enough time and brute force will be able to get through it. But, if you have a man-catcher behind it, a bunch of hallways that go nowhere, doors that open on to blank walls, and trap doors in the floors that keep bringing them back to the beginning, they may actually give up, eventually.<\/p>\n
The same can be said with such open, but blank, ports. If someone wants to get in, they’ll find a way. Even if you have ports that are shut off, that only tells them where not to go. But, if you send them on a wild goose chase at every turn, they may give up before they hit the right passage way.<\/p>\n
Certainly not the best way to do it, I’ll give you that much. But, this may be one explanation why there are some who advocate for such a practice. Wouldn’t use it, myself, either. Too many things to go wrong. But, I can see the appeal of effing<\/em> with an attacker and feeding their frustration. Think of it as a kind of very passive-aggressive form of vengeance.<\/p>\n
So I have been playing around with Cisco IOS devices for a number of years. I have mostly done configurations on Catalyst 2960 devices a little experience with layer 3 switches.<\/p>\n
I have decided to study for my CCNA using online resources, as convenient as they are that are times when you have questions that cannot be answered because there is not a live person there.<\/p>\n
My question is regarding port security.<\/p>\n
Generally for ports in our environment that are unused we just shut them down.<\/p>\n
The instructor on the video series I am using suggests putting them into access mode and then assigning a go nowhere VLAN.<\/p>\n
I understand the potential issues with having the port in a non dedicated state (access/trunk) but with the port just shut off does that eliminate the concern without extra typing.<\/p>\n
Is this a personal preference thing or is there school of thinking behind this that I am not seeing.<\/p>\n
Thanks for your opinion and thoughts.<\/p>","upvoteCount":9,"datePublished":"2018-11-13T20:02:11.000Z","url":"https://community.spiceworks.com/t/switch-configuration-question-best-practice-vs-preference/683692/1","author":{"@type":"Person","name":"joelf","url":"https://community.spiceworks.com/u/joelf"}},{"@type":"Answer","text":"
My personal preference and the one I’ve implemented is that if it’s not in use, it’s shut down. That way, if someone plugs in something they shouldn’t - there isn’t an issue. If I need to find free ports I can just look at which ports are shutdown. I just find it easier and safer.<\/p>","upvoteCount":1,"datePublished":"2018-11-13T20:18:36.000Z","url":"https://community.spiceworks.com/t/switch-configuration-question-best-practice-vs-preference/683692/2","author":{"@type":"Person","name":"Gary-D-Williams","url":"https://community.spiceworks.com/u/Gary-D-Williams"}},{"@type":"Answer","text":"
I just finished my CCNP and it looks like the consensus is, shut them down<\/p>\n
![\":wink:\"](\"https://emoji.discourse-cdn.com/twitter/wink.png?v=12\" "\\":wink:\\"")
<\/p>","upvoteCount":1,"datePublished":"2018-11-13T21:47:58.000Z","url":"https://community.spiceworks.com/t/switch-configuration-question-best-practice-vs-preference/683692/4","author":{"@type":"Person","name":"patrickdeno2","url":"https://community.spiceworks.com/u/patrickdeno2"}},"suggestedAnswer":[{"@type":"Answer","text":"