Network Computing is part of the Informa Tech Division of Informa PLC


How to Secure Access Switch Ports: Page 4 of 4

How to manage unused switch ports

On networks I manage, I tend to simply shut down any unused access port. When access is needed, I re-enable the port and assign it to the proper VLAN. Some administrators take unused ports a step further by creating a black hole VLAN: a VLAN that exists only on the local switch, has no layer 3 switch virtual interface (SVI) configured for it, and is pruned from every uplink trunk so that its traffic cannot leave the switch. An unauthorized device plugged into a port in that VLAN has no path off the switch at layer 2 and no gateway at layer 3. This is especially useful if you are concerned about ports being enabled inadvertently when they should remain disabled: the port comes up, but it comes up in a VLAN that goes nowhere.

In this example, I assume that switch port 1/0/12 is a standard user port that is currently not in use. First, I create the black hole VLAN 321. Then I configure port 12 as an access port, enable BPDU guard, assign it to the black hole VLAN, and finally disable the port with the shutdown command.


Then, once the port is needed, go back into interface configuration mode, assign it to the data and/or voice VLAN the user requires, and issue a no shutdown command. Assigning the VLAN before enabling the port means it never comes up in the black hole VLAN, and BPDU guard stays in place.
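The two steps above written out as Cisco IOS configuration. This is an added example, not the article's own listing; VLAN 321 and port 1/0/12 come from the text, while the uplink trunk (GigabitEthernet1/0/48), the data VLAN (100) and the voice VLAN (200) are assumptions chosen for illustration.

```cisco
! Added example (not the article's listing). Assumed names: uplink Gi1/0/48,
! data VLAN 100, voice VLAN 200. VLAN 321 and port Gi1/0/12 are from the text.
!
! --- Step 1: create the black hole VLAN on this switch only ---
! In VTP server mode a VLAN created here would be advertised to every switch
! in the VTP domain; transparent mode keeps it local.
vtp mode transparent
vlan 321
 name BLACKHOLE
! Deliberately no "interface Vlan321": with no SVI there is no layer 3 exit.
!
! --- Step 2: keep the black hole VLAN off every uplink trunk ---
interface GigabitEthernet1/0/48
 description UPLINK-TO-CORE
 switchport mode trunk
 switchport trunk allowed vlan remove 321
!
! --- Step 3: park the unused port ---
interface GigabitEthernet1/0/12
 description UNUSED - parked in black hole VLAN
 switchport mode access
 switchport nonegotiate
 switchport access vlan 321
 spanning-tree bpduguard enable
 shutdown
!
! --- Later: return the port to service for a user ---
interface GigabitEthernet1/0/12
 description USER - desk 12
 switchport access vlan 100
 switchport voice vlan 200
 no shutdown
```

To check the result, `show vlan brief` should list only Gi1/0/12 in VLAN 321 (and nothing at all once the port is reassigned), `show interfaces trunk` should show 321 missing from the allowed list on the uplink, and `show interfaces GigabitEthernet1/0/12 switchport` should report access mode with negotiation of trunking off.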

This guide was just a sample of the many access-port security configuration options available. Note also that there are more advanced, purpose-built tools for protecting network access, such as Cisco ISE or ForeScout NAC. But if you don't have the budget for those, you can at least get started by configuring the built-in security features on modern enterprise-class switches.