10-15-2004 05:57 AM - edited 03-02-2019 07:18 PM
Part of my network consists of 2950 10/100 ports that are leased to convention center guests, which I have very little control over. Until recently my interface config was very simple:
interface FastEthernet0/1
no ip address
spanning-tree portfast
In working through an H.323 video problem with a guest, he commented that he could easily hijack my spanning-tree topology. After some research I am contemplating adding the following commands:
no cdp enable
switchport mode access
spanning-tree bpduguard enable
Does anyone have suggestions about these or other methods to secure my layer 2 topology? TIA.
10-15-2004 06:05 AM
This guest has connections to more than one switchport? You could use BPDU filter to stop both incoming and outgoing BPDUs on the port.
Dave
10-18-2004 12:13 AM
Hi,
What about port security http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/swtrafc.htm#wp1038501
(if you know MAC addresses of the connected devices) or
802.1x http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12120ea2/2950scg/sw8021x.htm ?
There should also be L2 NAC (Network Admission Control) available in the near future...
Regards,
Milan
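The following configuration is an added example for this thread, not something posted by the original poster, Dave or Milan. It puts the original post's three commands together with the port security that Milan's first link describes and an optional 802.1X stanza for his second, on a Catalyst 2950 running the 12.1 EA train that those links document. FastEthernet0/1, guest VLAN 100, the RADIUS server 192.0.2.10 and the key CHANGE-ME are placeholders and should be replaced with your own values.

```ios
! === Global settings (added example; assumes Catalyst 2950, 12.1 EA train) ===
! Every PortFast port that receives a BPDU is err-disabled, so a guest
! device running a bridge or a fake STP speaker cannot take over the topology.
spanning-tree portfast bpduguard default
! Let err-disabled guest ports recover on their own after 5 minutes instead
! of waiting for someone with console access to "shut / no shut" them.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! === Before: the guest-port configuration from the first post ===
interface FastEthernet0/1
 no ip address
 spanning-tree portfast
!
! === After: the same port hardened (VLAN 100 is an assumed guest VLAN) ===
interface FastEthernet0/1
 description Guest drop - hardened
 switchport mode access
 switchport access vlan 100
 ! Do not send DTP frames to the guest, so the port can never be negotiated
 ! into a trunk carrying other VLANs.
 switchport nonegotiate
 ! Stop advertising the switch model, IOS version and management address.
 no cdp enable
 spanning-tree portfast
 ! Per-port BPDU guard, explicit in addition to the global default above.
 spanning-tree bpduguard enable
 ! Even with BPDU guard disabled, never accept a superior root from here.
 spanning-tree guard root
 ! One learned MAC per drop; extra MACs are dropped and logged ("restrict")
 ! rather than taking the whole port down ("shutdown").
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! Age out the learned MAC after 10 idle minutes so the next guest can plug in.
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! Cap broadcast floods from a looped or misbehaving guest device (percent).
 storm-control broadcast level 10
!
! === Optional: 802.1X on the same port, for guests who are issued credentials ===
! (RADIUS address and key are placeholders for this example)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key CHANGE-ME
interface FastEthernet0/1
 dot1x port-control auto
```

Two design choices worth spelling out. The example uses BPDU guard rather than the BPDU filter Dave mentions: BPDU guard err-disables the port and logs the event, whereas BPDU filter silently discards BPDUs and leaves the port forwarding, so a guest who bridges two of your drops together creates a loop that STP can no longer see. Port security with `violation restrict` rather than `shutdown` keeps a guest's second device from knocking the first one offline while still logging the attempt; if you do prefer `shutdown`, the `errdisable recovery cause psecure-violation` line above brings the port back without a staff visit. To apply the interface stanza to a whole leased block at once, use `interface range fastethernet0/1 - 24` in place of the single interface.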