best practice for unmanaged switch to cisco switch

Kyujin Choi (Level 1)

In our environment, I have to allow some users to have an unmanaged switch which is connected to an access port.

I put this configuration on each port which is connected to an unmanaged switch (Netgear 8-port):

interface GigabitEthernet1/0/47
 switchport port-security maximum 3
 spanning-tree guard root
end

port-security maximum 3: only allow 3 MACs.

spanning-tree guard root: just in case, to protect the root bridge if someone puts in a managed switch with a lower bridge ID.

I connected one cable from the unmanaged switch to another port to make a loop for a test.

It showed that the switch got "Loop-back detected" and put the port in the err-disable state automatically. So I don't need to worry about this.


Apr  7 18:33:01.370: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/47.
Apr  7 18:33:01.370: %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/47, putting Gi1/0/47 in err-disable state
Apr  7 18:33:02.373: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to down
Apr  7 18:33:03.379: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to down
LAB_HQ_Fiber(config-if)#

What options do you usually use to protect against an unmanaged switch?

I am not able to use "spanning-tree bpduguard" because it will block the port.

I can use "spanning-tree bpdufilter" to protect an STP area, but I don't think this is a big matter.
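The syslog lines quoted above are the only signal an operator gets when a port behind an unmanaged switch is shut down, so it is worth having something that watches for them. The script below is an added example, not part of the original post or anything Cisco ships: it parses the %PM-4-ERR_DISABLE message format shown in the thread, expands short interface names, and groups err-disable events per interface with a one-line interpretation of the cause. The sample log is constructed; its first four lines are the ones from the post, the others are made-up lines in the same IOS message formats (port-security violation and BPDU guard).

```python
"""Flag Catalyst ports that went err-disable, from IOS syslog text.

Added example (not from the thread). Extracts %PM-4-ERR_DISABLE events,
normalises interface names, and attaches a short hint per cause so the
reason a port dropped is visible without enabling errdisable recovery.
"""
import re
from collections import defaultdict

# Constructed sample: first four lines copied from the thread, the rest
# are made-up lines in the same IOS message formats.
SAMPLE_LOG = """\
Apr  7 18:33:01.370: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/47.
Apr  7 18:33:01.370: %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/47, putting Gi1/0/47 in err-disable state
Apr  7 18:33:02.373: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to down
Apr  7 18:33:03.379: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to down
Apr  7 18:40:12.001: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/12.
Apr  7 18:40:12.002: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
Apr  7 18:41:00.500: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/20 with BPDU Guard enabled. Disabling port.
Apr  7 18:41:00.501: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/20, putting Gi1/0/20 in err-disable state
"""

# IOS abbreviates interface names in some messages and not in others.
SHORT_PREFIXES = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}

# The err-disable message carries the cause keyword and the (short) port name.
ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on (?P<iface>\S+),"
)

# Interpretation of each cause, following the thread's discussion (constructed mapping).
CAUSE_HINTS = {
    "loopback": "frame loop behind the port (unmanaged switch/hub looped back)",
    "bpduguard": "BPDU received: a switch is attached to a portfast edge port",
    "psecure-violation": "more MAC addresses seen than port-security maximum allows",
}


def normalize_iface(name):
    """Expand 'Gi1/0/47' to 'GigabitEthernet1/0/47'; leave unknown prefixes alone."""
    m = re.match(r"^([A-Za-z]+)(\d.*)$", name)
    if not m:
        return name
    prefix, rest = m.groups()
    return SHORT_PREFIXES.get(prefix, prefix) + rest


def parse_err_disable(log_text):
    """Return one dict per err-disable event, in log order."""
    events = []
    for line in log_text.splitlines():
        m = ERR_DISABLE_RE.search(line)
        if not m:
            continue
        timestamp = line.split(": %", 1)[0]  # text before the first ": %" is the IOS timestamp
        cause = m.group("cause")
        events.append({
            "timestamp": timestamp,
            "interface": normalize_iface(m.group("iface")),
            "cause": cause,
            "hint": CAUSE_HINTS.get(cause, "unknown cause; check 'show errdisable detect'"),
        })
    return events


def summarize(events):
    """Map each interface to the list of err-disable causes seen on it."""
    by_iface = defaultdict(list)
    for event in events:
        by_iface[event["interface"]].append(event["cause"])
    return dict(by_iface)


if __name__ == "__main__":
    for event in parse_err_disable(SAMPLE_LOG):
        print(f"{event['timestamp']}  {event['interface']:<24} {event['cause']:<18} {event['hint']}")
```

Feeding real syslog into this (from a collector, or `show logging` output) gives a per-port history of why ports keep dropping, which is the information the accepted answer says you lose if errdisable recovery silently re-enables them.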

 

 

 

 

 

Accepted Solution

Hello

If you need to attach these kinds of switches/hubs, make sure you shut down all unused ports on the managed switch so as to limit any further unauthorized attachments looping back into the network from the unmanageable device. This way you can manage these unmanageable devices to a certain extent.

As for the STP root, you should manually set your STP priority on the managed switch to a low level anyway so as to not allow any other new device to negotiate itself to become the root, and for the ports you are aware will have these devices attached, I would disable portfast and also advise against using bpdufilter as this negates the STP process.

int range fa0/x - xxx
 description unmanaged devices
 no cdp enable

On all managed switches and on all ports you DON'T expect to have unmanaged hubs/switches, I would suggest applying:

spanning-tree loopguard default
udld enable
udld aggressive

int range fa0/x - xxx
 description access ports
 switchport port-security
 switchport port-security aging type inactivity
 switchport port-security violation restrict/shutdown
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 no cdp enable

One last thing: I also wouldn't enable error recovery either, as you would want to know the reason why your ports are erroring and not go chasing your tail over the reason why you're having intermittent network issues.

Regards

Paul
 


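The answer above is effectively a checklist for access-port stanzas, and it is easy to drift from it (for instance, the question's own port sets a port-security maximum but never enters the bare `switchport port-security` command, so no limit is enforced). The following audit script is an added example, not from the thread or from Cisco: it splits a running-config excerpt into interface stanzas and reports the gaps a reviewer would raise against the recommendations in this answer. The config text is constructed; the first stanza mirrors the port from the question, the second follows the hardened template above, and the third is a deliberately weak port.

```python
"""Audit Catalyst access-port stanzas against the thread's recommendations.

Added example (not from the thread). Parses a running-config excerpt and
flags: a port-security maximum with port security never enabled, portfast
without BPDU guard, portfast on a port described as unmanaged, bpdufilter,
missing root guard, and CDP left on.
"""

# Constructed running-config excerpt for illustration.
SAMPLE_CONFIG = """\
!
spanning-tree loopguard default
!
interface GigabitEthernet1/0/47
 description unmanaged devices
 switchport mode access
 switchport port-security maximum 3
 spanning-tree guard root
!
interface GigabitEthernet1/0/12
 description access ports
 switchport mode access
 switchport port-security
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 no cdp enable
!
interface GigabitEthernet1/0/20
 description unmanaged devices
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
"""


def parse_interfaces(config_text):
    """Return ({interface_name: [stanza lines]}, [global lines])."""
    stanzas, global_lines = {}, []
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or an unindented global command ends the stanza
            if line and line != "!":
                global_lines.append(line)
    return stanzas, global_lines


def audit_interface(lines, global_lines):
    """Return a list of findings for one interface stanza."""

    def has(prefix):
        # Match the exact command or the command followed by arguments.
        return any(l == prefix or l.startswith(prefix + " ") for l in lines)

    findings = []
    desc = next((l for l in lines if l.startswith("description ")), "")
    bpduguard_default = "spanning-tree portfast bpduguard default" in global_lines

    # 'maximum' alone configures a limit; only the bare command activates port security.
    if has("switchport port-security maximum") and "switchport port-security" not in lines:
        findings.append("port-security maximum set but 'switchport port-security' never enabled; the limit is not enforced")
    if has("spanning-tree portfast") and not (has("spanning-tree bpduguard enable") or bpduguard_default):
        findings.append("portfast without BPDU guard: an attached switch will not be detected")
    if "unmanaged" in desc.lower() and has("spanning-tree portfast"):
        findings.append("portfast on a port expected to carry an unmanaged switch; let STP converge normally here")
    if has("spanning-tree bpdufilter enable"):
        findings.append("bpdufilter enabled: BPDUs are dropped, which hides loops from STP")
    if not has("spanning-tree guard root"):
        findings.append("no root guard: a device with a lower bridge ID could become root")
    if "no cdp enable" not in lines:
        findings.append("CDP still enabled: switch details are advertised to the attached device")
    return findings


def audit_config(config_text):
    """Audit every interface stanza; returns {interface_name: [findings]}."""
    stanzas, global_lines = parse_interfaces(config_text)
    return {name: audit_interface(lines, global_lines) for name, lines in stanzas.items()}


if __name__ == "__main__":
    for iface, findings in audit_config(SAMPLE_CONFIG).items():
        print(iface, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it over `show running-config` output saved to a file; a port that should carry an unmanaged switch is expected to trip the "portfast" checks if someone has applied the generic access-port template to it, which is exactly the case the answer says to treat differently.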

3 Replies

Leo Laohoo (Hall of Fame)

The best practice is DON'T use an un-managed switch.

You want an 8-port switch; Cisco has some 8-port managed switches: Cisco Catalyst 2960-C and 3560-C Series Compact Switches Data Sheet

Remember: An un-managed switch is an UN-MANAGEABLE switch.


Thanks for your input.

I can't use spanning-tree portfast, which turns on bpduguard on that port.

But I understand why you suggested all the options. Thanks.