11-14-2011 01:07 AM - edited 03-07-2019 03:22 AM
Hi,
Does anyone know how to block an unmanaged switch? I mean, if someone plugs an unmanaged switch (D-Link, etc.) into a Cisco switch, the port on the Cisco switch automatically becomes errdisabled.
I've configured bpduguard, but it didn't help.
Thanks,
Cornelius
11-14-2011 01:54 AM
hi cornelius,
bpduguard is not helpful in this situation, as it would only make sense if you have STP enabled, and even then it would not help with your problem.
Try port security, and configure with that feature only the MAC addresses which are allowed to connect to that port. So the switch itself actually shouldn't trigger the port-security feature, but as soon as clients get connected to the unmanaged switch and try to communicate with the Cisco, the port should get blocked, or whatever you have configured.
But in general I would suggest shutting down unused ports.
regards,
florian
11-14-2011 02:07 PM
>>I mean, if someone plugs an unmanaged switch (D-Link, etc.) into a Cisco switch, the port on the Cisco switch automatically becomes errdisabled.
>>I've configured bpduguard, but it didn't help.
What do you mean it didn't help? Switches, whether unmanaged or not, talk BPDU, so "bpduguard" should have disabled the port once a BPDU packet was heard. The only reasons it wouldn't work are if:
1. errdisable recovery is enabled; or
2. bpdufilter is enabled; or
3. It ain't a switch and is most likely a hub.
If it's a hub, then enable port-security to allow only 1 MAC address.
switchport port-security
switchport port-security violation restrict
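As an added example (not configuration from this thread or from any poster), here is a fuller version of the port-security approach suggested above, combined with BPDU Guard so both cases are covered: a switch that sends BPDUs is err-disabled by BPDU Guard, and a hub or a BPDU-silent switch is caught by port security once a second MAC address appears. The interface name, VLAN and recovery interval are assumptions.

```cisco
! Added example, not from the thread. Interface name and VLAN are assumed.
interface GigabitEthernet1/0/10
 description User access port (assumed name)
 switchport mode access
 switchport access vlan 10
 ! BPDU Guard: err-disables the port as soon as a BPDU arrives from a real switch
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port security: allow exactly one MAC address; "sticky" stores the first
 ! MAC learned in the running config so a second host behind a hub or
 ! unmanaged switch counts as a violation
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! "shutdown" err-disables the port, which is what the original poster asked for;
 ! "restrict" (used in the reply above) only drops the offending frames and logs
 switchport port-security violation shutdown
!
! Optional: bring err-disabled ports back automatically after 300 seconds
! instead of a manual "shutdown" / "no shutdown". This does not stop the port
! from being err-disabled; it only re-enables it later, so the violation
! will repeat while the offending device stays connected.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (show commands only; output not reproduced here):
!   show port-security interface GigabitEthernet1/0/10
!   show errdisable recovery
!   show spanning-tree interface GigabitEthernet1/0/10 detail
```

One caveat a practitioner should keep in mind: an unmanaged switch that sends no BPDUs and exposes no MAC of its own (as reported later in this thread) is invisible to both mechanisms while only a single host sits behind it; the port-security violation fires only when a second MAC address shows up on the port.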
11-14-2011 03:07 PM
>>Switch, whether un-managed or not, talk BPDU
Question: why would an unmanaged switch be sending BPDUs? I always thought that, for the most part, unmanaged switches do not send BPDUs.
11-14-2011 04:38 PM
BPDUs, or Bridge Protocol Data Units, are sent out ports that the switch has reason to believe are candidates to participate in a spanning tree instance. Most switches (managed or not), unless specifically configured otherwise (e.g. Cisco commands like "no spanning-tree" for the VLAN a given port is assigned to, or other such configuration), believe all ports to be candidates to connect to other switches and thus send out BPDUs to check the neighboring device's ability and willingness to participate in the creation and maintenance of a spanning tree.
One of the main purposes of a spanning tree is to properly establish a non-looping broadcast domain. Achieving that purpose is necessary for proper network operation in a multi-switch environment, whether or not a given switch is managed.
11-15-2011 05:49 PM
Thanks for that clarification, mklemovitch.
11-14-2011 06:39 PM
I've checked a D-Link 1008D; it doesn't send BPDUs, and I couldn't see its MAC address either.
Well, I think it's a switch but acting like a hub. Umm... port-security would be a great solution, I guess...
Thanks