Connect unmanaged switch to Ethernet wall port that is on user vlan

Peymani
Level 1
In an enterprise environment (the company I am working at), each access switch has a User VLAN with some ports assigned to it! What will happen if I connect an unmanaged switch to one of the Ethernet wall ports that is on the User VLAN!?
11 Replies

marce1000
VIP

- Depends, but if configured well the port will get disabled through BPDU filtering and/or other unwanted 'STP effects'

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

As @marce1000 suggests it depends on how the wall port is configured. There are some options such as bpduguard which would recognize that a switch was being connected and would shut down the wall port and the unmanaged switch would not work. It is possible that no feature like that is configured and that the unmanaged switch would become part of the network, and all ports on the unmanaged switch would operate as part of the user vlan.

HTH

Rick

What command can I use to see the configuration which shows me whether I can or cannot!?

Joseph W. Doherty
Hall of Fame

If the unmanaged is truly a pure "dumb" L2 switch, generally it will be "invisible" to your network.  Although the other posters have noted something like BPDUs would reveal a switch on an access port, generally a pure "dumb" L2 switch doesn't support STP so the switch would not reveal itself, that way.  (Also BTW, such switches also don't generally support CDP or LLDP.)  In other words, not only are the results dependent on how the access port might be configured, but they are also dependent on the "kind" of switch being connected, and what's connected to that switch.

However, something that will often reveal such a pure "dumb" L2 switch is when, and if, more than one host is connected to that switch.  If such is done, you'll "see" multiple MACs on the access port.  Assuming only one host MAC is expected, multiple MACs often reveal the presence of such a switch.

BTW, a similar problem arises with "inexpensive" WAPs.  They too can be totally "invisible" to your network on the "wired" side, unless they too start to host more than one MAC.  (NB: WAPs can be detected, though, monitoring the "wireless" side.)  NB: such unauthorized WAPs can be a real security concern because they provide an entry point to your network, often from outside your building.

Also BTW, years ago, I worked at a company that took user edge port security very seriously.  Part of their solution to address this problem was that user hosts had to authenticate themselves to the network.  Even doing that, we needed to ensure a host that authenticated itself did not "open" the port to other devices that might also be on a pure "dumb" L2 switch that was connected to the Enterprise edge port.  (NB: our edge ports also supported dynamic VLAN assignment based on host authentication.  This was to allow unauthenticated hosts [i.e. guests] to use our network on a specially restricted "guest" LAN.)

The original poster asks "What command can I use to see the configuration which shows me whether I can or cannot!?". Unfortunately there is no single command that would show whether the connection of the unmanaged switch would be successful or not, because there are multiple things that might prevent the connection from working. And multiple causes would require multiple commands:

- if port security is enabled on the port then having multiple MAC addresses learned on a single port might prevent the port from working. You might see that by looking at show run interface x/y.

- bpduguard might prevent the port from working (if the unmanaged switch supports spanning tree). You might see that in the interface configuration but it might also be enabled globally and you would need a different command to see that.


HTH

Rick
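A small audit script, added here as an example (not code from this thread or from Cisco), that ties Joseph's "multiple MACs on an access port" observation to Rick's list of commands: it parses constructed `show mac address-table dynamic` and `show running-config interface` output, flags access ports learning more than one MAC, and lists which interface-level protections (port security, bpduguard) a port's config lacks. It assumes the standard IOS column layout; as Rick notes, bpduguard can also be enabled globally with `spanning-tree portfast bpduguard default`, which a per-interface check will not see.

```python
# Audit Cisco IOS show output for signs of an unmanaged switch on an access port.
import re
from collections import defaultdict

# Constructed 'show mac address-table dynamic' output in the usual IOS layout (not real).
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    0011.2233.4456    DYNAMIC     Gi1/0/5
  10    0011.2233.4457    DYNAMIC     Gi1/0/5
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  10    0099.8877.6655    DYNAMIC     Gi1/0/24
"""

# Constructed 'show running-config interface Gi1/0/5' excerpt with no per-port protections.
PORT_CONFIG = """\
interface GigabitEthernet1/0/5
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
"""

# One table row: VLAN, dotted-hex MAC, entry type, port name.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)

def macs_per_port(table):
    """Map each port name to the set of MAC addresses learned on it."""
    seen = defaultdict(set)
    for line in table.splitlines():
        m = MAC_ROW.match(line)
        if m:
            seen[m.group(3)].add(m.group(2).lower())
    return seen

def suspect_ports(table, uplinks=(), expected=1):
    """Ports learning more MACs than one host should present, ignoring known uplinks."""
    return sorted(port for port, macs in macs_per_port(table).items()
                  if port not in uplinks and len(macs) > expected)

# Interface-level stanzas that would limit or shut the port. bpduguard may instead be
# enabled globally ('spanning-tree portfast bpduguard default'), which this check cannot see.
HARDENING = {"port-security": "switchport port-security",
             "bpduguard": "spanning-tree bpduguard enable"}

def missing_hardening(config):
    """Names of the interface-level protections absent from a port's running config."""
    return [name for name, stanza in HARDENING.items() if stanza not in config]
```

With the sample above, `suspect_ports(MAC_TABLE, uplinks=("Gi1/0/24",))` reports only Gi1/0/5, and `missing_hardening(PORT_CONFIG)` reports that both protections are absent on that port.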

I am glad that our explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

"if port security is enabled on the port then having multiple mac addresses learned on a single port might prevent the port from working. You might see that by looking at show run interface x/y."

Actually, that would be true when additional MACs appear on the Enterprise edge port.  I.e. a pure "dumb" L2 switch might still be connected which would likely always allow at least one/authorized host MAC regardless of the Enterprise switch's port configuration.  (NB: this might seem a non-issue, but it [or a hub] might allow unauthorized "sniffing" or man-in-the-middle compromises.  More problematic with WAPs.)

"(if the unmanaged switch supports spanning tree)"

Rick, just curious, do you know of any such switches?  (I could see configurable switches either not supporting anything but console access, or configured to not "show" themselves, i.e. with a host IP, on the network, but for a true "dumb" L2 switch [e.g. consumer type small 4, 5 or 8 port, office store, switch], don't recall ever seeing one do anything beyond the most basic L2 switching.)

BTW, one issue with connecting two switches via access ports: unless one of them supports auto MDI/MDI-X, you'll likely need a crossover copper cable, rather than the typical host <> switch straight-through cable.

Joseph


I do not claim a lot of expertise with unmanaged switches and cannot point to an example of an unmanaged switch that supports spanning tree. But spanning tree is so basic and the impact of a loop being formed is so severe that I would assume that at least some unmanaged switches would support spanning tree.

HTH

Rick

Rick, perhaps some do.  I'm unaware of any, but again, doesn't mean they don't exist.

Thanks for your reply.

Joseph


It is a point of uncertainty. Clearly there are unmanaged switches that do not support spanning tree. Given the potential impact of not detecting a layer 2 loop in the network I continue to think that some unmanaged switches ought to support it. But whether there are some that do is an open question.


Going back to the question of the original post, if they connect an unmanaged switch to the managed switch it might work just fine. Or there might be problems. There are several aspects of the managed switch which could be problematic, so without knowing more about the managed switch we cannot say clearly one way or the other whether it would work or not.

HTH

Rick

Rick is indeed correct, in that without knowing particulars, there's no 100% guarantee that connecting an unmanaged switch to a managed switch will work.

However, in my experience, for copper to copper connections, assuming you have the right kind of copper cable (generally a crossover cable), it usually works.

BTW, not yet discussed, even when it works, is how well it might work.  "Inexpensive" unmanaged switches are often inexpensive for more than the fact that they don't support switch management.  It's not totally unusual that if you place an inexpensive unmanaged switch between the original host device and the Enterprise switch port, the host device's network performance is degraded (even without using any of the other unmanaged switch ports).
