08-11-2014 01:55 AM - edited 03-07-2019 08:20 PM
Hi,
We have Cisco 4500X at the core and Cisco 3750 at the edge. I would like it so we can disable unmanaged switches on some ports on an edge switch. I don't want a particular group of users plugging them in.
How can I achieve this please?
Thanks
08-11-2014 02:13 AM
On the interface, if you enable "spanning-tree BPDUGuard enable" the port will go into error-disable when BPDU is detected on the interface.
08-11-2014 02:51 AM
Hello,
Following are the modes in which we can configure BPDU Guard in switches:
Interface mode:
spanning-tree bpduguard enable (Puts the port in errdisable upon receiving any BPDU.)
Global mode:
spanning-tree portfast bpduguard default (Enables BPDU Guard on ports that have the PortFast configuration; puts the port in errdisable upon receiving a BPDU.)
Once BPDU Guard is enabled it will keep an eye open for any BPDUs entering the access ports. The only devices which can reliably create and transmit BPDUs are switches. Our main aim is to have a predictable topology and not allow other switches outside our control onto our network. If a rogue switch is introduced into our topology it will in most cases transmit a BPDU; if the rogue switch has "better" values than the existing Root Bridge it will cause a topology change in the switched network. Any topology change is bad news for the users.
08-11-2014 04:16 AM
Thanks for the help. Someone else suggested doing it by limiting the number of mac addresses allowed on the port by using the following commands. What method would you use?
Thanks
switchport port-security maximum 1
switchport port-security violation shutdown
08-11-2014 04:54 AM
You are most welcome.
This again is a very good option; however, if your switch port is connected to a hub supporting more than one user, then in that case you would not be able to use this command, as it would allow only one MAC address through it, thus preventing other eligible data from legal hosts. But if you have only one host connected to that port then I would recommend it; otherwise, in a full-fledged network, "spanning-tree bpduguard enable" is a good option.
Thanks
08-11-2014 07:17 AM
Thanks. Just giving this a test. I put the above commands on the switch port but they don't appear when I do a show run. Why is that please?
thanks
08-11-2014 07:36 AM
Those will appear under command:
Switch#sh port-security interface (interface name)
08-11-2014 07:51 AM
Brill. So I have got the below from that command. Is this setup correctly to only allow 1 MAC address on that port?
thanks
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
08-11-2014 07:57 AM
Yes, as you can see it shows max MAC addresses = 1, meaning that the total number of MAC addresses allowed is one, and if it exceeds that then a violation will occur which will shut down the port.
Thanks
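As an added example (not from the thread or from Cisco), here is a small Python script that parses the `show port-security interface` output pasted above and checks it against the single-host policy discussed in this thread: port-security enabled, maximum of 1 MAC address, violation mode shutdown. The sample text is the output quoted in the post; the status strings `Secure-down` and `Secure-shutdown` are the IOS values for "no link" and "errdisabled after a violation".

```python
# Constructed sample: the "show port-security interface" output quoted in the thread.
SAMPLE_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
"""


def parse_port_security(text):
    """Turn the 'Key : Value' lines into a dict (keys keep their IOS names)."""
    fields = {}
    for line in text.splitlines():
        # Split on the first ' : ' so 'Last Source Address:Vlan' stays one key.
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_single_host_policy(fields):
    """Return a list of findings; an empty list means the port matches the policy."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security is not enabled")
    max_mac = int(fields.get("Maximum MAC Addresses", "0"))
    if max_mac != 1:
        findings.append(f"maximum MAC addresses is {max_mac}, expected 1")
    if fields.get("Violation Mode", "").lower() != "shutdown":
        findings.append("violation mode is not shutdown")
    # Secure-down only means no link; Secure-shutdown means a violation errdisabled the port.
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is errdisabled by a security violation")
    if int(fields.get("Security Violation Count", "0")) > 0:
        findings.append("security violations have been recorded on this port")
    return findings


if __name__ == "__main__":
    result = check_single_host_policy(parse_port_security(SAMPLE_OUTPUT))
    print("OK: single-host policy in place" if not result else "\n".join(result))
```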
08-11-2014 07:59 AM
Thanks. Will give this a go.
08-11-2014 08:00 AM
You are welcome.
08-11-2014 05:49 AM
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Your later note, about using switch-port security, is probably your best option (because unmanaged switches and hubs aren't really visible - also unmanaged switches won't generate BPDUs).