04-05-2013 09:22 AM - edited 03-07-2019 12:40 PM
Hello Folks,
I've been challenged by several hubs (or SOHO switches) connected to our LAN without authorization. Besides the threat of an L2 loop in the environment, this issue also involves a financial matter for my company, since the whole billing process is based on switchport utilization. So the more non-compliant devices I have connected to the network, the less $$$ we can charge the customer.
I have already tried two features to fix the issue: Port Security and PortFast BPDU Guard. Neither has proven a good solution for me. Issues below:
Port Security: Administrative overhead.
BPDU Guard: hubs don't send BPDUs. I tried some tests with a few models of SOHO switches (3Com, Linksys, Encore, etc.) and I also didn't see any BPDU packets coming to my Cisco gear (debug spanning-tree bpdu receive).
Do you people have any recommendations for a good approach to this?
Thanks.
04-05-2013 12:28 PM
I used to use port security for this exact purpose. Here is what you do:
Global:
errdisable recovery cause psecure-violation
errdisable recovery interval 30
On the interfaces:
switchport port-security
switchport port-security aging type inactivity
switchport port-security violation shutdown
switchport port-security maximum 1
This will cause any port with a hub on it (and more than one device connected) to err-disable; then every 30 seconds the port will try to re-enable itself automatically. If the hub is still there, it goes back down; if not, it is back online. Also, "aging type inactivity" means that if people unplug their equipment and move, you will not have to intervene manually.
I used this configuration for years. It was very effective, and even on a 10,000-user LAN it needed surprisingly little manual administration. People will call you and tell you where the hubs are because they are not working.
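An added compliance check (example code, not from this thread or from Cisco) that audits a saved running-config for the port-security and errdisable-recovery lines recommended above; the sample config, the interface names and the required-line policy are constructed for the example, and the script only reads text, it changes nothing on a switch:

```python
# Constructed sample running-config; Gi1/0/2 is deliberately left non-compliant.
SAMPLE_CONFIG = """\
errdisable recovery cause psecure-violation
errdisable recovery interval 30
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security aging type inactivity
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security maximum 1
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

# Hypothetical policy for this check: lines every access port must carry.
REQUIRED_PORT = {
    "switchport port-security",
    "switchport port-security maximum 1",
    "switchport port-security violation shutdown",
    "spanning-tree bpduguard enable",
}
REQUIRED_GLOBAL = {"errdisable recovery cause psecure-violation"}

def parse_interfaces(config):
    """Map each 'interface X' stanza to the set of its indented config lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = set()
        elif raw.startswith(" ") and current is not None:
            interfaces[current].add(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit(config):
    """Return missing global lines and, per access port, its missing lines."""
    top_level = {ln for ln in config.splitlines() if not ln.startswith(" ")}
    findings = {"global": sorted(REQUIRED_GLOBAL - top_level), "ports": {}}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and uplinks are out of scope for this check
        missing = sorted(REQUIRED_PORT - lines)
        if missing:
            findings["ports"][name] = missing
    return findings
```

Run it against the output of "show running-config" from each access switch and review the ports it lists before pushing the configuration above.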
04-05-2013 11:28 AM
My recommendation is that the optimum solution is port security. It is designed and intended to limit the number of MAC addresses on an interface and it seems to me that this is exactly what you need.
HTH
Rick
04-05-2013 12:11 PM
I agree with Rick. I see no way around this besides Port Security.
04-05-2013 12:46 PM
Oh, also, you should use BPDU Guard as well, in case you get some smart guy who thinks he is going to get twice as much Internets if he plugs his computer into a hub and plugs the hub into two LAN drops.