Locating unmanaged switches

Phil Bradley
Level 4

I have noticed that some unmanaged switches do not participate in STP, nor do they broadcast their MAC address out, so I have not found a good way to detect them or prevent them from creating a loop. If the "dumb" switch is not participating in STP then BPDU guard has no effect, and if the switch is not broadcasting its MAC address then port security will not catch it. Any other ideas?

5 Replies

Phil Bradley
Level 4

An update on what I have observed. If I enable bpdufilter default at the global level and then enable bpduguard at the interface level, then I am unable to detect rogue unmanaged switches when a loop is created, since no BPDUs are being sent. The only way I have found to accomplish this is to disable filter; then, when a loop is created on the unmanaged switch, the switch floods the BPDUs and guard shuts the port down. I was trying to use filter to remove BPDUs on access ports, and if BPDUs were received then guard would shut the port down.
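The two configurations the poster compares, written out as an IOS fragment. This is an added illustration, not configuration from the thread; the interface name and the errdisable recovery interval are assumed values. With the global `spanning-tree portfast bpdufilter default`, a PortFast port stops sending BPDUs shortly after link-up, so a looped unmanaged switch behind it has nothing to reflect back and the interface-level BPDU guard never fires, which matches the observation above. The second variant leaves the filter off: the upstream port keeps sending BPDUs, the unmanaged switch floods them back through the loop, and BPDU guard err-disables the port.

```cisco
! --- Weak: global BPDU filter on PortFast ports plus interface BPDU guard ---
! PortFast ports send a few BPDUs after link-up and then stop; a looped
! unmanaged switch has no BPDUs to reflect, so guard on the same port is inert.
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/10
 description access port (assumed name)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Corrected: no BPDU filter, BPDU guard on every PortFast port ---
no spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/10
 description access port (assumed name)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 no spanning-tree bpdufilter
!
! Bring a port back automatically once the loop has been removed;
! 300 seconds is an assumed value.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Checks:
!  show spanning-tree interface GigabitEthernet1/0/10 detail
!     -> "Bpdu guard is enabled" and "Bpdu filter is disabled" on the corrected port
!  show interfaces status err-disabled
!     -> lists the port with reason "bpduguard" after the reflected BPDU arrives
```

The interface-level `spanning-tree bpdufilter enable` is stricter than the global default: it drops BPDUs in both directions on that port, so it must also stay off for the reflected-BPDU detection to work.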

Hello

I would recommend NOT applying bpdu-filter globally or per interface, as this basically disables STP, and that is something you don't want to do unless you have an interconnect you don't wish to participate in STP.

Anyhow, just because the switch is unmanaged and isn't an intelligent device, it doesn't mean it cannot assist in the introduction of a physical loop.

Why not use port security?
Its max MAC address/violation features can help, in that you can limit the number of MAC addresses registered on the access interfaces and restrict/shut down the port if the violation count is exceeded.

You can also remove STP PortFast from the access port so it has to go through the STP negotiation process if/when the port tries to transition from down into a forwarding state; however, the only problem with that is it will create topology change notifications every time it does this.

Res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Hi Paul,

Yes, an unmanaged switch can introduce a loop and I have mocked this up in my lab. Port security will not work, since this device is just doing store and forward and there is no switch MAC broadcast out to the upstream switch for port security to catch. Bpduguard will catch it in a loop as long as bpdufilter is not enabled, because the unmanaged switch will flood the BPDUs it receives back to the upstream switch while the switch is looped. I have found no other way to just detect that there is a switch installed unless it gets in a loop.

I should clarify: if you do plug another device into the switch then port security would catch this.

Hello

Well yes, that's my point: the "non-intelligent" switch itself, I guess, you cannot detect; however, port security and even storm control for unicast/broadcast flooding would be adequate for loop prevention.

Res
Paul

Kind Regards
Paul
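Paul's two replies above recommend port security with a MAC limit and a violation action, optionally dropping PortFast, and storm control for unicast/broadcast flooding. The access-port template below combines those with BPDU guard. It is an added example, not configuration posted in the thread; the interface name, VLAN, MAC limit, storm-control thresholds and recovery interval are assumed values to be tuned per site. Consistent with the poster's lab result, none of this identifies an idle unmanaged switch with a single host behind it (it presents one MAC, like a host); the template limits the damage a second host or a loop can do and err-disables the port when either shows up.

```cisco
! Hardened access-port template (illustrative values)
interface GigabitEthernet1/0/10
 description user access port (assumed name)
 switchport mode access
 switchport access vlan 10
 !
 ! Port security: one MAC allowed; a second host plugged into an
 ! unmanaged switch behind this port triggers a violation. Inactivity
 ! aging lets a legitimately moved host come back without manual clearing.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 !
 ! Storm control: a loop through an unmanaged switch shows up as a
 ! broadcast/multicast/unknown-unicast storm; thresholds are assumed
 ! percentages of link bandwidth and should be set from a baseline.
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control unicast level 5.00
 storm-control action shutdown
 !
 ! Either keep PortFast with BPDU guard (edge port, no TCNs on link flap)
 ! or remove PortFast so the port walks through STP states, at the cost
 ! of topology change notifications on every link-up, as noted above.
 spanning-tree portfast
 spanning-tree bpduguard enable
 no spanning-tree bpdufilter
!
! Recover err-disabled ports automatically; 300 seconds is an assumed value.
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Checks:
!  show port-security interface GigabitEthernet1/0/10
!     -> Maximum MAC Addresses 1, Violation Mode Shutdown, current address count
!  show storm-control GigabitEthernet1/0/10
!     -> configured levels and whether suppression is currently active
!  show errdisable recovery
!     -> the three causes listed with recovery enabled
!  show interfaces status err-disabled
!     -> port and reason (psecure-violation, storm-control or bpduguard)
```

With `violation shutdown` and `storm-control action shutdown`, the reason recorded in `show interfaces status err-disabled` tells you which mechanism fired, which is the closest this setup gets to "locating" an unmanaged switch: a psecure-violation means more than one MAC appeared behind the port, a storm-control or bpduguard shutdown means the port was part of a loop.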