Need solution for odd recurring event of users interconnecting two switchports

____x____
Level 1

After taking a new job and over the course of 10 months I have seen an unusual thing happen. I have had users interconnect two data ports on the same switch 3 times. This occurs at the main campus and brings the entire network to its knees, which I didn't think could happen. All the ports are configured for portfast. Should I remove the portfast? What is the best/easiest way to prevent this from nuking the network again?

4 Replies

Hello,
the best option would obviously be to keep users from physical access to the switches. If that is not possible, you could try and implement some sort of authentication. What is the typical configuration of an access port now?
--> I have had users interconnect two data ports on the same switch 3 times.
What do the users actually do, connect two ports on the same switch to a hub?

Seb Rupik
VIP Alumni

Hi there,

It is best practice to enable BPDU Guard on access ports. On each access switchport add the following:

!
spanning-tree bpduguard enable
!

This will place the switchport in an err-disabled state (requiring a shut / no shut to bring it back up) whenever it receives a BPDU, i.e. when it is connected to another switch, or to itself.
cheers,

Seb.

Seb Rupik's response is the best, HOWEVER, BPDU Guard is of no use if someone has (secretly) enabled "auto-recovery" of error-disabled ports.

Another thing, if you're new to the job, don't enable BPDU Guard without permission.
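As an added example (not code from anyone in this thread), here is a small Python audit that reads a saved `show running-config` and flags the two gaps the replies above describe: portfast/access ports with no BPDU Guard, and global errdisable auto-recovery for bpduguard that would silently re-enable a looped port. The IOS command strings it matches are assumed from the thread; the sample config is constructed.

```python
import re

# Constructed sample running-config (not from the thread): Gi1/0/1 is portfast
# without BPDU Guard, Gi1/0/2 is hardened, Gi1/0/24 is an uplink trunk, and
# errdisable auto-recovery for bpduguard is switched on globally.
SAMPLE_CONFIG = """\
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [indented config lines under it]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def audit_bpduguard(config):
    """List (where, problem) findings. A global
    'spanning-tree portfast bpduguard default' is treated as covering
    every portfast port that lacks an explicit per-port line (assumed)."""
    findings = []
    global_default = "spanning-tree portfast bpduguard default" in config
    if re.search(r"^errdisable recovery cause (bpduguard|all)$", config, re.M):
        findings.append(("global", "errdisable auto-recovery re-enables bpduguard ports"))
    for name, lines in parse_interfaces(config).items():
        is_edge = any(l.startswith("spanning-tree portfast") for l in lines) \
            or "switchport mode access" in lines
        if is_edge and "spanning-tree bpduguard enable" not in lines and not global_default:
            findings.append((name, "portfast/access port without BPDU Guard"))
    return findings
```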

Joseph W. Doherty
Hall of Fame
Disabling portfast should preclude a L2 loop, but of course you lose the benefits of using portfast. (BTW, what variant of STP are you using?)

You could try Seb's suggestion. That would be easy and might be enough.

Your devices might have additional features to further limit and/or mitigate someone spanning two ports, like unicast flooding limits, etc.

You mention the "... brings the entire network to it's knees ...", which makes me wonder about your L2 design (perhaps a L2 redesign would limit the impact area).