Port Blocking

anthony.dyne
Level 1

Hi everyone. Which command will block the port when a switch is connected to an access port with PortFast enabled? The core switch connects to the access switch with a gigabit uplink; from time to time the helpdesk cascades switches by connecting them to an access-switch port which is intended for a host.

cheers

Anthony


8 Replies

jgraafmans
Level 1

You can use the spanning-tree portfast bpduguard command to make a port with portfast configured go in error disabled state if a switch with spanning-tree enabled is connected to that port.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

To make a port also go into the error-disabled state if the connected switch does not have spanning-tree enabled, you can use port-security to shut down the port if it sees more than one MAC address on that port.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/19ew/configuration/guide/port_sec.pdf

Regards,

Jasper

branfarm1
Level 4

I'm sure there are better answers out there, but two things that come to mind are BPDU guard and MAC address limiting.

With BPDU guard you're protecting against another switch being connected, as long as it's a device that sends BPDUs and your port is configured with PortFast.

And with the MAC address limitation, if you limit each access port to only allow 1 MAC address at a time, having a switch on the port will cause multiple MACs to appear and will result in the access port being disabled:

switchport port-security maximum 1

switchport port-security violation shutdown 

The violation has the option to either restrict, protect, or shutdown. Shutdown just disables the port when the maximum is exceeded; protect only allows traffic for the first MACs up to the maximum, then blocks the rest. I'm not quite sure what restrict really does.... according to http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_9_ea1/configuration/guide/swtrafc.html#wp1042596 it just says "restricts data and causes the SecurityViolation counter to increment."

HTH,

Brandon

Thank you both for answering.

spanning-tree portfast bpduguard -> is it a global command?

Will the above command impact a Cisco Aironet access point connected to an access port?

switchport port-security maximum 1

switchport port-security violation shutdown -> what steps are needed to bring the interface back to a working state? (not sure if it's the "no shut" command or "default int fa 0/5")

What is the difference between spanning-tree portfast bpduguard & spanning-tree portfast bpdufilter?

cheers

Anthony

You can set BPDUGuard on the global level or on a per port level.  Similarly, I believe you could enable it globally and disable it on individual ports where necessary.

With the port-security violation shutdown, you can either manually re-enable a port by doing a shut- no shut on it, or you can configure automatic recovery with 'errdisable recovery cause psecure-violation'

Bpdufilter prevents a port from sending BPDUs outbound, so you would use that on a port that you didn't want BPDUs going out on. BPDUguard, as mentioned, disables a port when it receives an inbound BPDU.

Hi,

Here is a link which will answer all your questions about BPDU GUARD and BPDU filter:

http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/

For port-security: max 1 and violation shutdown are defaults, so no need to configure them. If you've got a violation then the port will go into errdisabled mode, and to get it working again you must either:

- shut / no shut it manually

- configure the errdisable recovery feature for port-security and configure a recovery timeout, so after this time is over it will put the port back in the connected state; but as soon as a violation occurs it still goes into the errdisabled state

Regards.

Alain.

Don't forget to rate helpful posts.

Alain is right -- the default port-security is for 1 allowed MAC and shutdown on violation. But I believe you do have to enable it on the port however, by entering 'switchport port-security' on the interface.

Hi,

You're right: to enable the feature you have to enter the command switchport port-security under the interface.

Alain.

Don't forget to rate helpful posts.
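As an added example (not from this thread or any of its posters), the short Python audit below reads a constructed Cisco IOS running-config and reports PortFast access ports that lack the two controls discussed above (BPDU guard active, port-security enabled), plus whether errdisable recovery for port-security violations is configured; the interface names and config lines are made up for the example.

```python
# Constructed sample running-config for this example (not from a real switch).
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
errdisable recovery cause psecure-violation
!
interface GigabitEthernet1/0/1
 switchport mode access
 spanning-tree portfast
 switchport port-security
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard disable
interface GigabitEthernet1/0/24
 switchport mode trunk
"""

def parse_config(text):
    """Split a running-config into {"": global lines, "<interface>": [sub-commands]}."""
    sections, cur = {"": []}, ""
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            sections[cur] = []
        elif line.startswith(" ") and cur:
            sections[cur].append(line.strip())
        else:  # any non-indented line ends the current interface block
            cur = ""
            if line.strip() and not line.startswith("!"):
                sections[""].append(line.strip())
    return sections

def audit(text):
    """Return ({PortFast access port: [findings]}, port-security auto-recovery on?)."""
    cfg = parse_config(text)
    guard_default = "spanning-tree portfast bpduguard default" in cfg[""]
    auto_recover = "errdisable recovery cause psecure-violation" in cfg[""]
    findings = {}
    for name, cmds in cfg.items():
        if not ("switchport mode access" in cmds and "spanning-tree portfast" in cmds):
            continue  # trunks/uplinks and non-PortFast ports are out of scope
        issues = []
        # A per-port 'enable'/'disable' overrides the global default.
        if "spanning-tree bpduguard disable" in cmds or not (
                guard_default or "spanning-tree bpduguard enable" in cmds):
            issues.append("bpduguard not active")
        if "switchport port-security" not in cmds:  # max 1 / shutdown are defaults once on
            issues.append("port-security not enabled")
        findings[name] = issues
    return findings, auto_recover
```

Without recovery configured, a port shut down by a violation stays errdisabled until someone does a manual shut / no shut, which is the behaviour Alain and Brandon describe above.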

Thanks Brandon & Alain.