Port-security, storm-control and bpduguard - redundant?

ivarstrandberg
Level 1

Hi.

In an effort to get more control over our office network, we have configured port-security (default settings, but with "violation restrict"), to prohibit users from connecting more that one device on an access port.

If someone should connect an unmanaged switch, and make a loop on that switch, would port-security be enough (since it stops traffic from all MAC addresses learned on that port, except the first MAC address), or would we need storm-control as well?

How about bpduguard? Is that necessary?

Here's an example:

interface GigabitEthernet1/0/1
 switchport access vlan X
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 spanning-tree portfast
 spanning-tree bpduguard enable
end

Kind regards,

IS

4 Replies

Rolf Fischer
Level 9

Hi,

If you want to prevent bridging loops effectively, you should use BPDUguard on your edge ports.

Combining that with port-security and/or storm-control is wise, but you have to keep in mind that they cannot avoid loops. Storm-control can lessen the impact of a loop, but maybe you should try to find meaningful values which meet your requirements. I think 10% broadcast on a Gigabit edge port is by far too much.

Best regards

Rolf

Will BPDUguard help even if the switch the user connects doesn't support STP?

Will the Catalyst see its own BPDUs if there's a loop, and then shut down the port?

When it comes to storm-control, what percentage range would be recommended on a gig-port?

Is it necessary to storm-control multicast as well as broadcast?

/IS

Will the Catalyst see its own BPDUs if there's a loop, and then shut down the port?

Yes. BPDUs are layer-2 multicasts and an unmanaged or non-STP-aware switch will flood them back to the Catalyst in such a case.

Will BPDUguard help even if the switch the user connects doesn't support STP?

If a bridging loop occurs, yes. Here, the combination with port-security can be useful to identify such ports.

There are not really any recommendations for storm-control values; what's "normal" always depends on the specific network, applications, etc.

I think you can safely start with 1.00 and then approximate to adequate values for your environment.

Don't exaggerate, you don't want to experience lots of "false positives".

Hope that helps

Rolf

Andrew Devine
Level 1

You need to be careful with this configuration.

Violation restrict will not shut down the port, and can potentially block the BPDUs, hence bpduguard will not kick in and you will create a loop.

Better to use "switchport port-security violation shutdown" to avoid loops.
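As an added audit script (not from this thread, and not a Cisco tool), the checks Andrew and Rolf describe applied to a saved running-config: it flags edge ports that pair bpduguard with a port-security violation mode other than shutdown, and storm-control levels above a threshold (1.00%, following Rolf's suggested starting point). The config sample is constructed from the thread's example, and the parser assumes the plain indented stanza layout of "show running-config".

```python
# Constructed sample running-config modelled on the thread's example (not a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport port-security
 switchport port-security violation restrict
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport port-security
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 spanning-tree bpduguard enable
"""

def parse_interfaces(config: str) -> dict:
    # Map each 'interface X' stanza to its indented sub-commands ('!' or a global line ends it).
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def audit_port(lines: list, max_level: float = 1.0) -> list:
    # Findings for one edge port; an empty list means the port passes.
    findings = []
    if "spanning-tree bpduguard enable" in lines and "switchport port-security" in lines:
        # IOS defaults the violation mode to shutdown when no 'violation' line is present.
        modes = [ln.split()[-1] for ln in lines if ln.startswith("switchport port-security violation")]
        mode = modes[-1] if modes else "shutdown"
        if mode != "shutdown":
            findings.append(f"bpduguard with port-security violation {mode}; use violation shutdown")
    for kind in ("broadcast", "multicast"):
        # Rising threshold is the 4th token; assumes the percentage form, not pps/bps.
        levels = [ln.split()[3] for ln in lines if ln.startswith(f"storm-control {kind} level")]
        if not levels:
            findings.append(f"no storm-control {kind} level configured")
        elif float(levels[-1]) > max_level:
            findings.append(f"storm-control {kind} level {levels[-1]} exceeds {max_level:.2f}")
    return findings

def audit_config(config: str, max_level: float = 1.0) -> dict:
    return {n: f for n, l in parse_interfaces(config).items() if (f := audit_port(l, max_level))}
```

Running audit_config on a real "show running-config" dump returns only the ports with findings, so a clean audit is an empty dict.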
