Ports restriction

Faisal Khan
Level 1

Hi,

We need to restrict Layer 2 switch ports for blocking another switch connection.

Can any body guide me how to perform this task.

Regards,

Faisal

4 Replies

wender putters
Level 1

Hello Faisal,

Could you please provide us additional information?

I have no idea what you are trying to prevent from happening.

Can you add a diagram and explain your situation in more detail?

Jan Hrnko
Level 4

Hi Faisal,

  • If you want to prevent, say, people connecting through an unmanaged switch to your access port, the best thing to do is to configure port security. You can also configure the maximum number of secure MAC addresses for the port (default is 1) using the switchport port-security maximum NUMBER command. Since there are no protocols running on an unmanaged switch, how can you tell there is a switch in the first place? Well, just by the fact that there are multiple/different MAC addresses communicating on a single port. Upon receipt of frames with different source MAC addresses, the port is put into err-disable.

          Switch(config-if)#switchport port-security

OR

  • If you want to prevent only managed switches (with STP running) from connecting to such a port, use BPDU guard, but I think that you are looking for the first solution here. A port with BPDU guard configured is put into err-disable upon receipt of a BPDU.

          Switch(config-if)#spanning-tree bpduguard enable

If you decide to configure port-security, have a look here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html

or just ask further questions.

What exactly are you trying to do? What kind of port do you want to block and why? Please, let us know, so we can provide a better answer.

Best regards,

Jan

Thanks for your reply...

I think we could also configure the access switch's VTP in client mode... it will also block access ports for unmanaged switches.

Port security needs MAC addresses to be defined, and we use multiple workstations on these ports.

Regards,

Faisal

devils_advocate
Level 7

Hi

I think what you are asking is how to prevent unwanted switches from being plugged into your network?

If so, the advice from Jan is the best.

BPDU Guard will only work for switches which send BPDUs, and anybody technical could stop the switch sending them anyway, so combine this with Port Security and limit the MAC addresses and you should be fairly well protected.

I would also advise setting all your user facing switchports to Access Ports only to prevent Trunks being formed (switchport mode access).
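Putting Jan's two suggestions and the access-port advice above together, here is an added example configuration for a Cisco IOS access port. It is not code from the thread or from Cisco's documentation; the interface name, VLAN number, MAC limit of 3, aging time and recovery timer are assumed values chosen for illustration. It relies on dynamic learning, so the workstation MAC addresses do not have to be typed in by hand: the port learns up to the configured maximum and is err-disabled if a further address appears.

```cisco
! Added example (not from the thread): hardening a user-facing access port.
! Interface name, VLAN, MAC limit, aging time and recovery interval are assumed values.
interface GigabitEthernet0/1
 description User-facing access port (constructed example)
 ! Fix the port as an access port and stop DTP so no trunk can ever be negotiated
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
 ! Edge port: forward immediately, but err-disable as soon as a BPDU (a managed switch) appears
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port security with dynamic learning: no static MAC addresses are needed
 switchport port-security
 ! Up to 3 workstations may share the port; a 4th source MAC err-disables it
 switchport port-security maximum 3
 switchport port-security violation shutdown
 ! Forget addresses that have been idle for 10 minutes so replaced PCs do not fill the table
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Optional: recover err-disabled ports automatically instead of requiring an
! administrator to do "shutdown" / "no shutdown" by hand
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 600
!
! Verification (privileged EXEC), useful after plugging in a test device:
! show port-security interface GigabitEthernet0/1
! show port-security address
! show spanning-tree interface GigabitEthernet0/1 detail
! show interfaces status err-disabled
```

With "violation shutdown" the switch also emits a %PORT_SECURITY-2-PSECURE_VIOLATION syslog message naming the offending MAC address and port, and BPDU guard emits a %SPANTREE-2-BLOCK_BPDUGUARD message, so forwarding syslog to a collector gives you a record of every attempt to hang a switch off a user port, not just a dead port.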
