11-18-2008 10:14 AM - edited 03-06-2019 02:33 AM
Is there a way to keep this scenario from happening (other than not allowing users to connect a switch to their jack):
Topology:
host -> user switch -> main switch -> router
We actually had this happen last night. In the user switch, a user connected one end of a cable to port 4 and the other end to port 3. This effectively brought the network down at this branch.
I've got a test setup here and I've implemented storm control, but this isn't keeping it from happening. I don't think bpduguard or bpdufilter will work either considering the port that the user switch connects to is already a designated port for spanning tree and forwarding.
Any suggestions or other tricks that could keep this from happening in the future?
Thanks!
John
11-18-2008 10:16 AM
Any suggestions or other tricks that could keep this from happening in the future?
Read on switchport port-security
:)
__
Edison.
11-18-2008 11:41 AM
As Edison says, the port-security is probably best.
If you *really* need to control "clever" users, then you also should set your TTL (Time-to-Live) such that if they drop in a consumer router (for NAT and expand ports) the TTL expires and there's no connection.
I hope the employee was fired for a violation of the policies. You *-DO-* have a policy, don't you?
Good Luck
Scott
11-18-2008 11:52 AM
Hello John,
Here what helps is STP bpduguard: it should disable both links or at least one of the two.
The designated port will propagate BPDUs and the other port should go into errdisable for the fact of receiving BPDUs, regardless of their content.
I think this is the scenario for using this command.
This works if the user switch has the bpduguard feature.
Instead, BPDU filter is to be avoided because it is just the opposite: it makes the ports silent and they cannot detect each other.
BPDU filter is to be used only in some L2 service provider scenarios, not inside an enterprise.
Port security can help too.
I tested BPDU guard 4 years ago on CatOS and IOS switches and it worked the way I described above.
Hope to help
Giuseppe
11-18-2008 12:12 PM
John
I think Scott has hit the nail on the head. You could use port-security, and we do, to make sure that users don't connect hubs to their PC ports by limiting the number of MAC addresses seen on the switchport. You could use BPDUGuard, but that is assuming that the switches support these features. If they do, great, but quite often users can plug in their own switch/hub and create the very same problems.
So it really comes down to a security policy that all users are aware of and are also aware of the consequences if they do something they shouldn't.
There are a lot of features you can use to mitigate against these things, and if the features are available then I would use them, but in the end if a user wants to do something really stupid they probably will :-)
Jon
11-18-2008 01:24 PM
Yes, bpduguard will disable the port. However, I have seen instances where bpduguard fails after the switch attempts to automatically recover the port (I still have a TAC case open on this). I would use both bpduguard and port security. At least, that is what I am implementing right now.
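The combination the thread keeps coming back to (port-security plus bpduguard, with errdisable recovery so a tripped port comes back without a manual shut/no shut) as an added IOS configuration example, not taken from any post above. It is meant for the access ports on the user switch, not for the uplink toward the main switch, which legitimately exchanges BPDUs; the interface name, VLAN, storm-control level and recovery timer are assumptions.

```cisco
! Global: BPDU guard on every PortFast port, and automatic recovery
! of errdisabled ports after 300 s (assumed value) so a misplugged
! cable does not need someone to walk to the closet.
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Per-port: one host per jack. A second MAC address (a hub, or a
! user switch with more than one host behind it) trips port security
! and shuts the port; any received BPDU (a looped or daisy-chained
! switch) trips BPDU guard the same way. Storm control is kept as a
! last line of defence for traffic that gets through anyway.
interface FastEthernet0/4
 description user jack (assumed interface name)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 storm-control broadcast level 5.00
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Checks after an incident:
!  show interfaces status err-disabled
!  show port-security interface FastEthernet0/4
!  show errdisable recovery
!  show spanning-tree summary
```

A consumer router doing NAT presents a single MAC address and sends no BPDUs, so neither feature catches it; that is the case Scott's TTL remark is aimed at.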
11-18-2008 04:33 PM
L2 best practices suggest disabling any unused ports.