08-15-2017 11:09 PM - edited 03-08-2019 11:45 AM
We want to protect our network from unmanaged switches. I have already enabled BPDU guard, but it does not block unmanaged switches. Is there any solution to protect our network other than port security? Thanks in advance.
08-16-2017 12:33 AM
You could use port-security to lock down the ports so only certain MACs, and only a certain number of them, are allowed through a port, and shut the port down if they don't match.
As good practice you should shut down any unused ports; this may help if someone tries to connect without you knowing.
Good article on PS:
http://www.techrepublic.com/blog/it-security/lock-down-cisco-switch-port-security-88196/
08-16-2017 01:46 AM
There is no other solution - port security is the only option as far as I am aware. Unmanaged switches are completely transparent (there is no STP on those devices, so BPDU guard is useless in attempting to detect unmanaged switches), and other than limiting the number of MAC addresses per port there is no other option.
08-16-2017 06:50 AM
Hello
You could use 802.1X port authentication, which will not allow any access until the user or device is authorised by the ACS, unless you enable the MAC bypass feature.
Without 802.1X it would be down to Port Security.
Below is an example of Port Security, Storm Control and IPSG (IP only) enabled on an access port, with error recovery enabled for port security and storm control:
! Global prerequisites for the interface commands below: IPSG and DAI need
! DHCP snooping and ARP inspection enabled for the VLAN, and errdisable
! recovery brings a violated port back without manual intervention
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
!
interface x/x
 description FastEthernet access-port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ! allow at most 2 MACs (e.g. phone + PC); a third MAC is a violation and errdisables the port
 switchport port-security maximum 2
 switchport port-security
 ! forget a learned MAC after 10 minutes of inactivity so a moved device does not trip the port
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! shut the port if broadcast, multicast or unicast traffic exceeds 20% of bandwidth
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 storm-control unicast level 20.00
 storm-control action shutdown
 ip dhcp snooping limit rate 100
 ! DAI rate limiting is enabled by default on untrusted ports; the default limit is 15 pps
 ip arp inspection limit rate 14
 ! IPSG: with the port-security keyword the source MAC is validated as well as the IP
 ip verify source port-security
 udld port aggressive
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 no snmp trap link-status
 no logging event link-status
 no lldp transmit
 no lldp receive
 no cdp enable
!
! verify that errdisable recovery is on for both causes
sh errdisable recovery | in Enabled
psecure-violation Enabled
storm-control Enabled
res
Paul
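The thread's point is that an unmanaged switch sends no BPDUs, so the only signal the access switch gives you is the number of MAC addresses learned per port. The following is an added example, not code from any post in this thread: a small Python audit that parses constructed copies of "show running-config" and "show mac address-table dynamic" output and reports access ports that lack port-security or BPDU guard, or that have learned more MACs than their configured (or assumed) limit. The sample config and MAC table, the Fa/Gi short-name convention and the default limit of one MAC per port are assumptions for this example.

```python
"""Audit access ports for unmanaged-switch exposure (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed 'show mac address-table dynamic' output (not a real capture).
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4456    DYNAMIC     Fa0/2
  10    0011.2233.4457    DYNAMIC     Fa0/2
  10    0011.2233.4458    DYNAMIC     Fa0/2
  10    0011.2233.4459    DYNAMIC     Fa0/2
  10    0011.2233.4460    DYNAMIC     Fa0/3
  10    0011.2233.4461    DYNAMIC     Fa0/3
  20    0011.2233.4462    DYNAMIC     Gi0/1
"""

# Constructed running-config excerpt: Fa0/1 and Fa0/3 hardened, Fa0/2 not.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 2
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 2
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)


def macs_per_port(mac_table):
    """Map short port name (e.g. Fa0/2) -> set of MACs learned on it."""
    seen = defaultdict(set)
    for line in mac_table.splitlines():
        m = MAC_LINE.match(line)
        if m:
            seen[m.group("port")].add(m.group("mac").lower())
    return seen


def parse_interfaces(config):
    """Map full interface name -> list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def short_name(full):
    """FastEthernet0/2 -> Fa0/2, GigabitEthernet0/1 -> Gi0/1 (assumed naming convention)."""
    m = re.match(r"([A-Za-z]+)(.*)", full)
    return m.group(1)[:2] + m.group(2)


def audit(config, mac_table, default_max_macs=1):
    """Return {short_port: [finding, ...]} for access ports with problems."""
    findings = defaultdict(list)
    learned = macs_per_port(mac_table)
    for full, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and uplinks are out of scope for this check
        port = short_name(full)
        if "switchport port-security" not in cmds:
            findings[port].append("port-security not enabled")
        if "spanning-tree bpduguard enable" not in cmds:
            findings[port].append("bpduguard not enabled")
        limit = default_max_macs  # assumed: one host per port unless configured otherwise
        for c in cmds:
            m = re.match(r"switchport port-security maximum (\d+)", c)
            if m:
                limit = int(m.group(1))
        count = len(learned.get(port, ()))
        if count > limit:
            findings[port].append(
                f"{count} MACs learned, limit {limit}: possible unmanaged switch or hub")
    return dict(findings)


if __name__ == "__main__":
    for port, issues in sorted(audit(RUNNING_CONFIG, MAC_TABLE).items()):
        for issue in issues:
            print(f"{port}: {issue}")
```

Run it against saved copies of the two show commands from each access switch; a port with several learned MACs, no port-security and no BPDU guard is exactly the case the original poster is worried about, and the MAC count is the only evidence an unmanaged switch leaves. Ports with a configured maximum (phone plus PC) are judged against that limit rather than the default of one.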