Want to block unmanaged switches from network

malik.shafqat1
Level 1

We want to protect our network from unmanaged switches. I have already enabled BPDU guard but it does not block unmanaged switches. Is there any solution to protect our network other than port security? Thanks in advance.

3 Replies

Mark Malone
VIP Alumni

You could use port-security to lock down the ports so only certain MACs, and only a certain number of them, are allowed through a port, and shut the port down if they don't match.

As good practice you should shut down any unused ports; this may help if someone tries to connect without you knowing.

Good article on port security:

http://www.techrepublic.com/blog/it-security/lock-down-cisco-switch-port-security-88196/

Predrag Jovic
Level 3

There is no other solution; port security is the only option as far as I am aware. Unmanaged switches are completely transparent (there is no STP on those devices, so BPDU guard is useless as an attempt to detect unmanaged switches), and other than limiting the number of MAC addresses per port there is no other option.

Hello

You could use 802.1X port authentication, which will not allow any access until the user or device is authorised by the ACS, unless you enable the MAC bypass feature.

Without 802.1X it would be down to port security.

Below is an example of port security, storm control and IPSG (IP only) enabled on an access port, with errdisable recovery enabled for port security and storm control.

interface x/x
 description FastEthernet access-port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 storm-control unicast level 20.00
 storm-control action shutdown
 ip dhcp snooping limit rate 100
 ! DAI rate limiting is enabled by default on untrusted ports; the default limit is 15 pps
 ip arp inspection limit rate 14
 ! with the port-security keyword, IPSG validates the source MAC address as well as the IP
 ip verify source port-security
 udld port aggressive
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 no snmp trap link-status
 no logging event link-status
 no lldp transmit
 no lldp receive
 no cdp enable


sh errdisable recovery | in Enabled
psecure-violation    Enabled
storm-control        Enabled

Regards,
Paul


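The thread's conclusion is that an unmanaged switch sends no BPDUs, so BPDU guard never fires, and the only on-switch signal is that an access port learns more than the expected number of MAC addresses. The script below is an added example, not part of the original thread or of any Cisco tool: it parses constructed samples of `show mac address-table dynamic` and `show running-config` output (the sample text, the `MAX_MACS` threshold and the `audit` function are all assumptions made here) and reports access ports that have learned more MACs than expected, plus access ports that have no `switchport port-security` line and so would not block the excess addresses. Trunk ports are skipped because uplinks legitimately carry many MACs. Note the caveat the answers above imply: a single host behind an unmanaged switch looks identical to a directly connected host, so this check only sees the second device.

```python
"""Flag access ports that may have an unmanaged switch or hub behind them.

Added example for the thread above; not code from the thread or from Cisco.
It parses constructed samples of two IOS show commands and reports access
ports with more than MAX_MACS dynamically learned addresses (possible
unmanaged switch) and access ports that lack port-security entirely.
"""
import re
from collections import defaultdict

# One host per access port is the usual expectation; IP phone + PC
# deployments (as in Paul's config, maximum 2) would set this to 2.
MAX_MACS = 1

# Constructed sample shaped like `show mac address-table dynamic` output; not real data.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  10    0011.2233.4477    DYNAMIC     Fa0/2
  10    0011.2233.4488    DYNAMIC     Fa0/2
  20    aabb.ccdd.eeff    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 5
"""

# Constructed sample shaped like `show running-config` interface sections.
RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security maximum 1
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

# vlan, dotted-hex MAC, DYNAMIC, port; header and "Total ..." lines will not match.
MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+DYNAMIC\s+(\S+)\s*$", re.I
)

# IOS abbreviates interface names in the MAC table but not in the running config.
ABBREV = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_name(name):
    """FastEthernet0/2 -> Fa0/2, GigabitEthernet0/1 -> Gi0/1."""
    for long, short in ABBREV.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_mac_table(text):
    """Map short port name -> set of dynamically learned MAC addresses."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            ports[m.group(3)].add(m.group(2).lower())
    return dict(ports)


def parse_running_config(text):
    """Map short port name -> list of config lines under that interface."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = short_name(line.split()[1])
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the section
    return ifaces


def audit(mac_table_text, config_text, max_macs=MAX_MACS):
    """Return (port, finding) tuples for access ports only, in port order."""
    learned = parse_mac_table(mac_table_text)
    findings = []
    for port, lines in sorted(parse_running_config(config_text).items()):
        if "switchport mode access" not in lines:
            continue  # trunks/uplinks legitimately carry many MACs
        count = len(learned.get(port, set()))
        if count > max_macs:
            findings.append((port, f"{count} MACs learned (expected at most {max_macs}): "
                                   "possible unmanaged switch or hub"))
        # The bare command is what enables the feature; "maximum N" alone does nothing.
        if "switchport port-security" not in lines:
            findings.append((port, "no port-security configured; excess MACs are not blocked"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(MAC_TABLE, RUNNING_CONFIG):
        print(f"{port}: {finding}")
```

In a real deployment the two sample strings would come from the switch (for example over SSH, or from a config backup), and `max_macs` should match whatever `switchport port-security maximum` is set to on the access ports, otherwise the report will flag every phone-plus-PC port.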