Blocking Layer2 network updates

Unanswered Question
Jun 13th, 2007

Hi,

We have a hardware supplier that need to connect a cisco switch to our backbone network.

We also can't manage this switch, the problem now is that the switch can send CDP info, VTP updates, Spanning Tree etc ... to our switch port.

Is there a way we can protect ourself against these types of traffic. I was thinking something like Layer2 access-lists ?

We're running Catos, they IOS

cheers,

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ohassairi Thu, 06/14/2007 - 00:03

cdp that he can send is not harmful.

for vtp, you can either ask him to configure its sw in transparent mode or protect your vtp by a domain name and password.

for spanning tree if you want to ignore the BPDU he sends to your network then configure "BPDU filtering" feature in your interface connected to its sw.

andrewleki Thu, 06/14/2007 - 23:39

Of course we can ask them to configure the switch like it should be. And I'am sure they would, but we don't have control if they do some wrong configuration in the future.

We like to block that kind of traffic on our side, not on them switch.

regards,

-al-

Jon Marshall Thu, 06/14/2007 - 23:46

Hi

i think the suggestions made by Oussama were to do with blocking the traffic on your side ie.

1) Use VTP domain name / password so that the customer switch cannot join your VTP domain and pass updates

2) Enable BPDU filtering on the switch port on your switch so all spanning tree BPDU's are ignored. You obviously need to ensure that you then don't connect the customer switch with another connection.

Jon

Konstantin Dunaev Thu, 06/14/2007 - 23:52

1. "no cdp enable" on the interface (or was it "no cdp run"? ) will disable the sending of CDP on a cirtain interface. recieving of CDP is harmloss

2. You should configure your VTP domain with name and password, then the VTP information from other switch will not have any influence on your VTP

3. you can configure rootguard on the port to protect you network from new STP root. filter of BPDU's is not a best practice on the interface which connected to other switch, there is possibility of loop.

You can configure the trunks with only a necessary VLANs, which should be seen by other switch, this will reduce the influance on your network in case of any STP change on their side.

Actions

This Discussion