As Edison says, the port-security is probably best.

If you *really* need to control "clever" users, then you also should set your TTL (Time-to-Live)such that if they drop in a consumer router (for NAT and expand ports) the TTL expires and there's no connection.

I hope the employee was fired for a violation of the policies. You *-DO-* have a policy, don't you?

Good Luck

Scott

Hello John,

here what helps is

STP bpduguard it should disable both links or at least one of the two:

the designated port will propagate BPDUs and the other port should go in errordisable for the fact of receiving BPDUs regardless of their content.

I think this is the scenario for using this command.

This works if the user switch has the bpduguard feature.

Instead BDPU filter is to be avoided because it is just the opposite : it makes the ports silent and they cannot detect each other.

BPDU filter is to be used only on some L2 Service provider scenarios not inside an enterprise.

port security can help too.

I tested BPDU guard 4 years ago on CatOS and IOS switches and it worked the way I described above.

Hope to help

Giuseppe

John

I think Scott has hit the nail on the head. You could use port-security and we do to make sure that users don't connect hubs to their PC ports by limiting the amount of mac-addresses seen on the switchport. You could use BPDUGuard but that is assuming that the switches support these features. If they do great but quite often users can plug in their own switch/hub and create the very same problems.

So it really comes down to a security policy that all users are aware of and are also aware of the consequences if they do something they shouldn't.

There are a lot of features you can use to mitigate against these things and if the features are available then i would use them but in the end if a user wants to do something really stupid they probably will :-)

Jon

L2 best practices suggest disabling any unused ports.