Blocking cascading switches.

Unanswered Question
Mar 7th, 2009

Hi,

We have a Cisco 4507; all department 2960 switches are connected to it.

How could I block different departments from cascading switches with their department switches?

cisco4507=========2960====cascaded-switch2960

c.captari Sat, 03/07/2009 - 21:14

Set "spanning-tree portfast" on ports on which you do not expect a switch to be connected (in essence, on ports where no loop will occur due to the device connected there).

Along with that, set "spanning-tree bpduguard enable".

When a switch is connected to a BPDU guard enabled port, that port will become disabled automatically, as spanning-tree BPDU messages are not expected to arrive on those ports.

You may want to read more about BPDU guard:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

This can have limited success, though, if anyone puts in a switch without spanning tree running on it.

If that's the case, a solution to consider is to limit the number of MAC addresses that are allowed to communicate on that port.

If on any port the number of hosts is expected to be 1 (there will be 2 if there is an IP phone on that port as well), adjust the allowed maximum MAC addresses on that port.

This is done by enabling port security:

    switchport port-security
    switchport port-security maximum 1
    switchport port-security violation {protect | restrict | shutdown}

For further information, read:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.1E/native/configuration/guide/port_sec.html
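The two measures from the answer above combined into one access-port configuration for a 2960, as an added example that is not part of the original post or of c.captari's reply. The interface range, VLAN numbers, description and recovery interval are assumptions for illustration; the commands themselves are standard Catalyst IOS. Port security is set to allow two addresses so that a PC behind an IP phone still works, while a third address (the first host behind a cascaded switch) trips the violation. The global "bpduguard default" line is a belt-and-braces setting: it applies BPDU guard to every PortFast port even if someone forgets the per-interface command.

```cisco
! ---- Global settings (example values, not from the original thread) ----
! Apply BPDU guard automatically to every port that has PortFast enabled.
spanning-tree portfast bpduguard default
!
! Let err-disabled ports come back on their own after 5 minutes instead of
! needing a manual "shutdown / no shutdown". Remove these lines if you prefer
! the port to stay down until someone looks at it.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! ---- User-facing access ports (assumed range FastEthernet0/1-24) ----
interface range FastEthernet0/1 - 24
 description User access port - no downstream switches allowed
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 !
 ! Edge port: go straight to forwarding, and err-disable if a BPDU arrives
 ! (i.e. a spanning-tree capable switch was plugged in).
 spanning-tree portfast
 spanning-tree bpduguard enable
 !
 ! Catch switches that do NOT speak spanning tree: allow one PC plus one
 ! IP phone, err-disable the port as soon as a third MAC address shows up.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! ---- Uplink to the 4507: NEVER portfast/bpduguard/port-security here ----
interface GigabitEthernet0/1
 description Uplink to 4507
 switchport mode trunk
 no spanning-tree portfast
 no spanning-tree bpduguard enable
 no switchport port-security
!
! ---- Verification commands ----
! show spanning-tree summary              -> "Portfast BPDU Guard Default is enabled"
! show port-security interface Fa0/1     -> max 2, violation shutdown, current count
! show interfaces status err-disabled    -> ports tripped by bpduguard / psecure-violation
! show errdisable recovery               -> which causes auto-recover and the timer
```

Two points to check before rolling this out. First, "switchport mode access" has to be set before port security will accept the interface (a dynamic/trunk port is rejected), so keep that line in the order shown. Second, "violation shutdown" is the only mode that makes the problem visible (a syslog and an err-disabled port); "protect" silently drops the extra hosts and "restrict" only logs, so a department that cascades a switch under "protect" just sees flaky connectivity rather than a clear failure.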
