Blocking cascading switches.

Unanswered Question
Mar 7th, 2009

We have a Cisco 4507; all department 2960 switches are connected to it.

How could I block different departments from cascading switches with department switches?


c.captari Sat, 03/07/2009 - 21:14

Set "spanning-tree portfast" on ports in which you do not expect a switch to be connected (in essence on ports on which no loop will occur due to a device being connected there).

Along with that, set "spanning-tree bpduguard enable".

When connecting a switch to a bpdu guard enabled port, this port will become disabled automatically as spanning tree bpdu messages are not expected to come from those ports.

You may want to read more about bpdu guard

This can have limited success though if anyone puts in a switch without spanning tree running on it.

If that's the case a solution to consider is to limit the number of mac addresses that are allowed to communicate on that port.

If on any port the number of hosts is expected to be 1 (there will be 2 if on that port there is an ip phone as well) adjust the allowed maximum mac-addresses on that port.

This is done by enabling port-security:

switchport port-security

switchport port-security maximum 1

switchport port-security violation {protect | restrict | shutdown}

for further information read
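
An added example, not part of the original reply: a Python check that audits a saved running-config for the settings recommended above (portfast, BPDU guard, and a port-security maximum of 1, or 2 where an IP phone shares the port). The sample config and the function name `audit_access_ports` are constructed for illustration; it assumes access ports are marked with `switchport mode access` and that a voice VLAN indicates a phone.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
!
interface GigabitEthernet0/2
 switchport mode access
 switchport voice vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 5
!
interface GigabitEthernet0/3
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
"""
REQUIRED = ("spanning-tree portfast", "spanning-tree bpduguard enable",
            "switchport port-security")

def audit_access_ports(config):
    """Return {interface: [findings]} for access ports missing the controls."""
    findings = {}
    # Each stanza is an "interface X" line followed by space-indented lines.
    for name, body in re.findall(r"^interface (\S+)\n((?:[ ].*\n?)*)", config, re.M):
        lines = [l.strip() for l in body.splitlines()]
        if "switchport mode access" not in lines:
            continue  # trunks/uplinks legitimately carry BPDUs and many MACs
        issues = ["missing: " + cmd for cmd in REQUIRED if cmd not in lines]
        # One host per port, two when an IP phone (voice VLAN) shares it.
        phone = any(l.startswith("switchport voice vlan") for l in lines)
        allowed = 2 if phone else 1
        m = re.search(r"^ switchport port-security maximum (\d+)", body, re.M)
        maximum = int(m.group(1)) if m else 1  # IOS default maximum is 1
        if maximum > allowed:
            issues.append(f"maximum {maximum} exceeds {allowed}")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit_access_ports(SAMPLE_CONFIG))
```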

