03-07-2009 05:13 AM - edited 03-04-2019 03:50 AM
Hi,
We have a Cisco 4507; all department 2960 switches are connected to it.
How could I block different departments from cascading switches with department switches?
cisco4507=========2960====cascaded-switch2960
03-07-2009 05:15 AM
Are you talking about devices on VLANs not being able to talk to other devices on the same VLAN but connected to a separate switch? If the answer is yes, Private VLANs:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
HTH
03-07-2009 09:14 PM
Set "spanning-tree portfast" on ports in which you do not expect a switch to be connected (in essence on ports on which no loop will occur due to a device being connected there).
Along with that set "spanning-tree bpduguard enable"
When connecting a switch to a bpdu guard enabled port, this port will become disabled automatically as spanning tree bpdu messages are not expected to come from those ports.
You may want to read more about bpdu guard
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
This can have limited success though if anyone puts in a switch without spanning tree running on it.
If that's the case a solution to consider is to limit the number of mac addresses that are allowed to communicate on that port.
If on any port the number of hosts is expected to be 1 (there will be 2 if on that port there is an ip phone as well) adjust the allowed maximum mac-addresses on that port.
This is done by enabling port-security
switchport port-security
switchport port-security maximum 1
switchport port-security violation {protect | restrict | shutdown}
for further information read
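An added example, not part of the thread: a Python check over a saved running-config that flags non-trunk ports missing the BPDU guard and port-security settings described in the reply above. The sample config, the `audit` function name and the `max_macs` threshold of 2 (one host plus an IP phone) are assumptions made for this example.

```python
import re

# Constructed running-config excerpt (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 spanning-tree bpduguard enable
!
"""

def audit(config, max_macs=2):
    """Map each non-trunk port to the edge-port controls it is missing."""
    findings = {}
    # Each stanza runs from an "interface" line to the next unindented line.
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        if "switchport mode trunk" in cmds:
            continue  # uplinks legitimately carry BPDUs and many MACs
        issues = []
        if "spanning-tree bpduguard enable" not in cmds:
            issues.append("no bpduguard")
        if "switchport port-security" not in cmds:
            issues.append("no port-security")
        else:
            # IOS leaves the default "maximum 1" out of the running-config.
            found = re.findall(r"port-security maximum (\d+)", body)
            limit = int(found[-1]) if found else 1
            if limit > max_macs:
                issues.append(f"maximum {limit} exceeds {max_macs}")
        if issues:
            findings[name] = issues
    return findings
```

Ports that rely on the global `spanning-tree portfast bpduguard default` command are reported as "no bpduguard" by this check, because it only looks at per-interface lines.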