Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12525
Views
0
Helpful
13
Replies

Prevent network loop

yoyo_the_king
Level 1
Level 1

‎04-28-2009 07:14 AM - edited ‎03-06-2019 05:25 AM

Hi all,

i have a question about how can i prevent a malintentioned user from:

plug in a Hub on point A on switch and plug the other interface on a hub to point B on the same switch.

and make a network loop.

i ask for hub because they aren't support stp and bpduguard can't detect it.

thanks in advance

Labels:
0 Helpful
13 Replies 13

rais
Level 7
Level 7

‎04-28-2009 07:20 AM

A switch, with STP enabled, would detect it because in effect the two ports on a switch are being connected together.

The BPDUs from one port on switch will show up on the other. This would shut one of the ports on switch down.

Thanks.

0 Helpful

yoyo_the_king
Level 1
Level 1
In response to rais

‎04-28-2009 07:33 AM

Hi, thanks for your response,

my case is like you plug in a cable on point A and plug the other end to point B on the same switch.

then the switch will detect bpdu of himself and shutdwon interfaces.

it's right?

0 Helpful

davy.timmermans
Level 4
Level 4
In response to yoyo_the_king

‎04-28-2009 07:44 AM

TRUE, if BPDUguard is configured on the ports

0 Helpful

yoyo_the_king
Level 1
Level 1
In response to davy.timmermans

‎04-28-2009 07:51 AM

and however portfast is configured too?

0 Helpful

davy.timmermans
Level 4
Level 4
In response to yoyo_the_king

‎04-28-2009 07:59 AM

it will work with or without portfast has been configured.

Off course it's a good practice (almost 'mandatory') to configure also portfast on access ports, thus ports connecting to end users. Otherwise the port will need to pass all STP states before it's able to request a DHCP address.

0 Helpful

yoyo_the_king
Level 1
Level 1
In response to davy.timmermans

‎04-28-2009 08:02 AM

thankyou verry much

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to yoyo_the_king

‎04-28-2009 08:28 AM

Hello Yoyo,

I'm not sure that with STP portfast enabled BPDU guard is enough to protect for this event: it should be but becomes a question of timing.

Hope to help

Giuseppe

0 Helpful

davy.timmermans
Level 4
Level 4
In response to Giuseppe Larosa

‎04-28-2009 10:33 AM

Hi Guiseppe,

what do you mean with a question of timing?

The configuration of BPDUguard and portfast are two independent parameters to configure.

Even if the ports become immediately forwarding, upon receipt of a BPDU inbound (viewpoint switch), the switchport will go in errdisable.

The only thing you may not configure is BPDUfilter

Or am I missing a rare situation where this is not the case?

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to davy.timmermans

‎04-28-2009 10:45 AM

Hello Davy,

I agree with you.

BPDU filter is something that should never be used in an enteprise network.

However, I remember a similar thread of some mounths ago, where other collegues were speaking of some bad experiences relying only on BPDU guard and were suggesting to combine it with port security.

So the message I've received is that there can be cases where BPDU guard is not enough.

It may be a question of timing or also of how much broadcast traffic is on the network when the event happens.

Hope to help

Giuseppe

0 Helpful

davy.timmermans
Level 4
Level 4
In response to Giuseppe Larosa

‎04-28-2009 10:50 AM

but if you connect only a hub or directly connect two ports with a single link, port-security won't help ;-)

But I got your point

edit:

port-security will finaly work when it receive other broadcasts than BPDU.

0 Helpful

davy.timmermans
Level 4
Level 4

‎04-28-2009 07:21 AM

if you configure BPDUguard on the access port, the port will go in errdisabled state.

But you may not configure BPDUfilter on the access port because this will prevent sending BPDU messages out on these ports.

The switch will send out BPDU messages out all forwarding ports. Thus also to the port where the hub is connected. The hub will forward it out all ports except the port it received the message. A port configured with BPDU guard will go into errdisabled upon receive of a BPDU

message.

0 Helpful

bretjaquish
Level 3
Level 3

‎04-28-2009 07:21 AM

Cisco Switch Port Security features can help you with this one.

BPDUGuard is great, but it only works with STP enabled devices. Regardless if its a switch or a hub.

The command for that port-security feature is:

Switchport port-security max XX

Just remember that you might want this higher than a value of 1, depending on your environment. Phones, Access Points, etc.

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎04-28-2009 07:21 AM

Hello Yoyo,

STP BPDU guard can be effective or not in detecting this.

with portfast the risk is that a loop is created before the switch ports see each other BPDUs.

Other features you can use to further protect the network include:

storm-control

and port security with action error-disable and a low max MAC addresses on port.

Adding these two provide you further protection.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_40_se/configuration/guide/swtrafc.html

Hope to help

Giuseppe

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card