
Outside switch restriction

Shibu1978
Level 1

Dear All,

I would like to restrict outside switches from connecting to our network. It has been noticed that employees bring 8-port switches to the workplace and connect them to their LAN port. From there they extend the connection to personal laptops, etc.

I have heard that connecting high-revision switches to the network will wash out the entire VLAN configuration of the existing network.

How can we restrict outside switches from connecting to our network?

Thanks

4 Replies

John Blakley
VIP Alumni

If your edge switches are Cisco, you can use BPDU guard with PortFast enabled on the ports that you want to protect. When the switch senses a BPDU on that port, the port will shut down in an err-disabled state. You can have the port automatically re-enable after it stops hearing BPDUs by using:

"errdisable recovery cause bpduguard"

"errdisable recovery interval "

HTH,

John


Amit Singh
Cisco Employee

You can use a few IOS features for this, such as port security with a maximum count of 1, BPDU guard to disable the port, BPDU filter, root guard, etc.

Please go through some of the features here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_40_se/configuration/guide/scg.html

HTH

Edison Ortiz
Hall of Fame

Configuring BPDU guard on access ports may alleviate the problem if the switches send BPDUs.

As we know, most SOHO switches do not send BPDUs, so you are left with implementing port security on the access ports.

As to how many MAC addresses are allowed on each switchport, the answer is: it depends. If you have VoIP, then you need 2 MACs in the access VLAN and 1 MAC in the voice VLAN. If you don't have VoIP, then you can configure each switchport for 1 MAC.

HTH,


Edison.
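The two controls the replies above rely on (BPDU guard for switches that send BPDUs, port security for the SOHO switches that do not) only help if they are actually present on every access port. The following is an added example, not code from the thread or from Cisco: a small audit that parses a constructed IOS running-config and lists access ports that are missing either control. The interface names, VLAN numbers and the maximum-3/2-access/1-voice port-security figures in the sample are assumptions chosen to match Edison's VoIP case.

```python
import re

# Constructed sample running-config (not from the thread): Gi0/1 carries the
# controls the replies describe, Gi0/2 is a bare access port with neither.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security maximum 2 vlan access
 switchport port-security maximum 1 vlan voice
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
!
"""

# (label, exact interface line that must be present on an access port)
CONTROLS = [("bpduguard", "spanning-tree bpduguard enable"),
            ("port-security", "switchport port-security")]

def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each stanza."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return ifaces

def audit(config):
    """Map each access port to the controls it lacks; trunks/uplinks are skipped."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        missing = [label for label, cmd in CONTROLS if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings
```

Run it against the output of `show running-config` to get a list of ports that would still accept an employee's 8-port switch.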

Joseph W. Doherty
Hall of Fame

"Heard that connecting high-revision switches into the network will wash out the entire VLAN configuration of the existing network."

That's possible if it's a Cisco switch with VTP. There are VTP options to minimize or negate this risk, especially in the later VTP features.

"How to restrict outside switches connecting to our network?"

Difficult to do unless you're using some of the latest Cisco switches and access-port authentication. Not positive, but I recall some switches might support a simple method to limit the number of MACs allowed active on an access port. However, NAT-type devices can hide the number of devices behind a single MAC.
