Port security shuts down switch stack.

Answered Question

In one of our schools we have multiple Cat3750 stacks. Recently a student/teacher plugged an Ethernet cable into two wall jacks and created a physical loop on one of the switches in the stack. When this happened, all traffic leaving/entering the stack stopped and only traffic local to the stack would flow. Is there anything we can add/remove from our configuration that could prevent this from happening again?

Correct Answer by Edison Ortiz, Tue, 06/09/2009 - 14:14 (about 7 years 8 months ago)

Adam,


As Global mentioned, spanning-tree bpdu-guard will prevent this issue in the future.


With that said, there are 2 ways of implementing this feature; global or interface level.


At the global level, you use the command spanning-tree portfast bpduguard default, while at the interface level, you use the command spanning-tree bpduguard enable.


The main difference between the two commands is that the global one will only enable bpduguard protection on portfast-enabled ports, for instance client ports, while the second command will enable bpduguard at the interface level regardless of its portfast status.


If you implement portfast only on client ports, the first option would be the recommended choice as you don't need to worry about not enabling bpduguard on inter-switch links (they don't have portfast enabled).


The second choice provides a higher degree of security, but you need to be careful that it isn't applied to an inter-switch link.


HTH,


__


Edison.


Please rate helpful posts


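The two options Edison describes, turned into a check a network admin can run over a saved running-config. This is an added example, not code from the thread: it flags PortFast ports that neither the global default nor a per-interface command protects, and flags interface-level bpduguard on trunk ports (the inter-switch-link caveat above). The sample config is constructed, modelled loosely on the interface posted in the thread.

```python
"""Audit a Cisco IOS config for BPDU guard coverage on PortFast ports (added
example, not from the thread): the global 'spanning-tree portfast bpduguard
default' covers every PortFast port; 'spanning-tree bpduguard enable' is per port."""

# Constructed sample config, modelled loosely on the interface posted above.
SAMPLE_CONFIG = """\
!
interface FastEthernet4/0/25
 switchport access vlan 16
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet4/0/26
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 spanning-tree bpduguard enable
!
"""

def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} per interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit_bpduguard(config):
    """Flag PortFast ports with no BPDU guard coverage, and trunk ports where
    per-interface bpduguard could err-disable an inter-switch link."""
    global_default = "spanning-tree portfast bpduguard default" in config.splitlines()
    findings = {"unprotected_portfast": [], "bpduguard_on_trunk": []}
    for name, lines in parse_interfaces(config).items():
        # 'spanning-tree portfast' and 'portfast trunk' count; 'portfast disable' does not
        portfast = any(l.startswith("spanning-tree portfast") and not l.endswith("disable") for l in lines)
        per_if = "spanning-tree bpduguard enable" in lines
        if portfast and not (global_default or per_if):
            findings["unprotected_portfast"].append(name)
        if "switchport mode trunk" in lines and per_if:
            findings["bpduguard_on_trunk"].append(name)
    return findings
```

Run it against `show running-config` output saved to a file; adding the global default line to the config clears the unprotected list but not the trunk finding.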
gesadmin1 Tue, 06/09/2009 - 04:23

BPDU guard would be one thing to add under all physical interfaces that are in portfast mode. Can you post the output from one of your interfaces so we can see what you've already got implemented?

Thank you for the suggestion. I am looking into the BPDU-guard feature. Here is the configuration for one of our interfaces.


interface FastEthernet4/0/25
 switchport access vlan 16
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos trust cos
 storm-control broadcast level 2.00
 storm-control action trap
 spanning-tree portfast



Thanks again.

BrinksArgentina Tue, 06/09/2009 - 14:42

I use bpduguard at global level.

It's a good idea to configure a recovery timer.


errdisable recovery cause bpduguard
errdisable recovery interval 30
!
spanning-tree portfast bpduguard default




errdisable recovery interval

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml



Guido.

Please rate all the helpful comments.



