Port security shuts down switch stack.

akern
Level 1

In one of our schools we have multiple Cat3750 stacks. Recently a student/teacher plugged an ethernet cable into two wall jacks and created a physical loop on one of the switches in the stack. When this happened, all traffic leaving/entering the stack stopped and only traffic local to the stack would flow. Is there anything we can add/remove from our configuration that could prevent this from happening again?

Accepted Solution

Edison Ortiz
Hall of Fame

Adam,

As Global mentioned, spanning-tree bpdu-guard will prevent this issue in the future.

With that said, there are 2 ways of implementing this feature; global or interface level.

At the global level, you use the command spanning-tree portfast bpduguard default while at the interface level, you use the command spanning-tree bpduguard enable

The main difference between the two commands is that the global one will only enable bpduguard protection on portfast-enabled ports, for instance client ports, while the second command will enable bpduguard at the interface level regardless of its portfast status.

If you implement portfast only on client ports, the first option would be the recommended choice as you don't need to worry about not enabling bpduguard on inter-switch links (they don't have portfast enabled).

The second choice provides a higher degree of security, but you need to be careful that it isn't applied to an inter-switch link.

HTH,

__

Edison.

Please rate helpful posts


5 Replies

gesadmin1
Level 1

bpdu-guard would be one thing to add under all physical interfaces that are in portfast mode. Can you post the output from one of your interfaces so we can see what you've already got implemented?

Thank you for the suggestion. I am looking into the BPDU-guard feature. Here is the configuration for one of our interfaces.

interface FastEthernet4/0/25
 switchport access vlan 16
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos trust cos
 storm-control broadcast level 2.00
 storm-control action trap
 spanning-tree portfast

Thanks again.

I use bpduguard at global level.

It's a good idea to configure a recovery timer.

errdisable recovery cause bpduguard
errdisable recovery interval 30
!
spanning-tree portfast bpduguard default

errdisable recovery interval: http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml

Guido.

Please rate all the helpful comments.
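As an added example (not code from any post in this thread), the Python script below applies Edison's global-versus-interface rule and Guido's recovery-timer advice to a running-config as an audit: it flags portfast ports with no BPDU guard, flags interface-level bpduguard on non-portfast ports so an uplink is not guarded by mistake, and warns when BPDU guard is in place without errdisable recovery. WEAK_CONFIG is a constructed sample built from the FastEthernet4/0/25 interface akern posted plus an assumed trunk uplink (GigabitEthernet1/0/1 is an assumption, not from the thread); HARDENED_CONFIG is the same switch with the three global lines from Guido's post added.

```python
"""Audit a Cisco IOS running-config for the gap this thread is about:
edge ports with 'spanning-tree portfast' but no BPDU guard, so a cable
looped between two wall jacks is never errdisabled.
Added example; not code from any post in the thread."""
import re

GLOBAL_GUARD = "spanning-tree portfast bpduguard default"  # covers portfast ports only
IFACE_GUARD = "spanning-tree bpduguard enable"             # covers this port regardless of portfast
PORTFAST = "spanning-tree portfast"
RECOVERY_CAUSE = "errdisable recovery cause bpduguard"

# Constructed sample: akern's posted FastEthernet4/0/25 plus an assumed
# trunk uplink (GigabitEthernet1/0/1 is an assumption, not from the thread).
WEAK_CONFIG = """\
!
interface FastEthernet4/0/25
 switchport access vlan 16
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 mls qos trust cos
 storm-control broadcast level 2.00
 storm-control action trap
 spanning-tree portfast
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
"""

# Same switch with the three global lines from Guido's post added.
HARDENED_CONFIG = (
    "errdisable recovery cause bpduguard\n"
    "errdisable recovery interval 30\n"
    "spanning-tree portfast bpduguard default\n"
) + WEAK_CONFIG


def parse_config(text):
    """Split a running-config into global commands and {interface: [commands]}.
    IOS indents interface sub-commands by one space; a '!' line ends a block."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text):
    """Return (scope, finding) tuples; an empty list means every portfast
    edge port is BPDU-guarded and a looped port will recover on its own."""
    global_cmds, interfaces = parse_config(text)
    global_guard = GLOBAL_GUARD in global_cmds
    recovery = RECOVERY_CAUSE in global_cmds
    interval = None
    for cmd in global_cmds:
        m = re.fullmatch(r"errdisable recovery interval (\d+)", cmd)
        if m:
            interval = int(m.group(1))
    findings, guarded = [], 0
    for name, cmds in interfaces.items():
        portfast = PORTFAST in cmds  # exact match; 'portfast trunk' variants are not treated as edge ports
        # The global default only protects portfast ports; the interface
        # command protects the port whatever its portfast status.
        protected = IFACE_GUARD in cmds or (global_guard and portfast)
        if portfast and not protected:
            findings.append((name, "portfast edge port without BPDU guard; "
                             "a looped cable is not errdisabled"))
        if IFACE_GUARD in cmds and not portfast:
            findings.append((name, "interface-level bpduguard on a non-portfast "
                             "port; confirm it is not an inter-switch link"))
        if protected:
            guarded += 1
    if guarded and not recovery:
        findings.append(("global", "no 'errdisable recovery cause bpduguard'; a guarded "
                         "port stays down until someone does shut/no shut"))
    elif recovery and interval is None:
        findings.append(("global", "recovery enabled without 'errdisable recovery "
                         "interval'; the 300 s default applies"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Feed it the text of `show running-config` from each stack member; the weak sample produces one finding for FastEthernet4/0/25 and the hardened one produces none. The script deliberately treats the global default as covering only portfast ports, which is exactly why it is the safer choice when portfast is confined to client ports: uplinks never pick up bpduguard by accident.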

Leo Laohoo
Hall of Fame

Where is the spanning-tree bpduguard enable?

