Template(best practice) for Switch ports

Oct 8th, 2009

Hi,

Looking for best practice advice on switchport config for client facing ports.

We recently had an incident where an access port turned into a trunk (trunk mode desirable), which we obviously do not want to happen again!

For Access Ports (first two should stop DTP, I'm hoping?):

switchport mode access
switchport nonegotiate
storm-control broadcast level 20.00
storm-control action trap
no cdp enable
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree guard root
switchport port-security maximum 10
switchport port-security
switchport port-security aging time 10

And for trunk ports to clients:

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan xxx,xxx
switchport nonegotiate
storm-control broadcast level 20.00
storm-control action trap
no cdp enable
spanning-tree bpdufilter enable
spanning-tree guard root

Thanks in advance.

Leo Laohoo Thu, 10/08/2009 - 17:15

For access, I'd rather use "spanning-tree bpduguard enable" instead of "bpdufilter".

For your trunks, if you have fibre optics, I'd look at putting "udld port aggressive". Take note that 2940/2950 or 2960 won't accept the command "switchport trunk encapsulation dot1q" because their default is already dot1q.

Depending on the IOS you are using, try using SmartPort macros.

Configuring SmartPort Macros

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_18_se/configuration/guide/swmacro.html

Giuseppe Larosa Thu, 10/08/2009 - 21:43

Hello John,

I agree with Leo: stay away from spanning-tree bpdufilter.

There can be some security focused case studies suggesting it but it is really not the right tool in an enterprise network.

Use spanning-tree bpduguard instead, also on trunk ports to clients.

Remove also spanning-tree guard root and use only bpduguard.

You can put storm control at lower levels (we use 1.00% on /24 subnets on GE ports).

And I would leave it to drop exceeding traffic instead of simply sending a trap.

Storm control is effective in helping during bridge loops and broadcast storms.

About port security:

be aware that using port security means using a separate smaller CAM table: you may find yourself out of space if you allow 10 mac address per port.

I would suggest for user ports to use 3 to allow a simple cable swap between two NICs.

You are right about DTP; it should be disabled with

switchport mode access
switchport nonegotiate

Hope to help

Giuseppe
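An audit script for the access-port template discussed in this thread, as an added example that is not part of the thread or any poster's code: it parses a constructed running-config excerpt and reports, per interface, which of the recommendations above are missing (mode access plus nonegotiate against DTP, bpduguard rather than bpdufilter, port-security with at most three MACs, storm control that drops rather than only traps). The sample interfaces and the REQUIRED/RISKY lists are assumptions built from the thread's advice.

```python
import re
# Constructed "show running-config" excerpt (not from the thread): Gi1/0/1 follows the
# thread's advice; Gi1/0/2 is the kind of port the original poster saw become a trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 3
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode dynamic desirable
 switchport port-security maximum 10
 switchport port-security
 spanning-tree bpdufilter enable
 storm-control action trap
!
"""
REQUIRED = ("switchport mode access", "switchport nonegotiate",       # no DTP
            "spanning-tree bpduguard enable", "switchport port-security")
RISKY = ("switchport mode dynamic",          # DTP may negotiate a trunk
         "spanning-tree bpdufilter enable",  # hides a loop or rogue switch
         "storm-control action trap")        # trap only; thread prefers dropping
MAX_MACS = 3                                 # Giuseppe's suggestion for user ports

def parse_interfaces(config):
    """Split running-config text into {interface name: [stripped config lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None        # end of the stanza
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces

def audit_access_port(lines):
    """Findings for one client-facing access port; an empty list means it matches."""
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in lines]
    findings += [f"risky: {cmd}" for cmd in RISKY if any(l.startswith(cmd) for l in lines)]
    for l in lines:
        m = re.fullmatch(r"switchport port-security maximum (\d+)", l)
        if m and int(m.group(1)) > MAX_MACS:
            findings.append(f"port-security maximum {m.group(1)} > {MAX_MACS}")
    return findings
```

Feed it the text of a real "show running-config" instead of SAMPLE_CONFIG to check every interface stanza at once; trunk ports will of course show "missing: switchport mode access", so filter those by description or mode before acting on the report.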

johnelliot6 Sat, 10/31/2009 - 17:13

Hi Guys,

With the following config (on a trunk port), the port will go into err-disable if a BPDU is received.

spanning-tree bpduguard enable

But with the following, it will only filter BPDUs, correct?

spanning-tree bpdufilter enable
spanning-tree guard root

Wouldn't the second option be preferred?

Reason is that I do not control what a client has configured on their connecting trunk port; therefore, we could receive BPDUs... which would result in the port shutting down?

Thanks.

a.cruea1980 Sat, 10/31/2009 - 20:02

Look here: http://www.cisco.com/en/US/docs/solutions/Enterprise/Branch/E_B_SDC1.html#wp68930

That's Cisco's branch design doc from Design Zone.

For those that want a fast answer:

For VoIP phones and PC:

interface GigabitEthernet1/0/6 - interface GigabitEthernet1/0/23
description phone with PC connected to phone
switchport access vlan 102
switchport mode access
switchport voice vlan 101
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
load-interval 30
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
mls qos trust device cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source
ip dhcp snooping limit rate 100
!

For data only:

interface GigabitEthernet1/0/24 - interface GigabitEthernet1/0/28
description DATA only ports
switchport access vlan 102
switchport mode access
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 100
load-interval 30
srr-queue bandwidth share 1 70 25 5
srr-queue bandwidth shape 3 0 0 0
priority-queue out
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source
ip dhcp snooping limit rate 100
!

That's Cisco's recommendation.

And just my opinion is that I'd much rather shut a port down that receives a BPDU than just filter it. Reason being that you can't trust users not to do something stupid, like hook two switch ports to the same switch they're using at their desk in an effort to "make the network faster". For two, if someone malicious plugs a switch into your environment, shut the port down... that makes it hard for them to do anything malicious.

johnelliot6 Sat, 10/31/2009 - 20:19

Thanks for the link.

I guess my issue is that we have trunk ports to "clients" that we also receive services over... therefore if the port goes into err-disable due to a BPDU being received, a lot of our clients are affected.

In this type of environment, is bpdufilter and guard root a better option?

iyde Sun, 11/01/2009 - 09:30

Hi.

First, you are aware of the possibilities of the errdisable recovery commands?

Secondly, if you have things like services etc. coming over an interface, it sounds to me like a trunk port. Bpduguard and guard root are, as far as I am aware, to be used on access client ports. In other words, on all interfaces with end-users you use them, but on trunks and ports where you have services you will not use them.

If you are sure about what gets connected to a port, like e.g. a connection to your Service Provider, then bpdufilter will be the best option because it disconnects your Spanning Tree domain from the Spanning Tree domain of the SP.

HTH, Ingolf

pathak_mrinal Fri, 04/24/2015 - 19:49

PortFast should be configured only on ports that are connected to end host devices that terminate VLANs and from which the port should never receive STP BPDUs.

For Access Ports that terminate VLANs (eg. ports that connect to an end-station), enable STP PortFast:

Switch(config-if)# spanning-tree portfast

For Access Ports that propagate VLANs (eg. ports that connect to another switch or a port that connects to a router for bridging), disable STP PortFast:

Switch(config-if)# spanning-tree portfast disable

While BPDU Guard should be configured along with PortFast to shut down PortFast-enabled ports if they receive a BPDU.

Global command to enable BPDU Guard on all ports where STP PortFast is enabled:

Switch(config)# spanning-tree portfast bpduguard default

Disable BPDU Guard on trunk ports that propagate VLANs to avoid trunk ports going into err-disabled/shut down state:

Switch(config-if)# spanning-tree bpduguard disable
