Hub/Switch - Restriction

Answered Question
Jan 15th, 2010

Hi

How do I restrict the helpdesk or users from plugging a hub or switch into the network?

If a hub/switch is connected to the switchport, then the port should go down or be disabled.

What are other security recommendations for the User_switch and BackBone Switch?

cheers

TOM

glen.grant Fri, 01/15/2010 - 11:36

On a manageable switch, configure port security so it will only allow a single MAC address on the port; if someone plugs in a hub, then as soon as he plugs another PC in, it will shut down the port.

tomfree_leo Fri, 01/15/2010 - 11:57

What steps are needed to configure port security?

Users will be changing desks due to shifts; hopefully MAC address security won't irritate.

krishnakumarr Sat, 01/16/2010 - 00:35

Hi

We can't do any restrictions on a hub, but we can on managed switches.

 switchport                              ! put the port in Layer 2 (switchport) mode
 switchport access vlan 10               ! access VLAN 10
 switchport mode access                  ! port acts in access mode
 switchport voice vlan 11                ! voice VLAN 11
 switchport port-security                ! enable port security
 switchport port-security maximum 2      ! allow at most 2 MAC addresses; when a 3rd MAC is learned the port goes to the shutdown (err-disabled) state
 switchport port-security aging time 1   ! aging time for learned secure addresses, in minutes
 end


 switchport
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 11
 switchport port-security
 switchport port-security mac-address <mac-address>   ! only this one MAC address is allowed (it is bound to the port); if another MAC is learned, the port goes to the shutdown state
 switchport port-security aging time 1
 end

regards

krishna kumar
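
A fuller version of the access-port configuration above, added here as an example and not part of krishna kumar's post: it keeps the two-address limit (one PC plus one phone) but relies on dynamic learning with inactivity aging, so a user who changes desks is not bound to a single port, and it makes the violation action explicit. The interface name and the aging timer are assumptions; the VLAN numbers follow the post.

```cisco
! Added example, not from the thread. Interface name and timer are assumptions.
interface GigabitEthernet0/1
 description USER-PORT
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 11
 !
 ! Port security: at most 2 secure MACs on the port, split as 1 data + 1 voice.
 ! A hub or unmanaged switch behind the port shows up as an extra data MAC and
 ! trips the violation.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 !
 ! Learn addresses dynamically and age them out after 5 minutes without traffic,
 ! so a PC that moves to another desk frees its slot here automatically.
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 !
 ! shutdown (the default) err-disables the port on a violation and logs it;
 ! "restrict" would instead drop the offending frames and log, leaving the port up.
 switchport port-security violation shutdown
 !
 ! End-host port: skip STP listening/learning delay.
 spanning-tree portfast
!
! Verification after a user has connected:
!   show port-security interface GigabitEthernet0/1   <- status, counts, violation mode
!   show port-security address                         <- learned secure MACs and remaining age
```

Use "violation shutdown" where a tripped port should stay visible in "show interfaces status err-disabled" until someone looks at it; "restrict" suits ports where availability matters more than catching the event by a port outage.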

Ganesh Hariharan Sat, 01/16/2010 - 02:38

Hi Tom,

If you have a threat that somebody will plug a hub or switch into your network switch, then the best method recommended in a switching environment is to enable the BPDU guard or root guard feature on the switch.

The BPDU guard feature is designed to allow network designers to keep the active network topology predictable. BPDU guard is used to protect the switched network from the problems that may be caused by the receipt of BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.

The Root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.

Following are the commands to enable BPDU guard on the switch:

spanning-tree portfast bpduguard

spanning-tree guard root


Configuring PortFast BPDU Guard on Switch-C:

Switch-C# configure terminal
Switch-C(config)# spanning-tree portfast bpduguard

Hope that clears up your query!!

If helpful do rate the valuable post.

Regards

Ganesh.H

tomfree_leo Sat, 01/16/2010 - 04:05

Thanks ganesh

Do the steps you mentioned need to be applied on the BackBoneSwitch and EndUser Switch, or just on the EndUserSwitch?

It's a VTP domain and VTP client setup for the BackBone Switch and EndUser Switch.

If a wireless access point is installed on the switchport, will it be impacted?

cheers

Tom

Ganesh Hariharan Sat, 01/16/2010 - 04:11

Tom.

As I have already stated, BPDU guard and root guard are enabled at the end-user switch, where you have the threat that somebody will connect a switch or hub instead of a desktop PC.

BPDU guard and root guard will help and put the port into err-disable/shutdown if they see any BPDU packets on that port. So if you connect a wireless access point or any other device, it will work unless it sends some BPDU on that port, in which case the switch will put that port into a non-working state.

Hope that clears up your query!!

If helpful do rate the valuable post.

Regards

Ganesh.H

tomfree_leo Sat, 01/16/2010 - 04:18

Thanks

If the port goes into the error-disable state, how do I clear the error-disable state?

Correct Answer
Ganesh Hariharan Sat, 01/16/2010 - 04:24

Hi Tom,

Generally BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port. The disablement effectively denies devices behind such ports from participation in STP. You must manually re-enable the port that is put into errdisable state or configure errdisable-timeout.

Hope that clears up your query!!

If helpful do rate the valuable post.

Regards

Ganesh.H
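
A placement example for BPDU guard and root guard, added here as an example and not part of Ganesh's answer, that also covers the err-disable question from the thread: BPDU guard on the end-user switch's PortFast access ports, root guard on the backbone switch's port that faces the end-user switch (the side that must stay nearer the root bridge), and errdisable recovery so a tripped port returns after a timer instead of waiting for a manual shutdown/no shutdown. Interface names, the interface range and the 300-second interval are assumptions; the global "spanning-tree portfast bpduguard default" line is the form current IOS releases use for the global BPDU guard command quoted in the answer.

```cisco
! Added example, not from the thread. Interface names/ranges and the
! recovery interval are assumptions.
!
! ===== End-user (access) switch =====
! Global form: every port running PortFast gets BPDU Guard.
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet0/1 - 24
 description USER-PORTS
 switchport mode access
 spanning-tree portfast
 ! Per-interface form, for ports that must have it regardless of the global setting.
 spanning-tree bpduguard enable
!
! Uplink towards the backbone: no PortFast and no BPDU Guard, because this port
! must receive the root bridge's BPDUs.
interface GigabitEthernet0/25
 description UPLINK-TO-BACKBONE
 spanning-tree bpduguard disable
!
! ===== Backbone switch =====
! Root Guard goes on the port facing the end-user switch. If that switch (or a
! rogue switch behind it) advertises a superior BPDU, the port becomes
! root-inconsistent and forwards no data until the superior BPDUs stop; it
! recovers on its own, no err-disable involved.
interface GigabitEthernet1/0/1
 description TO-ENDUSER-SWITCH
 spanning-tree guard root
!
! ===== Either switch: automatic recovery from err-disable =====
! Without these lines a port disabled by BPDU Guard or by a port-security
! violation stays down until an admin clears it by hand.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
!   show interfaces status err-disabled     <- which ports are down and for which cause
!   show errdisable recovery                <- enabled causes and time left per port
!   show spanning-tree inconsistentports    <- ports currently held by root guard
!
! Manual clear of an err-disabled port (the recovery timer is not required for this):
!   configure terminal
!   interface GigabitEthernet0/5
!    shutdown
!    no shutdown
```

Keep the recovery interval long enough that a port behind which a hub or rogue switch stays connected does not flap in and out of service every few seconds; the syslog entries generated on each err-disable event are the signal to go and find the device.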
