01-15-2010 11:31 AM - edited 03-06-2019 09:19 AM
Hi
How do I restrict helpdesk staff or users from plugging a hub or switch into the network?
If a hub/switch is connected to the switchport, the port should go down or be disabled.
What other security recommendations are there for the User_switch and BackBone Switch?
cheers
TOM
01-15-2010 11:36 AM
On a manageable switch, configure port security so it will only allow a single MAC address on the port; if someone plugs in a hub, then as soon as he plugs another PC into it, it will shut down the port.
01-15-2010 11:57 AM
What steps are needed to configure port-security?
Users will be changing desks due to shifts; hopefully MAC address security won't irritate them.
01-16-2010 12:35 AM
Hi
We can't do any restrictions on a hub, but we can on managed switches.
switchport ------------- puts the port in Layer 2 switching mode
switchport access vlan 10 ------------ access VLAN 10
switchport mode access ------------- port will act in access mode
switchport voice vlan 11 -------------- voice VLAN 11
switchport port-security ------------- enabling port security
switchport port-security maximum 2 -- this allows the port a maximum of 2 MAC addresses; if the port learns a 3rd MAC address, the port automatically goes to the shutdown (err-disabled) state
switchport port-security aging time 1 -- aging time for learned secure addresses, in minutes
end
switchport
switchport access vlan 10
switchport mode access
switchport voice vlan 11
switchport port-security
switchport port-security mac-address (mac-add) -------------- only this one MAC address (the one bound to that port) is allowed; if another MAC is learned, the port goes to the shutdown state
switchport port-security aging time 1
end
regards
krishna kumar
01-16-2010 02:38 AM
Hi Tom,
If you have a threat that somebody will plug a hub or switch into your network switch, then the best method recommended in a switching environment is to enable the BPDU guard or root guard feature on the switch.
The BPDU guard feature is designed to allow network designers to keep the active network topology predictable. BPDU guard is used to protect the switched network from the problems that may be caused by the receipt of BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.
The Root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.
Following are the commands to enable BPDU guard on a switch:
spanning-tree portfast bpduguard
spanning-tree guard root
Configuring PortFast BPDU Guard on Switch-C
Switch-C# configure terminal
Switch-C(config)# spanning-tree portfast bpduguard
Hope that clears up your query!!
If helpful, do rate the valuable post.
Regards
Ganesh.H
01-16-2010 04:05 AM
Thanks Ganesh.
Do the steps you mentioned need to be applied on the BackBoneSwitch and EndUser Switch, or just on the EndUserSwitch?
It's a VTP Domain and VTP Client setup for the BackBone Switch and EndUser Switch.
If a Wireless Access-Point is installed on the switchport, will this be impacted?
cheers
Tom
01-16-2010 04:11 AM
Tom,
As I have already stated, BPDU guard and Root Guard are enabled at the end user switch where you have a threat that somebody will connect a switch or hub instead of a desktop PC.
BPDU guard and Root guard will help and make the port err-disable/shutdown if it sees any BPDU packets on that port, so if you connect a wireless access point or any other device, it will work unless it sends some BPDU on that port; then the switch will put that port in a not-working state.
Hope that clears up your query!!
If helpful, do rate the valuable post.
Regards
Ganesh.H
01-16-2010 04:18 AM
Thanks.
If the port goes into the error disable state, how do I clear the error disable state?
01-16-2010 04:24 AM
Hi Tom,
Generally BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port. The disablement effectively denies devices behind such ports from participation in STP. You must manually re-enable the port that is put into errdisable state or configure errdisable-timeout.
Hope that clears up your query!!
If helpful, do rate the valuable post.
Regards
Ganesh.H
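An added audit example (written for this page, not code from any poster or from Cisco) that checks a running-config excerpt for the three controls discussed above: port-security on access ports (with maximum 2 where a voice VLAN is present, as in krishna's example), BPDU guard on PortFast ports, and errdisable recovery so a tripped port comes back without a manual shut/no shut. SAMPLE_CONFIG is a constructed config, and parse_config and audit are hypothetical helper names.

```python
# Constructed sample running-config (not the thread's switches): Fa0/1 is hardened, Fa0/2 is weak.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 11
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 11
 switchport port-security
 spanning-tree bpduguard disable
"""

def parse_config(config):
    # Group config lines under "global" or under the interface stanza they belong to
    stanzas, key = {}, "global"
    for line in config.splitlines():
        if line.startswith("interface "):
            key = line.split(None, 1)[1]
        else:
            key = key if line.startswith(" ") else "global"
            stanzas.setdefault(key, []).append(line.strip())
    return stanzas

def audit(config):
    """Return {interface or 'global': [findings]} for ports a plugged-in hub/switch could abuse."""
    cfg = parse_config(config)
    glob, findings = cfg.pop("global", []), {}
    if "errdisable recovery cause bpduguard" not in glob:  # else every trip needs a manual shut/no shut
        findings["global"] = ["no errdisable recovery for bpduguard"]
    guard_default = "spanning-tree portfast bpduguard default" in glob
    for name, cmds in cfg.items():
        if "switchport mode access" not in cmds:
            continue  # trunks/uplinks are covered by root guard, not by this check
        problems = findings.setdefault(name, [])
        if "switchport port-security" not in cmds:
            problems.append("port-security not enabled")
        guarded = "spanning-tree bpduguard enable" in cmds or (  # per-port, or global default on a PortFast port
            guard_default and "spanning-tree portfast" in cmds
            and "spanning-tree bpduguard disable" not in cmds)
        if not guarded:
            problems.append("BPDU guard not active")
        maximum = next((int(c.split()[-1]) for c in cmds if c.startswith("switchport port-security maximum")), 1)
        if any(c.startswith("switchport voice vlan") for c in cmds) and maximum < 2:
            problems.append("voice VLAN with port-security maximum 1 (phone + PC need 2)")
    return {k: v for k, v in findings.items() if v}
```

Run it as `audit(open("running-config.txt").read())` against a saved `show running-config`; compliant ports are omitted from the result.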
01-16-2010 04:36 AM
Thanks mate.
It's clear now.