I have a 3650G switch
Following is the configuration
Ports 1 & 2 are uplink ports
Ports 3 to 23 are access ports carrying data and voice VLANs
Port 24 is VLAN 1 for management purposes
I would like to prevent:
1. any user from taking a cable and plugging that cable into the same switch ports to generate a storm.
2. any rogue device from generating loops or giving out DHCP IP addresses.
BPDU guard just blocks BPDUs from coming into a port and will shut it down if it happens. But to configure it, check:
This still will not prevent a user from congesting a port and rogue devices from attaching. Storm-control is like having a policer on the port, so it might limit legitimate traffic from a good user.
The real solution for preventing rogue devices, from a LAN security point of view, is DHCP snooping + dynamic ARP inspection + IP source guard.
DHCP snooping keeps track of L2-L3 mappings by monitoring DHCP packets.
DAI prevents ARP spoofing based upon the DHCP snooping information (prevents unknown MACs from ARPing on ports where they have not gone through DHCP).
IP source guard drops any IP traffic not from legitimate users in the DHCP snooping tables.
If you are interested in those features start here:
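How the three features in the answer above depend on one binding table, as an added example that is not part of the original posts and is not switch code: a simplified Python model of the forwarding decisions. The class name, port numbers other than the uplinks 1 and 2, and the MAC/IP values are constructed for illustration.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server sends


@dataclass
class AccessSwitch:
    trusted: set                                  # uplinks toward the real DHCP server
    pending: dict = field(default_factory=dict)   # client MAC -> port its request came in on
    bindings: set = field(default_factory=set)    # (port, mac, ip) learned from DHCP ACKs

    def dhcp(self, port, msg, client_mac, ip=None):
        """DHCP snooping: server messages are accepted on trusted ports only."""
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"  # rogue DHCP server behind an access port
            if msg == "ACK" and client_mac in self.pending:
                # Record the L2-L3 mapping on the port the client asked from.
                self.bindings.add((self.pending.pop(client_mac), client_mac, ip))
            return "forward"
        if port not in self.trusted:
            self.pending[client_mac] = port  # DISCOVER/REQUEST from a client
        return "forward"

    def arp(self, port, sender_mac, sender_ip):
        """DAI: ARP on an untrusted port must match a snooping binding."""
        ok = port in self.trusted or (port, sender_mac, sender_ip) in self.bindings
        return "forward" if ok else "drop"

    def ip_packet(self, port, src_ip):
        """IP source guard: source IP must be one leased on this port."""
        ok = port in self.trusted or any(
            p == port and i == src_ip for p, _, i in self.bindings)
        return "forward" if ok else "drop"


def demo():
    sw = AccessSwitch(trusted={1, 2})
    pc = "00:11:22:33:44:55"                 # constructed client MAC
    sw.dhcp(5, "REQUEST", pc)                # client on access port 5
    sw.dhcp(1, "ACK", pc, "10.0.10.50")      # lease arrives via uplink 1
    return {
        "legit_arp": sw.arp(5, pc, "10.0.10.50"),
        "legit_ip": sw.ip_packet(5, "10.0.10.50"),
        "rogue_offer": sw.dhcp(7, "OFFER", pc, "192.168.1.10"),
        "spoofed_arp": sw.arp(7, "de:ad:be:ef:00:01", "10.0.10.1"),
        "static_ip": sw.ip_packet(7, "10.0.10.99"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```

The model leaves out lease expiry, per-VLAN scoping and rate limiting; it only shows that DAI and IP source guard have nothing to validate against until DHCP snooping has populated the table.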