Community Member

best practice for unmanaged switch to cisco switch

In our environment, I have to allow some users to have an unmanaged switch which is connected to an access port.

I put this configuration on each port which is connected to an unmanaged switch (Netgear 8-port):

interface GigabitEthernet1/0/47
 switchport port-security maximum 3
 spanning-tree guard root
end

port-security maximum 3: only allow 3 MAC addresses.

spanning-tree guard root: just in case, to protect the root bridge if someone puts in a managed switch with a lower bridge ID.

I connected one cable from the unmanaged switch to another port to make a loop for testing.

It showed that the switch got "Loop-back detected" and put the port in err-disable automatically, so I don't need to worry about this.

Apr  7 18:33:01.370: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/47.
Apr  7 18:33:01.370: %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/47, putting Gi1/0/47 in err-disable state
Apr  7 18:33:02.373: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/47, changed state to down
Apr  7 18:33:03.379: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/47, changed state to down
LAB_HQ_Fiber(config-if)#

What options do you usually use to protect against unmanaged switches?

I am not able to use "spanning-tree bpduguard" because it will block a port.

I can use "spanning-tree bpdufilter" to protect an STP area, but I don't think this is a big matter.

1 ACCEPTED SOLUTION

VIP Purple
Hello

If you need to attach these kinds of switches/hubs, make sure you shut down all unused ports on the managed switch so as to limit any further unauthorized attachments looping back into the network from the unmanageable device. This way you can manage these unmanageable devices to a certain extent.

As for the STP root, you should manually set your STP priority on the managed switch to a low level anyway so as to not allow any other new device to negotiate itself to become the root, and for the ports you are aware of that will have these devices attached, I would disable portfast and also advise against using bpdufilter as this negates the STP process.

int range fa0/x - xxx
 description unmanaged devices
 no cdp enable

On all managed switches and on all ports you DON'T expect to have unmanaged hubs/switches I would suggest applying

spanning-tree loopguard default
udld enable
udld aggressive

 

int range fa0/x - xxx
 description access ports
 switchport port-security
 switchport port-security aging type inactivity
 switchport port-security violation restrict/shutdown
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 no cdp enable

One last thing: I also wouldn't enable error recovery either, as you would want to know the reason why your ports are erroring and not go chasing your tail as to the reason why you're having intermittent network issues.

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
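As an added example (not code from the thread, from Paul, or from Cisco), here is a small Python audit that parses a running-config and reports access ports missing the commands in the template above, so the gaps can be found before a loop or a rogue bridge finds them for you. It assumes a constructed sample config, and treats a port whose description mentions "unmanaged" as one of the hub/switch ports that is not expected to run bpduguard.

```python
# Constructed sample running-config (not from the thread): Gi1/0/1 follows the answer's
# template, Gi1/0/47 mirrors the question's unmanaged-switch port, Gi1/0/48 has bpdufilter.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 spanning-tree bpduguard enable
 spanning-tree guard root
 no cdp enable
interface GigabitEthernet1/0/47
 description unmanaged devices
 switchport mode access
 switchport port-security maximum 3
 spanning-tree guard root
interface GigabitEthernet1/0/48
 switchport mode access
 spanning-tree bpdufilter enable
"""
REQUIRED = [  # commands the accepted answer puts on every access port
    "switchport port-security",  # "... maximum N" alone does not enable it on IOS
    "spanning-tree bpduguard enable",
    "spanning-tree guard root",
    "no cdp enable",
]

def parse_interfaces(config):
    """Map each interface name to its indented config lines."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif line.startswith(" ") and name is not None:
            blocks[name].append(line.strip())
        else:
            name = None  # "!" or a global command ends the block
    return blocks

def audit(config):
    """Return {port: [problems]}; ports described as unmanaged are not required to run bpduguard."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        unmanaged = any(l.startswith("description") and "unmanaged" in l for l in lines)
        required = [c for c in REQUIRED if not (unmanaged and "bpduguard" in c)]
        problems = [f"missing: {c}" for c in required if c not in lines]
        if any(l.startswith("spanning-tree bpdufilter") for l in lines):
            problems.append("remove: spanning-tree bpdufilter")
        if problems:
            findings[name] = problems
    return findings
```

Run audit(SAMPLE_CONFIG), or feed it the text of show running-config: on the sample it flags Gi1/0/47 for lacking the bare switchport port-security command (without which the maximum setting has no effect) and no cdp enable, and Gi1/0/48 for bpdufilter plus every missing guard.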
3 REPLIES
Hall of Fame Super Gold

The best practice is DON'T use an un-managed switch.  

 

You want an 8-port switch; Cisco has some 8-port managed switches: Cisco Catalyst 2960-C and 3560-C Series Compact Switches Data Sheet

 

Remember:  An un-managed switch is an UN-MANAGEABLE switch.

Community Member

Thanks for your input. 

I can't use spanning-tree portfast, which puts bpduguard on that port.

But I understand why you suggested all options. Thanks. 
