Blocking unmanaged switch

corneliusar
Level 1

Hi,

Does anyone know how to block an unmanaged switch? I mean: if someone plugs an unmanaged switch (D-Link, etc.) into a Cisco switch, the port on the Cisco switch should automatically become errdisabled.

I've configured bpduguard, but it didn't help.

Thanks,

Cornelius

Accepted Solution

flokki123
Level 3

Hi Cornelius,

bpduguard is not helpful for this situation, as it would only make sense if you have STP enabled, and even then it would not help with your problem.

Try port security and, with that feature, configure only the MAC addresses which are allowed to connect to that port. The switch itself shouldn't trigger the port security feature, but as soon as clients get connected to the unmanaged switch and try to communicate with the Cisco, the port should get blocked, or whatever you have configured.

But in general I would suggest shutting down unused ports.

Regards,

Florian


6 Replies

Leo Laohoo
Hall of Fame

> I mean: if someone plugs an unmanaged switch (D-Link, etc.) into a Cisco switch, the port on the Cisco switch should automatically become errdisabled.

> I've configured bpduguard, but it didn't help.

What do you mean it didn't help? Switches, whether unmanaged or not, talk BPDU, so "bpduguard" should have disabled the port once a BPDU packet was heard. The only reason it wouldn't work is if:

1. errdisable recovery is enabled; or

2. bpdufilter is enabled; or

3. It ain't a switch and is most likely a hub.

If it's a hub, then enable port-security to allow only 1 MAC address:

switchport port-security

switchport port-security violation restrict

> Switch, whether un-managed or not, talk BPDU

Question: why would an unmanaged switch be sending BPDUs? I always thought that, for the most part, unmanaged switches do not send BPDUs.

BPDUs, or Bridge Protocol Data Units, are sent out of ports that the switch has reason to believe are candidates to participate in a spanning tree instance. Most switches (managed or not), unless specifically configured otherwise (e.g. Cisco commands like "no spanning-tree" for the VLAN a given port is assigned to, or other such configuration), believe all ports to be candidates to connect to other switches and thus send out BPDUs to check the neighboring device's ability and willingness to participate in the creation and maintenance of a spanning tree.

One of the main purposes of a spanning tree is to properly establish a non-looping broadcast domain. Achieving that purpose is necessary for proper network operation in a multi-switch environment, whether or not a given switch is managed.

Thanks for that clarification, mklemovitch.

I've checked a D-Link 1008D: it doesn't send BPDUs, and I couldn't see its MAC address either.

Well, I think it's a switch but acting like a hub. Umm... port-security would be a great solution, I guess...

Thanks
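A configuration that combines the two mechanisms the thread discusses (bpduguard for devices that do send BPDUs, port security for the ones that don't), written as an added example rather than taken from any post above; the interface name, VLAN and recovery interval are assumptions:

```cisco
! Global: bpduguard on every PortFast edge port, so any device that does
! speak STP gets the port errdisabled as soon as its first BPDU arrives.
spanning-tree portfast bpduguard default
!
! Optional: auto-recover errdisabled ports after 5 minutes (assumed 300 s).
! Leave these lines out if the port should stay down until an admin clears
! it. With recovery on, the port flaps between errdisable and up, which can
! look like "bpduguard didn't help" when you only glance at it.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Access port for a single end host (interface and VLAN are assumptions).
interface GigabitEthernet1/0/10
 description Access port - one host only
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Do NOT add "spanning-tree bpdufilter enable" here: it discards BPDUs
 ! before bpduguard ever sees them.
 !
 ! Port security catches the unmanaged switch that sends no BPDUs: the
 ! second source MAC learned behind the port is a violation.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! "shutdown" errdisables the port (what the thread asks for);
 ! "restrict" would only drop the extra MACs and raise a log/SNMP trap.
 switchport port-security violation shutdown
 no shutdown
!
! Verification after a device is plugged in.
show port-security interface GigabitEthernet1/0/10
show interfaces status err-disabled
show errdisable recovery
```

Sticky learning writes the first MAC seen into the running config, so save it once the legitimate host is connected; a later host swap then needs a `clear port-security sticky` before it will be admitted.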
