New Member

Blocking unmanaged switch

Hi,

Does anyone know how to block an unmanaged switch? I mean, if someone plugs an unmanaged switch (D-Link, etc.) into a Cisco switch, the port on the Cisco switch should automatically become errdisabled.

I've configured bpduguard, but it didn't help.

Thanks,

Cornelius

Accepted Solutions
New Member

Blocking unmanaged switch

Hi Cornelius,

bpduguard is not helpful in this situation, as it would only make sense if you have STP enabled, and even then it would not help with your problem.

Try port security and configure with that feature only the MAC addresses which are allowed to connect to that port. The switch itself shouldn't trigger the port security feature, but as soon as clients get connected to the unmanaged switch and try to communicate with the Cisco, the port should get blocked, or whatever else you have configured.

But in general I would suggest shutting down unused ports.

regards,

florian

6 REPLIES
Hall of Fame Super Gold

Re: Blocking unmanaged switch

>> I mean, if someone plugs an unmanaged switch (D-Link, etc.) into a Cisco switch, the port on the Cisco switch should automatically become errdisabled.

>> I've configured bpduguard, but it didn't help.

What do you mean it didn't help? Switches, whether unmanaged or not, talk BPDU, so "bpduguard" should have disabled the port once a BPDU packet was heard. The only reasons it wouldn't work are if:

1. errdisable recovery is enabled; or

2. bpdufilter is enabled; or

3. It ain't a switch and is most likely a hub.

If it's a hub, then enable port-security to allow only 1 MAC address.

```cisco
! port security is rejected on a dynamic (DTP) port, so pin the mode first
switchport mode access
! enable port security; the default maximum of 1 secure MAC address applies
switchport port-security
! on a violation keep the port up but drop the offending frames and count them
switchport port-security violation restrict
```

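Putting the two suggestions in this thread together, the following is an added example of a complete Catalyst access-port configuration; it is not from any poster in the thread. BPDU guard covers a device that does speak STP, and port security with a one-MAC limit covers a silent unmanaged switch such as the D-Link that forwards frames from several hosts. The interface names, VLAN numbers, description text and the recovery interval are assumed for illustration only.

```cisco
! ---- global ----
! Put every PortFast edge port into BPDU guard without touching each interface
spanning-tree portfast bpduguard default
! Optional: let errdisabled ports recover on their own. While the offending
! device stays attached the port will keep flapping: up, violation, errdisabled.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! ---- user-facing access port (assumed name and VLAN) ----
interface GigabitEthernet1/0/10
 description user port, single host expected
 ! port security is refused on a dynamic (DTP) port, so fix the mode first
 switchport mode access
 switchport access vlan 10
 ! edge port: PortFast plus BPDU guard errdisables it if any BPDU arrives
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! port security: learn the first MAC seen and stick it into the running config
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! shutdown (the default) errdisables the port, which is what the original
 ! poster asked for; "restrict" would instead keep the port up and drop frames
 switchport port-security violation shutdown
 no shutdown

! ---- unused ports (assumed range): park them in a dead VLAN and shut them ----
interface range GigabitEthernet1/0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

To check the result after plugging a second host in behind the unmanaged switch, use `show port-security interface GigabitEthernet1/0/10` (look at the violation count and port status), `show interfaces status err-disabled` (the port and its errdisable cause), `show spanning-tree interface GigabitEthernet1/0/10 detail` (confirms PortFast and BPDU guard are active) and `show errdisable recovery` (which causes auto-recover and how long is left). Two caveats: a single host behind the unmanaged switch never exceeds the one-MAC limit, so the switch itself is not detected, only the second MAC it forwards; and with `mac-address sticky` the first MAC seen is the one that gets locked in, so bring the port up only once the legitimate host is attached.
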
Blocking unmanaged switch

>> Switches, whether unmanaged or not, talk BPDU

Question: why would an unmanaged switch be sending BPDUs? I always thought that, for the most part, unmanaged switches do not send BPDUs.

Hall of Fame Super Silver

Blocking unmanaged switch

BPDUs or Bridge Protocol Data Units are sent out ports that the switch has reason to believe are candidates to participate in a spanning tree instance. Most switches (managed or not), unless specifically configured otherwise (e.g. Cisco commands like "no spanning-tree" for the VLAN a given port is assigned to or other such configuration), believe all ports to be candidates to connect to other switches thus send out BPDUs to check the neighboring device's ability and willingness to participate in creation and maintenance of a spanning tree.

One of the main purposes of a spanning tree is to properly establish a non-looping broadcast domain. Achieving that purpose is necessary for proper network operation in a multi-switch environment, whether or not a given switch is managed.

Blocking unmanaged switch

Thanks for that clarification, mklemovitch.

New Member

Blocking unmanaged switch

I've checked a D-Link 1008D; it doesn't send BPDUs, and I couldn't see its MAC address either.

Well, I think it is a switch but acting like a hub. Umm... port security would be a great solution, I guess...

Thanks
