We have Cisco 4500X at the core and Cisco 3750 at the edge. I would like it so we can disable unmanaged switches on some ports on an edge switch. I don't want a particular group of users plugging them in.
How can I achieve this, please?
On the interface, if you enable "spanning-tree BPDUGuard enable" the port will go into error-disable when BPDU is detected on the interface.
Following are the modes in which we can configure BPDU Guard on switches:
spanning-tree bpduguard enable (Puts port in errdisable upon receiving any bpdu).
spanning-tree portfast bpduguard default (It enables bpduguard on ports that have port-fast configuration, puts port in errdisable upon receiving a bpdu).
Once BPDU Guard is enabled it will keep an eye open for any BPDUs entering the access ports. The only devices which can reliably create and transmit BPDUs are switches. Our main aim is to have a predictable topology and not allow other switches outside our control onto our network. If a rogue switch is introduced into our topology it will in most cases transmit a BPDU; if the rogue switch has "better" values than the existing Root Bridge it will cause a topology change in the switched network. Any topology change is bad news for the users.
Thanks for the help. Someone else suggested doing it by limiting the number of mac addresses allowed on the port by using the following commands. What method would you use?
switchport port-security maximum 1
switchport port-security violation shutdown
You are most welcome.
This again is a very good option; however, if your switch port is connected to a hub supporting more than one user, then you would not be able to use this command, as it would allow only one MAC address through it, thus preventing other eligible data from legal hosts. But if you have only one host connected to that port then I would recommend it; otherwise, in a full-fledged network, "spanning-tree bpduguard enable" is a good option.
Thanks. Just giving this a test. I put the above commands on the switch port but they don't appear when I do a show run. Why is that please?
Brill. So I have got the below from that command. Is this setup correctly to only allow 1 MAC address on that port?
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
Yes, as you can see it shows max MAC addresses = 1, meaning that the total number of MAC addresses allowed is one, and if it is exceeded then a violation will occur which will shut down the port.
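As an added example (not from any poster in this thread), here is a small checker that parses the `show port-security interface` output pasted above and reports whether the port matches the goal discussed here: port security enabled, one MAC address, violation mode shutdown. The sample text is constructed in the shape of that paste, and the reading of the Port Status values (Secure-down as link down, Secure-shutdown as err-disabled after a violation) is my assumption about the meaning of those states.

```python
import re

# Constructed sample in the shape of the `show port-security interface`
# paste earlier in the thread; it is not a capture from the poster's switch.
SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

def parse_port_security(text):
    """Map each 'Key : Value' line to a dict. Splitting on a colon that is
    surrounded by whitespace keeps 'Last Source Address:Vlan' as one key."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+:\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def assess(fields):
    """Check the fields against the thread's goal: port security enabled,
    at most one MAC, violation mode shutdown. Returns 'compliant' (config
    is right), 'errors' (config gaps) and 'notes' (operational state)."""
    errors, notes = [], []
    if fields.get("Port Security") != "Enabled":
        errors.append("port-security is not enabled on this interface")
    if fields.get("Violation Mode") != "Shutdown":
        errors.append("violation mode is %r, expected Shutdown" % fields.get("Violation Mode"))
    if fields.get("Maximum MAC Addresses") != "1":
        errors.append("maximum MAC addresses is %r, expected 1" % fields.get("Maximum MAC Addresses"))
    status = fields.get("Port Status", "")
    if status == "Secure-shutdown":
        notes.append("port is err-disabled after a violation; a second MAC was seen")
    elif status == "Secure-down":  # assumed meaning: link is down, nothing enforced yet
        notes.append("link is down, so nothing has been learned or enforced yet")
    if fields.get("Security Violation Count", "0") != "0":
        notes.append("violation counter is non-zero: more than one MAC has appeared")
    return {"compliant": not errors, "errors": errors, "notes": notes}
```

Paste the real output of `show port-security interface <port>` into `SAMPLE_OUTPUT` (or read it from a file) and call `assess(parse_port_security(text))`; an empty `errors` list is the answer to the question above, and `notes` tells you whether the port has actually seen traffic yet.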
Your later note, about using switch-port security, is probably your best option (because unmanaged switches and hubs aren't really visible - also unmanaged switches won't generate BPDUs).