Cisco Support Community
New Member

Disable Unmanaged Switches

Hi,

We have a Cisco 4500X at the core and Cisco 3750s at the edge. I would like to be able to disable unmanaged switches on some ports of an edge switch. I don't want a particular group of users plugging them in.

How can I achieve this, please?

Thanks

11 REPLIES
Hall of Fame Super Gold

On the interface, if you enable "spanning-tree bpduguard enable" the port will go into err-disable when a BPDU is detected on the interface.

New Member

Hello,

Following are the modes in which we can configure BPDU Guard in switches.

Interface mode:

spanning-tree bpduguard enable                       (Puts the port in errdisable upon receiving any BPDU.)

Global mode:

spanning-tree portfast bpduguard default           (Enables BPDU Guard on ports that have PortFast configured; puts the port in errdisable upon receiving a BPDU.)

Once BPDU Guard is enabled it will keep an eye open for any BPDUs entering the access ports. The only devices which can reliably create and transmit BPDUs are switches. Our main aim is to have a predictable topology and not allow other switches outside our control onto our network. If a rogue switch is introduced into our topology it will in most cases transmit a BPDU; if the rogue switch has "better" values than the existing Root Bridge it will cause a topology change in the switched network. Any topology change is bad news for the users.
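The two modes described above, laid out as a complete Catalyst configuration with the verification commands a practitioner would run afterwards. This is an added example, not code from the reply itself: the interface name GigabitEthernet1/0/10, VLAN 10 and the 300-second recovery interval are assumptions; the commands are standard IOS. One caveat worth stating plainly: BPDU Guard reacts only to BPDUs, so a hub, or an unmanaged switch that does not run spanning tree, sends none and is not caught by this mechanism.

```cisco
! Added example, not from the original thread. Interface, VLAN and timer are assumptions.
!
! Option 1: per interface. Only this port is protected, whether or not PortFast is on.
interface GigabitEthernet1/0/10
 description user-facing access port (assumed)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Option 2: global. Every port that is in PortFast state gets BPDU Guard automatically,
! so new access ports are covered without touching each one.
spanning-tree portfast bpduguard default
!
! Optional: bring an err-disabled port back after 300 seconds instead of leaving it
! down until someone does "shutdown" / "no shutdown" on it.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Verification, from exec mode:
!   show running-config interface GigabitEthernet1/0/10   (per-interface bpduguard is shown here)
!   show spanning-tree summary                            (reports whether the global default is enabled)
!   show spanning-tree interface GigabitEthernet1/0/10 detail   (look for the "Bpdu guard" line)
!   show interfaces status err-disabled                   (ports currently disabled, with the cause)
!   show errdisable recovery                              (which causes recover, and the timer)
```

The global form is the one usually deployed on campus edge switches, with the per-interface form reserved for ports that need BPDU Guard even though PortFast is not configured on them.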

New Member

Thanks for the help. Someone else suggested doing it by limiting the number of mac addresses allowed on the port by using the following commands. What method would you use?

Thanks

switchport port-security maximum 1
switchport port-security violation shutdown

New Member

You are most welcome.

This again is a very good option; however, if your switch port is connected to a hub supporting more than one user, then in that case you would not be able to use this command, as it would allow only one MAC address through it, thus preventing other eligible data from legal hosts. But if you have only one host connected to that port then I would recommend it; otherwise, in a full-fledged network, "spanning-tree bpduguard enable" is a good option.

Thanks

New Member

Thanks. Just giving this a test. I put the above commands on the switch port but they don't appear when I do a show run. Why is that, please?

Thanks

New Member

Those will appear under the command:

Switch#show port-security interface <interface name>

New Member

Brill. So I have got the below from that command. Is this set up correctly to only allow 1 MAC address on that port?

Thanks

Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

New Member

Yes, as you can see it shows Maximum MAC Addresses = 1, meaning that the total number of MAC addresses allowed is one, and if that is exceeded then a violation will occur, which will shut down the port.

Thanks
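The port-security commands from this exchange, assembled into a complete interface configuration as an added example (not taken from any of the replies). The interface name GigabitEthernet1/0/10, VLAN 10 and the 300-second recovery interval are assumptions. It also explains the earlier "they don't appear in show run" observation: "maximum 1" and "violation shutdown" are the IOS defaults for port security, and IOS does not print default values in the running-config; "show port-security interface" reports the effective values, which is why they are visible there.

```cisco
! Added example, not from the original thread. Interface, VLAN and timer are assumptions.
interface GigabitEthernet1/0/10
 description user-facing access port (assumed)
 ! Port security can only be enabled on a static access or trunk port, not a dynamic one.
 switchport mode access
 switchport access vlan 10
 ! This line turns the feature on; it does appear in the running-config.
 switchport port-security
 ! Both of the following are defaults, so "show run" omits them even when typed.
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Optional: learn the first MAC seen and write it into the config as the allowed address.
 switchport port-security mac-address sticky
!
! Optional: re-enable a port shut down by a violation after 300 seconds.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification, from exec mode:
!   show port-security interface GigabitEthernet1/0/10
!     Port Status : Secure-up        link up and no violation
!     Port Status : Secure-down      link down (no host connected, or port shut), as in the output quoted above
!     Port Status : Secure-shutdown  err-disabled after a violation; check "Security Violation Count"
!   show port-security address       which MAC is learned or stuck on which port
!   show interfaces status err-disabled
```

Two caveats, one raised in the thread and one it does not mention: a port that legitimately carries two devices (a hub with two users, or an IP phone with a PC behind it) needs "maximum" raised to that count, or the second host triggers the violation; and an unmanaged switch with only one active host behind it presents a single MAC, so "maximum 1" on its own does not detect the switch until a second device is plugged into it.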

New Member

Thanks. Will give this a go.

New Member

You are welcome.

Super Bronze

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Your later note, about using switchport port-security, is probably your best option (because unmanaged switches and hubs aren't really visible; also, unmanaged switches won't generate BPDUs).
