Cisco Support Community
New Member

Hub/Switch - Restriction

Hi

How do I restrict the helpdesk or users from plugging a hub or switch into the network?

If a hub/switch is connected to a switchport, then the port should go down or be disabled.

What other security recommendations are there for the User_switch and BackBone Switch?

cheers

TOM

9 REPLIES
Purple

Re: Hub/Switch - Restriction

On a manageable switch, configure port security so it will only allow a single MAC address on the port; if someone plugs in a hub, then as soon as they plug another PC in it will shut down the port.

New Member

Re: Hub/Switch - Restriction

What steps are needed to configure port security?

Users will be changing desks due to shifts; hopefully MAC address security won't irritate them.

New Member

Re: Hub/Switch - Restriction

Hi

We can't do any restrictions on a hub, but we can on managed switches.

First variant: allow two dynamically learned MAC addresses on the port (PC plus phone); a third address puts the port into err-disabled (shutdown) state. The interface name is only an example.

interface GigabitEthernet1/0/1
 ! make this a layer-2 switch port (needed on platforms whose ports default to routed)
 switchport
 ! access VLAN 10 for data
 switchport access vlan 10
 ! port will act in access mode
 switchport mode access
 ! voice VLAN 11 for the phone
 switchport voice vlan 11
 ! enable port security
 switchport port-security
 ! allow at most 2 secure MAC addresses; when a 3rd is learned the port goes
 ! to err-disabled (shutdown is the default violation action, shown explicitly)
 switchport port-security maximum 2
 switchport port-security violation shutdown
 ! secure addresses age out after 1 minute (default aging type is absolute),
 ! so a different PC can use the desk without clearing addresses by hand
 switchport port-security aging time 1
 end

Second variant: bind one specific MAC address to the port; with the default maximum of 1, learning any other MAC address puts the port into err-disabled state.

interface GigabitEthernet1/0/2
 switchport
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 11
 switchport port-security
 ! <mac-address> in H.H.H format, e.g. the MAC of the PC bound to this desk;
 ! a phone on the voice VLAN also consumes a secure address, so raise the
 ! maximum to 2 (or drop the voice VLAN) if one is attached
 switchport port-security mac-address <mac-address>
 ! aging applies only to dynamically learned addresses unless
 ! 'switchport port-security aging static' is also configured
 switchport port-security aging time 1
 end

regards

krishna kumar
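As an added example (not part of the post above, and not Cisco tooling), here is a small Python script that builds that port-security configuration for a user port and reads back the `show port-security` summary to find ports that have already tripped. The CLI output and interface names are constructed samples; the data/voice VLAN numbers and the 1-minute aging value follow the post. It goes one step beyond the post by using inactivity aging rather than the default absolute aging, so a desk can be reused after a shift change without the secure address expiring while the PC is still in use.

```python
"""Build a hardened access-port config and audit 'show port-security'.

Added example for the thread above, not code from the original post or from
Cisco. The CLI output below is a constructed sample in the IOS column format;
the interface names are placeholders.
"""
import re
from dataclasses import dataclass

# Constructed sample of 'show port-security' on a switch with three secured ports.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/0/1              2            2                  0         Shutdown
      Gi1/0/2              2            1                  0         Shutdown
      Gi1/0/3              2            2                  3         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# One table row: port, max secure addresses, current count, violation count, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


@dataclass
class PortState:
    name: str
    max_addr: int
    current: int
    violations: int
    action: str


def parse_port_security(output):
    """Parse the summary table; header, separator and total lines do not match ROW."""
    ports = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            ports.append(PortState(m.group(1), int(m.group(2)), int(m.group(3)),
                                   int(m.group(4)), m.group(5)))
    return ports


def violated_ports(ports):
    """Ports whose violation counter is non-zero: an extra MAC appeared behind them."""
    return [p.name for p in ports if p.violations > 0]


def full_ports(ports):
    """Ports with every secure slot in use; the next unknown MAC trips them."""
    return [p.name for p in ports if p.current >= p.max_addr]


def access_port_config(interface, data_vlan, voice_vlan=None, aging_minutes=1):
    """Return the interface config lines for one user port.

    One secure address for a PC, two when a phone sits on the voice VLAN.
    Inactivity aging frees the slot when the PC leaves (desk/shift changes)
    instead of expiring it on a fixed timer while the PC is still in use.
    """
    max_addr = 2 if voice_vlan else 1
    lines = [f"interface {interface}",
             " switchport mode access",
             f" switchport access vlan {data_vlan}"]
    if voice_vlan:
        lines.append(f" switchport voice vlan {voice_vlan}")
    lines += [
        " switchport port-security",
        f" switchport port-security maximum {max_addr}",
        " switchport port-security violation shutdown",   # err-disable on the extra MAC
        " switchport port-security aging type inactivity",
        f" switchport port-security aging time {aging_minutes}",
        " spanning-tree portfast",
    ]
    return lines


if __name__ == "__main__":
    state = parse_port_security(SHOW_PORT_SECURITY)
    print("violated:", violated_ports(state))   # ['Gi1/0/3']
    print("full:", full_ports(state))           # ['Gi1/0/1', 'Gi1/0/3']
    print("\n".join(access_port_config("GigabitEthernet1/0/5", 10, voice_vlan=11)))
```

Before trusting `maximum 2` on a phone-plus-PC desk, look at `show port-security interface` on a port with only the phone attached: if the phone alone already occupies two secure addresses on that platform, raise the maximum to 3. The BPDU guard line from the replies below belongs on the same ports and is deliberately left out here so that the two measures can be read separately.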

Re: Hub/Switch - Restriction

Hi Tom,

If there is a threat that somebody will plug a hub or switch into your network switch, then the best method recommended in a switching environment is to enable the BPDU guard or root guard feature on the switch.

The BPDU guard feature is designed to allow network designers to keep the active network topology predictable. BPDU guard is used to protect the switched network from the problems that may be caused by the receipt of BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.

The Root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.

Following are the commands to enable BPDU guard and root guard on a switch.

Per interface (on the user-facing access port):

! drop the port into err-disabled state as soon as a BPDU arrives
spanning-tree bpduguard enable

! root guard is normally applied on designated ports toward parts of the
! network where the root bridge must never appear
spanning-tree guard root


Configuring PortFast BPDU Guard globally on Switch-C (applies to every PortFast-enabled port):

Switch-C# configure terminal
Switch-C(config)# spanning-tree portfast bpduguard default

Hope that clears up your query!!

If helpful, do rate the valuable post.

Regards

Ganesh.H

New Member

Re: Hub/Switch - Restriction

Thanks ganesh

Do the steps you mentioned need to be applied on the BackBone Switch and the EndUser Switch, or just on the EndUser Switch?

It's a VTP domain and VTP client setup for the BackBone Switch and EndUser Switch.

If a wireless access point is installed on the switchport, will this be impacted?

cheers

Tom

Re: Hub/Switch - Restriction

Tom.

As I have already stated, BPDU guard and root guard are enabled at the end-user switch where there is a threat that somebody will connect a switch or hub instead of a desktop PC.

BPDU guard and root guard will help and put the port into err-disable/shutdown if they see any BPDU packets on that port, so if you connect a wireless access point or any other device, it will work unless it sends some BPDU on that port, at which point the switch will put that port into a non-working state.

Hope that clears up your query!!

If helpful, do rate the valuable post.

Regards

Ganesh.H

New Member

Re: Hub/Switch - Restriction

Thanks

If the port goes into error-disabled state, how do I clear the error-disabled state?

Re: Hub/Switch - Restriction (Accepted Solution)

Hi Tom,

Generally BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port. The disablement effectively denies devices behind such ports from participation in STP. You must manually re-enable the port that is put into errdisable state or configure errdisable-timeout.

Hope that clears up your query!!

If helpful, do rate the valuable post.

Regards

Ganesh.H
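The question of how to clear the err-disabled state, and the point in this reply that BPDU guard err-disables the port while root guard only holds it root-inconsistent, are both covered by the following added Python example, which is not from the thread or from Cisco. It classifies constructed IOS syslog lines (in the %PM-4-ERR_DISABLE and %SPANTREE-2-ROOTGUARD_* message formats seen on Catalyst switches; the timestamps and port names are made up) into err-disabled ports grouped by cause versus ports merely blocked by root guard, and then produces the two ways back: the errdisable recovery timer (the errdisable-timeout mentioned above) or a manual shutdown/no shutdown on the port.

```python
"""Classify err-disable events in Cisco syslog and emit the recovery steps.

Added example, not code from the thread or from Cisco. The log lines are
constructed samples in the standard IOS message formats; the leading
timestamps are skipped by the regexes, so real exports with sequence
numbers or syslog headers parse the same way.
"""
import re
from collections import defaultdict

# Constructed sample: a rogue switch on Gi1/0/7, a hub/extra PC on Gi1/0/3,
# and a superior BPDU briefly seen on an uplink protected by root guard.
SAMPLE_SYSLOG = """\
Mar  1 10:14:02.113: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/7 with BPDU Guard enabled. Disabling port.
Mar  1 10:14:02.115: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/7, putting Gi1/0/7 in err-disable state
Mar  1 10:21:40.522: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/3.
Mar  1 10:21:40.524: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/3, putting Gi1/0/3 in err-disable state
Mar  1 10:30:11.001: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet1/0/9 on VLAN0010.
Mar  1 10:35:11.002: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port GigabitEthernet1/0/9 on VLAN0010.
"""

# 'cause error detected on PORT, putting PORT in err-disable state'
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+), putting")
# 'Root guard blocking|unblocking port PORT on VLANnnnn.'
ROOTGUARD = re.compile(r"%SPANTREE-2-ROOTGUARD_(BLOCK|UNBLOCK): Root guard \w+ port (\S+) on (VLAN\d+)")


def errdisabled_ports(log):
    """Map err-disable cause -> ports, e.g. {'bpduguard': [...], 'psecure-violation': [...]}."""
    by_cause = defaultdict(list)
    for line in log.splitlines():
        m = ERR_DISABLE.search(line)
        if m and m.group(2) not in by_cause[m.group(1)]:
            by_cause[m.group(1)].append(m.group(2))
    return dict(by_cause)


def root_inconsistent_ports(log):
    """(port, vlan) pairs still held in root-inconsistent state by root guard.

    Root guard does not err-disable: the port is blocked only while superior
    BPDUs keep arriving and is unblocked automatically when they stop, so a
    BLOCK followed by an UNBLOCK leaves nothing for the operator to recover.
    """
    blocked = {}
    for line in log.splitlines():
        m = ROOTGUARD.search(line)
        if not m:
            continue
        key = (m.group(2), m.group(3))
        if m.group(1) == "BLOCK":
            blocked[key] = True
        else:
            blocked.pop(key, None)
    return sorted(blocked)


def recovery_config(causes, interval=300):
    """Global config so ports err-disabled for these causes recover after `interval` seconds."""
    lines = [f"errdisable recovery cause {c}" for c in sorted(causes)]
    lines.append(f"errdisable recovery interval {interval}")
    return lines


def manual_recovery(port):
    """Bounce the port by hand, the alternative when no recovery timer is configured."""
    return [f"interface {port}", " shutdown", " no shutdown"]


if __name__ == "__main__":
    disabled = errdisabled_ports(SAMPLE_SYSLOG)
    print(disabled)                                   # {'bpduguard': ['Gi1/0/7'], 'psecure-violation': ['Gi1/0/3']}
    print(root_inconsistent_ports(SAMPLE_SYSLOG))     # []  (unblocked again by itself)
    print("\n".join(recovery_config(disabled)))
    for ports in disabled.values():
        for port in ports:
            print("\n".join(manual_recovery(port)))
```

Whether to configure the timer at all is a judgement call: with a recovery interval, a rogue switch left plugged in simply re-trips BPDU guard every few minutes and keeps generating alerts, while without one a helpdesk visit is needed for every incident. Either way the syslog lines above are the signal to alert on, since they name both the cause and the port.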

New Member

Re: Hub/Switch - Restriction

Thanks mate.

It's clear now.
