Cisco Support Community

Ports restriction


We need to restrict Layer 2 switch ports for blocking another switch connection.

Can anybody guide me on how to perform this task?




Ports restriction

Hello Faisal,

Could you please provide us additional information?

I have no idea what you are trying to prevent from happening.

Can you add a diagram and explain your situation in more detail?


Re: Ports restriction

Hi Faisal,

  • If you want to prevent, let's say, people from connecting through an unmanaged switch to your access port, the best thing to do is to configure port security. You can also configure the maximum number of secure MAC addresses for the port (default is 1) using the switchport port-security maximum NUMBER command. Since there are no protocols running on an unmanaged switch, how can you tell there is a switch in the first place? Well, just by the fact that there are multiple/different MAC addresses communicating on a single port. Upon receipt of frames with different source MAC addresses, the port is put into err-disable.

          Switch(config-if)#switchport port-security


  • If you want to prevent only managed switches (with STP running) from connecting to such a port, use BPDU guard, but I think that you are looking for the first solution here. A port with BPDU guard configured is put into err-disable upon receipt of a BPDU.

          Switch(config-if)#spanning-tree bpduguard enable

If you decide to configure port-security, have a look here:

or just ask further questions.

What exactly are you trying to do? What kind of port do you want to block and why? Please, let us know, so we can provide a better answer.

Best regards,



Ports restriction

Thanks for your reply...

I think we also configure Access switch VTP on client will also block access ports for unmanaged switches.

Port security needs MAC addresses to be defined, and we use multiple workstations on these ports.



Ports restriction


I think what you are asking is how to prevent unwanted switches being plugged into your network?

If so, the advice from Jan is the best.

BPDU Guard will only work for switches which use BPDUs, and anybody technical could stop the switch sending them anyway, so combine this with Port Security and limit the MAC addresses; you should be fairly well protected.

I would also advise setting all your user facing switchports to Access Ports only to prevent Trunks being formed (switchport mode access).
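
Added example (not part of the thread or any poster's code): a small audit that reads IOS-style configuration text and reports, per user-facing port, which of the three controls discussed above (access mode, port security with a MAC limit, BPDU guard) are missing. The sample config, interface names and the `max_macs` threshold of 3 are constructed assumptions.

```python
import re
# Constructed sample config (not from the thread); interface names are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
!
interface GigabitEthernet0/3
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 switchport mode trunk
"""
REQUIRED = {  # controls recommended in the thread -> finding when absent
    "switchport mode access": "not forced to access mode",
    "switchport port-security": "port security disabled",
    "spanning-tree bpduguard enable": "BPDU guard disabled",
}
MAX_RE = re.compile(r"switchport port-security maximum (\d+)")

def parse_interfaces(config):
    """Return {interface: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or another top-level command closes the block
    return interfaces

def audit_access_ports(config, max_macs=3):  # max_macs: assumed site policy
    findings = {}  # port -> list of problems; an empty list means compliant
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode trunk" in cmds:
            continue  # deliberate trunks/uplinks are out of scope
        missing = [msg for cmd, msg in REQUIRED.items() if cmd not in cmds]
        loose = [f"MAC limit {m[1]} exceeds {max_macs}"
                 for m in map(MAX_RE.fullmatch, cmds) if m and int(m[1]) > max_macs]
        findings[name] = missing + loose
    return findings
```

Run it against saved `show running-config` output; a port that allows several workstations passes as long as its MAC limit stays at or below the chosen threshold.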
