06-11-2010 10:19 AM - edited 03-06-2019 11:32 AM
Hi
I have a 3650G switch
Following is the configuration
Ports 1 & 2 are uplink ports
Ports 3 to 23 are access ports carrying data and voice VLANs
port 24 is vlan1 for management purposes
I would like to prevent :
1. any user taking a cable and plugging that cable into two ports of the same switch to generate a storm.
2. any rogue device generating loops or starting to give out DHCP IP addresses.
please assist
Thanks
Asif
06-11-2010 11:48 AM
BPDU guard just blocks BPDUs from coming into a port and will shut it down if it happens. But to configure it, check:
This still will not prevent a user from congesting a port and rogue devices from attaching. Storm-control is like having a policer on the port, so it might limit legitimate traffic from a good user.
The real solution for preventing rogue devices, from a LAN security point of view, is DHCP snooping + dynamic ARP inspection + IP source guard.
DHCP snooping keeps track of L2-L3 mappings by monitoring DHCP packets.
DAI prevents ARP spoofing based upon the DHCP snooping information (prevents unknown MACs from ARPing on ports where they have not gone through DHCP).
IP source guard drops any IP traffic not from legitimate users in the DHCP snooping tables.
If you are interested in those features start here:
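The three features named in the solution above, as an added configuration example for the switch described in this thread (not posted by anyone in the thread). It assumes the interface numbering and VLANs 301/310 from Asif's configuration, that the DHCP server is reached only through the two uplinks, and that the rate limits and the flash filename are chosen values, not requirements:

```cisco
! --- DHCP snooping: build the IP/MAC/port binding table for both user VLANs
ip dhcp snooping
ip dhcp snooping vlan 301,310
! Persist bindings across a reload; otherwise IP source guard would drop
! every client that still holds a lease until it renews (filename assumed)
ip dhcp snooping database flash:dhcp-snoop.db
!
! Only the uplinks may carry DHCP OFFER/ACK (server-side) messages
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/2
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted: a rogue DHCP server's replies are dropped,
! and a client is limited to 15 DHCP packets/s (value assumed)
interface range GigabitEthernet0/3 - 23
 ip dhcp snooping limit rate 15
 ! IP source guard: forward IP traffic only from source addresses that
 ! match a DHCP snooping binding on this port
 ip verify source
!
! --- Dynamic ARP inspection: validate ARP against the snooping bindings
ip arp inspection vlan 301,310
!
! --- Verification commands
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 301
! show ip verify source
```

Order matters in deployment: enable DHCP snooping and let the binding table fill (or pre-populate it) before turning on `ip arp inspection` and `ip verify source`, otherwise existing clients with valid leases are cut off until they renew. Hosts with static addresses never appear in the binding table and need a static binding or an ARP ACL, and the IP phones on VLAN 310 are covered only because the voice VLAN is included in both the snooping and the DAI VLAN lists.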
06-11-2010 11:03 AM
Hi Asif
You can enable the BPDU Guard & Storm Control features on the switch.
--- starts giving dhcp ip addresses. For this I think in the network you should have physical security to avoid this.
The DHCP server can be installed on a server machine & no user should have rights to use the server machine.
And other than the server team, no one should be able to start or stop the services of any server.
Regards
Chetan Kumar
06-11-2010 11:38 AM
Hi
Uplink ports
interface GigabitEthernet0/1
description DATA VLAN UPLINK
switchport access vlan 301
switchport mode access
!
interface GigabitEthernet0/2
description VOICE VLAN UPLINK
switchport access vlan 310
switchport mode access
!
I have the following config on all of the access ports
interface GigabitEthernet0/3
description User Access Ports
switchport access vlan 301
switchport mode access
switchport voice vlan 310
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
priority-queue out
mls qos trust cos
spanning-tree portfast
So what command enables BPDU guard, and how do I apply the settings on the interfaces?
I think BPDU guard should not be enabled on uplink ports.
Thanks
Asif
06-11-2010 11:46 AM
Asif,
Here is the command to enable BPDU guard:
spanning-tree bpduguard enable
should be deployed on access ports only
Reza
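Putting Reza's command together with the storm control Chetan suggested, as an added example for the access-port template Asif posted (this is not configuration from anyone in the thread). It assumes ports Gi0/3 - 23 are the user ports, that the uplinks Gi0/1 - 2 are left without BPDU guard as Asif notes, and that the storm thresholds and recovery interval are assumed values to be tuned:

```cisco
! --- BPDU guard on every PortFast port, switch-wide
! Ports without "spanning-tree portfast" (the uplinks) are unaffected
spanning-tree portfast bpduguard default
!
interface range GigabitEthernet0/3 - 23
 ! Per-interface form, equivalent to the global default for these ports
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Storm control: err-disable the port if broadcast or multicast exceeds
 ! 1% of link bandwidth (threshold assumed; "action trap" only alerts)
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
!
! Bring err-disabled ports back automatically after 300 s (value assumed)
! so a helpdesk visit is not needed for every cable mistake
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! --- Verification commands
! show spanning-tree summary
! show storm-control
! show interfaces status err-disabled
```

A patch cable looped between two of these access ports is caught by BPDU guard before it becomes a storm: PortFast ports still transmit BPDUs, so each end receives the other's BPDU and both are err-disabled. Note that applying `storm-control` resets the interface, as Reza warns below, so schedule it in a maintenance window.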
06-11-2010 11:43 AM
Asif,
In addition to Chetan's comments, be aware that when you configure storm control on a port, the port will be reset, so you may want to do it during an outage window.
HTH
Reza