Cisco Support Community
Community Member

prevent loops or storm

Hi

I have a 3650G switch

Following is the configuration

Ports 1 & 2 are uplink ports

Ports 3 to 23 are access ports carrying data and voice VLANs

Port 24 is in VLAN 1 for management purposes

I would like to prevent :

1. any user taking a cable and plugging both ends into ports on the same switch to generate a storm.

2. any rogue device generating loops or starting to hand out DHCP IP addresses.

Please assist.

Thanks

Asif

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: prevent loops or storm

BPDU guard just blocks BPDUs from coming into a port and will shut it down if it happens. But to configure it, check:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swstpopt.html#wp1032048

This still will not prevent a user from congesting a port and rogue devices from attaching. Storm control is like having a policer on the port, so it might limit legitimate traffic from a good user.

The real solution for preventing rogue devices from a LAN security point of view is DHCP snooping + dynamic ARP inspection + IP source guard.

DHCP snooping keeps track of L2-L3 mappings by monitoring DHCP packets.

DAI prevents ARP spoofing based upon the DHCP snooping information (prevents unknown MACs from ARPing on ports where they have not gone through DHCP).

IP source guard drops any IP traffic not from legitimate users in the DHCP snooping tables.

If you are interested in those features, start here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swdhcp82.html#wp1058138

5 REPLIES

Re: prevent loops or storm

Hi Asif

You can enable the BPDU Guard & Storm Control features on the switch.

--- starts giving dhcp ip addresses. For this I think you should have physical security in the network to avoid this.

The DHCP server can be installed on a server machine, and no user should have rights to use the server machine.

And other than the server team, no one should be able to start or stop the services of any server.

Regards

Chetan Kumar

Community Member

Re: prevent loops or storm

Hi

Uplink ports

interface GigabitEthernet0/1
description DATA VLAN UPLINK
switchport access vlan 301
switchport mode access
!
interface GigabitEthernet0/2
description VOICE VLAN UPLINK
switchport access vlan 310
switchport mode access
!

I have the following config on all of the access ports:

interface GigabitEthernet0/3
description User Access Ports
switchport access vlan 301
switchport mode access
switchport voice vlan 310
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
priority-queue out
mls qos trust cos
spanning-tree portfast

So what is the command to enable BPDU guard, and how do I apply the settings on the interfaces?

I think BPDU guard should not be enabled on uplink ports.

Thanks

Asif

VIP Super Bronze

Re: prevent loops or storm

Asif,

Here is the command to enable BPDU guard:

spanning-tree bpduguard enable

It should be deployed on access ports only.

Reza

VIP Super Bronze

Re: prevent loops or storm

Asif,

In addition to Chetan's comments, be aware that when you configure storm control on a port, the port will be reset, so you may want to do it during an outage window.

HTH

Reza
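Pulling the thread's advice together for Asif's port layout: BPDU guard and storm control on the user ports only (Reza's command and caveat), and the DHCP snooping + DAI + IP source guard set from the accepted answer, with the two access-mode uplinks marked trusted. This is an added example, not configuration posted by anyone in the thread; the 1% storm-control thresholds, the 300 s errdisable recovery timer and the option-82 setting are assumptions for a 3560-class switch, and the VLAN numbers come from Asif's post.

```cisco
! --- Global: auto-recover ports that BPDU guard or storm control err-disables,
! so a pulled loop cable does not need a manual shut/no shut (300 s assumed)
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery interval 300
!
! --- DHCP snooping builds the MAC/IP/VLAN/port binding table that both DAI
! and IP source guard check against; enable it on the data and voice VLANs
ip dhcp snooping
ip dhcp snooping vlan 301,310
! This access switch is not a DHCP relay: stop it inserting option 82 so the
! upstream switch or server does not discard the requests (assumption)
no ip dhcp snooping information option
ip arp inspection vlan 301,310
!
! --- Uplinks: trusted for DHCP and ARP (the real server is behind them);
! no PortFast here, so no BPDU guard either
interface GigabitEthernet0/1
 switchport access vlan 301
 switchport mode access
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/2
 switchport access vlan 310
 switchport mode access
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- User ports: untrusted. A looped cable or rogue switch sends BPDUs and
! the port is err-disabled; broadcast floods are capped; only addresses
! learned through DHCP (or bound statically) may send IP traffic
interface range GigabitEthernet0/3 - 23
 switchport access vlan 301
 switchport mode access
 switchport voice vlan 310
 ! the existing port-security and QoS lines from Asif's post stay unchanged
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! applying storm-control resets the port (Reza's caveat); 1% is an assumption
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 ! IP-only filtering; "ip verify source port-security" also matches the MAC
 ! but then requires option 82 to be carried end to end
 ip verify source
!
! Hosts with static IPs are dropped by IPSG unless bound by hand:
!   ip source binding <mac> vlan 301 <ip> interface GigabitEthernet0/<n>
! Verify: show ip dhcp snooping binding / show ip arp inspection interfaces /
! show ip verify source / show errdisable recovery
```

DAI's default untrusted rate limit of 15 ARP packets per second applies to these user ports, which is ample for a PC plus a phone.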
