I have a question about how I can prevent an ill-intentioned user from
plugging a hub into point A on a switch and plugging the other interface of the hub into point B on the same switch,
thereby creating a network loop.
I ask about hubs because they don't support STP, so BPDU guard can't detect it.
Thanks in advance
A switch, with STP enabled, would detect it because in effect the two ports on a switch are being connected together.
The BPDUs from one port on switch will show up on the other. This would shut one of the ports on switch down.
Hi, thanks for your response,
my case is as if you plug a cable into point A and plug the other end into point B on the same switch.
Then the switch will detect its own BPDUs and shut down the interfaces.
It will work whether or not portfast has been configured.
Of course it's good practice (almost 'mandatory') to also configure portfast on access ports, i.e. ports connecting to end users. Otherwise the port will need to pass through all STP states before the host is able to request a DHCP address.
I'm not sure that with STP portfast enabled, BPDU guard is enough to protect against this event: it should be, but it becomes a question of timing.
Hope to help
what do you mean with a question of timing?
The configuration of BPDU guard and portfast are two independent parameters.
Even if the ports immediately become forwarding, upon receipt of an inbound BPDU (from the switch's viewpoint) the switchport will go into errdisable.
The only thing you may not configure is BPDU filter.
Or am I missing a rare situation where this is not the case?
I agree with you.
BPDU filter is something that should never be used in an enterprise network.
However, I remember a similar thread from some months ago, where other colleagues were speaking of some bad experiences relying only on BPDU guard and were suggesting combining it with port security.
So the message I've received is that there can be cases where BPDU guard is not enough.
It may be a question of timing, or also of how much broadcast traffic is on the network when the event happens.
Hope to help
But if you connect only a hub or directly connect two ports with a single link, port-security won't help ;-)
But I got your point:
port-security will finally work when it receives broadcasts other than BPDUs.
If you configure BPDU guard on the access port, the port will go into errdisabled state.
But you may not configure BPDU filter on the access port, because this will prevent BPDU messages from being sent out on these ports.
The switch will send BPDU messages out all forwarding ports, thus also to the port where the hub is connected. The hub will forward it out all ports except the one it received the message on. A port configured with BPDU guard will go into errdisabled upon receipt of a BPDU.
Cisco Switch Port Security features can help you with this one.
BPDU guard is great, but it only works with STP-enabled devices, regardless of whether it's a switch or a hub.
The command for that port-security feature is:
switchport port-security maximum XX
Just remember that you might want this higher than a value of 1, depending on your environment: phones, access points, etc.
STP BPDU guard may or may not be effective in detecting this.
With portfast, the risk is that a loop is created before the switch ports see each other's BPDUs.
Other features you can use to further protect the network include:
and port security with action error-disable and a low max MAC addresses on port.
Adding these two provides you further protection.
Hope to help
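The configuration below is an added illustration, not a snippet posted by any participant in this thread, of how the features discussed here (portfast, BPDU guard, and port security with an error-disable action and a low MAC-address limit) are combined on Cisco IOS access ports. The interface range, the VLAN number, the MAC limit of 3 and the recovery interval are assumed values; adjust them to your environment (phones and access points behind a port need a higher limit, as noted above).

```cisco
! Constructed example: hardening user-facing access ports against a hub or
! cable loop. Interface range, VLAN and limits are assumptions.
interface range GigabitEthernet1/0/1 - 24
 description User access port
 switchport mode access
 switchport access vlan 10
 ! Portfast so hosts get DHCP immediately; BPDU guard errdisables the port
 ! as soon as a BPDU arrives inbound (e.g. the switch's own BPDU reflected
 ! back through a hub connected between two ports).
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Do NOT configure "spanning-tree bpdufilter enable" here: it stops the
 ! switch sending BPDUs out the port, so a loop via a hub goes undetected.
 !
 ! Port security as the second line of defence: once the loop reflects
 ! other hosts' frames back in, the extra source MACs trip the limit.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! Optional: let errdisabled ports recover automatically after 5 minutes,
! so a user who unplugs the offending hub does not need a manual reset.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Alternative to per-interface BPDU guard: enable it globally on every
! portfast-enabled port.
spanning-tree portfast bpduguard default
```

To verify the protection is in place, and to see which mechanism caught a loop, use `show spanning-tree summary` (check that BPDU guard is enabled by default or on the ports), `show port-security interface GigabitEthernet1/0/1`, and `show interfaces status err-disabled`, whose Reason column reads `bpduguard` or `psecure-violation` accordingly.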