
New Member

Switch down: Cable put between 2 ports

What can be done if someone puts a cable between 2 ports on a switch and causes the switch to go down? Yes, we can disable the port, but is there another way to block the loop?

Could switchport port-security be useful? Or maybe switchport protected?

interface FastEthernet0/22
 description RTIS_SSN
 switchport access vlan 172
 storm-control broadcast level 80.00
 storm-control multicast level 80.00
 storm-control unicast level 80.00
 storm-control action shutdown
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/23
 description RTIS_SSN
 switchport access vlan 172
 storm-control broadcast level 80.00
 storm-control multicast level 80.00
 storm-control unicast level 80.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable

Name: Fa0/22
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 172 (VLAN0172)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Name: Fa0/23
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 172 (VLAN0172)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

4 REPLIES
New Member

Re: Switch down: Cable put between 2 ports

Your config seems to have most of the configs to block a physical loop. BPDU Guard will do the job in this kind of issue. You can use port security in a scenario in which someone connects a switch which won't send any BPDUs (I once faced a similar physical loop when we used a D-Link L2 switch to extend our conf room LAN). So you can add port security as an additional step of security to limit the number of MACs on each port.

HTH

Ullas

New Member

Re: Switch down: Cable put between 2 ports

Will the broadcast or loop increment the number of MAC addresses on a single port?

I suggest disabling unused ports and maybe implementing switchport protected between active ports that don't talk to each other.

I think the person wants to be sure that no bad cable will be plugged into the switch and bring switch A down.

New Member

Re: Switch down: Cable put between 2 ports

I read that bpdufilter takes precedence over the bpduguard feature, so bpduguard does nothing in this situation.

I would suggest disabling bpdufilter and setting the unused ports to a disabled state, switchport mode access. Maybe implement the errdisable feature too.

Hall of Fame Super Silver

Re: Switch down: Cable put between 2 ports

Hello Jonathan,

bpduguard is the right tool in this scenario.

bpdufilter can only create loops in this kind of scenario; it is a tool for service providers to be used in some cases of L2 transport services to hide SP switches.

So you are on the right track.

For additional security, if someone connects their own home switch, you can also consider using port security to put ports into errdisable where more than two MAC addresses are learned.

There was another thread about this and I reported here a synthesis of it.

Hope to help

Giuseppe
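
An added example, not part of the original thread or any poster's code: a small Python audit that applies the checks suggested in the replies (bpdufilter overriding bpduguard, storm-control without a shutdown action, no forced access mode, no port-security) to interface stanzas. The function names, the finding strings and the Fa0/24 stanza are constructed for illustration.

```python
# Constructed sample: Fa0/22 and Fa0/23 abridged from the post, Fa0/24 invented.
SAMPLE_CONFIG = """\
interface FastEthernet0/22
 switchport access vlan 172
 storm-control broadcast level 80.00
 storm-control action shutdown
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/23
 switchport access vlan 172
 storm-control broadcast level 80.00
 storm-control action trap
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
!
interface FastEthernet0/24
 switchport mode access
 switchport port-security
 storm-control broadcast level 80.00
 storm-control action shutdown
 spanning-tree bpduguard enable
"""

def parse_interfaces(text):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    ports, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return ports

def audit(text):
    """Return {interface: [findings]} for the loop-protection gaps discussed."""
    checks = [
        ("bpdufilter enabled (per the thread, it overrides bpduguard)",
         lambda c: "spanning-tree bpdufilter enable" in c),
        ("bpduguard missing", lambda c: "spanning-tree bpduguard enable" not in c),
        ("storm-control has no shutdown action",
         lambda c: "storm-control action shutdown" not in c),
        ("not forced to access mode", lambda c: "switchport mode access" not in c),
        ("no port-security", lambda c: "switchport port-security" not in c),
    ]
    return {name: [msg for msg, bad in checks if bad(cmds)]
            for name, cmds in parse_interfaces(text).items()}
```

Calling `audit(SAMPLE_CONFIG)` returns no findings for the constructed Fa0/24 stanza and lists the bpdufilter conflict for both ports from the original post.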
