Is there a way to keep this scenario from happening (other than not allowing users to connect a switch to their jack):
host -> user switch -> main switch -> router
We actually had this happen last night. In the user switch, a user connected one end of a cable to port 4 and the other end to port 3. This effectively brought the network down at this branch.
I've got a test setup here and I've implemented storm control, but this isn't keeping it from happening. I don't think bpduguard or bpdufilter will work either considering the port that the user switch connects to is already a designated port for spanning tree and forwarding.
Any suggestions or other tricks that could keep this from happening in the future?
As Edison says, the port-security is probably best.
If you *really* need to control "clever" users, then you also should set your TTL (Time-to-Live) such that if they drop in a consumer router (for NAT and expand ports) the TTL expires and there's no connection.
I hope the employee was fired for a violation of the policies. You *-DO-* have a policy, don't you?
I think Scott has hit the nail on the head. You could use port-security (and we do) to make sure that users don't connect hubs to their PC ports by limiting the number of MAC addresses seen on the switchport. You could use BPDUGuard, but that is assuming that the switches support these features. If they do, great, but quite often users can plug in their own switch/hub and create the very same problems.
So it really comes down to a security policy that all users are aware of and are also aware of the consequences if they do something they shouldn't.
There are a lot of features you can use to mitigate against these things, and if the features are available then I would use them, but in the end, if a user wants to do something really stupid, they probably will :-)
Yes, bpduguard will disable the port. However, I have seen instances where bpduguard fails after the switch attempts to automatically recover the port (I still have a TAC case open on this). I would use both bpduguard and port security. At least, that is what I am implementing right now.
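As an added example that is not from any of the posters above, here is what the combination the replies recommend (PortFast with BPDU guard, port-security and storm control as a backstop) looks like on a Catalyst IOS access switch. The interface range, VLAN, the MAC-address limit of 2, the 1% storm threshold and the 5-minute err-disable recovery interval are assumed values to be adapted to the site; the recovery lines can be dropped if, as the last reply describes, automatic recovery is not trusted and a manual `shutdown`/`no shutdown` is preferred.

```cisco
! Added example: hardening the access ports that face user jacks on a
! Catalyst IOS switch. Interface names, VLAN, MAC limit, storm threshold
! and recovery interval are assumed values, not taken from the thread.
!
! Global: every PortFast port gets BPDU guard, and err-disabled ports
! recover on their own after 5 minutes so each event does not need a
! visit from the helpdesk (omit the recovery lines for manual re-enable).
spanning-tree portfast default
spanning-tree portfast bpduguard default
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause storm-control
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 24
 description User jack - no switches or hubs
 switchport mode access
 switchport access vlan 10
 ! PortFast + BPDU guard: any BPDU arriving on a user port, including this
 ! switch's own BPDU flooded back by a looped unmanaged switch, err-disables
 ! the port instead of letting the loop feed the rest of the branch.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Port security: one PC plus a phone is the assumed maximum; a hub or
 ! switch behind the jack shows more source MACs and trips a violation.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
 switchport port-security aging time 5
 ! Storm control as the last line of defence: it does not stop the loop
 ! forming, but caps broadcast/multicast so the uplink stays usable.
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
!
! Checks to run when a port goes down after a suspected user loop:
! show interfaces status err-disabled
! show port-security interface GigabitEthernet1/0/4
! show spanning-tree interface GigabitEthernet1/0/4 detail
! show errdisable recovery
```

The three mechanisms catch the problem at different points: BPDU guard reacts as soon as the looped switch reflects a BPDU back, port-security reacts as soon as more MAC addresses than allowed appear, and storm control only limits the damage once the flood is already under way, which is why storm control alone did not prevent the outage described in the question.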