Deny Access to rogue switches.
03-17-2016 11:28 AM
I am looking to shut down a port on a switch when someone plugs a low-end consumer switch into the network.
The ports are set up as hybrid ports for VoIP and have stp edged-port enabled configured on them.
Any pointers would be appreciated.
Dave
03-17-2016 03:15 PM
Re: Deny Access to rogue switches.
It's hard to detect an unmanaged switch. Users add such switches to add devices to the network, so you might consider using port security to limit the number of MAC addresses per port and the use of sticky addresses.
03-18-2016 12:00 PM
Re: Deny Access to rogue switches.
Using the BPDU Guard feature + Edged-Port can help ...
ATP FLEXNETWORK V3 | ACSA
03-19-2016 02:22 AM
Re: Deny Access to rogue switches.
BPDU guard will only be triggered by devices running spanning tree.
Typical unmanaged SOHO switches don't run spanning tree.
03-20-2016 08:45 PM
Re: Deny Access to rogue switches.
I imagined using BPDU-GUARD to shut down the edge-port when a BPDU is received; with a monitoring tool (IMC) it would be possible to see which port was locked ...
The BPDU GUARD feature does not need the neighbor device to be running STP ...
ATP FLEXNETWORK V3 | ACSA
03-20-2016 09:07 PM
Solution
You have two issues to think about:
1. Somebody could plug in a dumb switch or a hub, then create a loop on it; the resulting broadcast storm gets passed up to your network via the single link it has to the network.
STP cannot help you for this. You need to configure loopback-detection.
Loopback-detection should be *very* high on your list of compulsory configs - ahead of DHCP snooping even.
2. Somebody could use the port for connecting some device you don't really want on your network, a switch (allowing multiple devices) or a WAP for example.
The easy thing to do to reduce this risk a little bit is to lock down the port to 2 MAC addresses max, which will be the first two MAC addresses the port sees after you configure it. If it sees any other MAC address, configure it to shutdown the port. Then the naughty users will self-report when they log a ticket with IT that their network is disconnected, which is a bonus.
Somewhat harder is a full-blown 802.1x setup where you control precisely what gets access via your ports.
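The three switch-side controls discussed in this thread (the MAC-limit port security suggested earlier, BPDU guard on the edged-port, and the loopback-detection from the accepted answer), shown as a Comware 5 configuration. This is an added example, not configuration posted by anyone in the thread; the interface name, VLAN numbers and the exact Comware 5 command syntax are assumptions and should be checked against the switch's own command reference.

```text
# --- before: the edge port as the original poster describes it ---
# (interface name and VLAN numbers are made up for this example)
interface GigabitEthernet1/0/10
 port link-type hybrid
 port hybrid vlan 10 untagged
 port hybrid vlan 20 tagged
 voice vlan 20 enable
 stp edged-port enable
quit

# --- after: loop and rogue-device protections added ---

# 1. Loopback detection (accepted answer): catches a loop behind an
#    unmanaged switch or hub without relying on BPDUs.
#    Enabled globally, then per port; "control enable" is needed on
#    trunk/hybrid ports, and the action shuts the port down instead of
#    only blocking it, so the user has to open a ticket.
loopback-detection enable
interface GigabitEthernet1/0/10
 loopback-detection enable
 loopback-detection control enable
 loopback-detection action shutdown
quit

# 2. BPDU guard on the edged-port: shuts the port if any BPDU arrives,
#    i.e. a managed switch running STP was plugged in. As noted in the
#    thread, a SOHO switch that sends no BPDUs will not trigger this.
stp bpdu-protection

# 3. Port security: learn the first two MACs seen (phone + PC) as secure
#    addresses, and disable the port when a third MAC shows up.
port-security enable
interface GigabitEthernet1/0/10
 port-security max-mac-count 2
 port-security port-mode autolearn
 port-security intrusion-mode disableport
quit

# Verification: which ports were shut, and by which feature
display loopback-detection
display stp abnormal-port
display port-security interface GigabitEthernet1/0/10
```

Comware 7 uses slightly different keywords for the same features (for example `loopback-detection global enable vlan all` and `stp edged-port`), so adapt the block to the running software version before applying it.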
03-21-2016 01:10 AM
Re: Deny Access to rogue switches.
Wouldn't bpdu-guard detect an attached switch/hub on which a loop is formed?
BPDUs will also be sent back because of the loop.
03-22-2016 06:51 PM
Re: Deny Access to rogue switches.
There is no guarantee that a remote broadcast storm will have any BPDUs in it. Loop-protect is what I use to protect against this by having it enabled on all Access ports.
BPDU guard is good as well, applied to all Access ports, which is more to protect against local loops.
Transit ports to 3rd-party networks should have BPDU filter on them.
03-23-2016 12:55 AM
Re: Deny Access to rogue switches.
The loop protect feature relies on special loop detection packets sent out by the switch being received back.
Seems to me like this is functionally identical to the STP and BPDU guard combo. The switch sends out BPDUs; when one of them is received back, BPDU guard kicks in.
03-23-2016 11:39 AM
Re: Deny Access to rogue switches.
Hi,
Here is a good explanation:
Enabling single-port loopback detection on an Ethernet interface
Michal