HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Comware Based
cancel
Showing results for 
Search instead for 
Did you mean: 

Deny Access to rogue switches.

 
SOLVED
Go to solution
Dave Harrold
Advisor

Deny Access to rogue switches.

I am looking to shutdown a port on a switch when someone plugs in a low end comsumer switch to the network.

The ports are set up as hybrid ports for VoIP and have stp edged-port enabled configured on them.

Any pointers would be appreciated.

 

Dave

12 REPLIES
16again
Respected Contributor

Re: Deny Access to rogue switches.

It's hard to detect unmanaged switch.    Users add such switches to add devices to the network,  s6you might consider using port security to limit # of MAC addresses per port and  the use of sticky addresses

johnk3r
Respected Contributor

Re: Deny Access to rogue switches.

Use the BPDU Guard feature + Edged-Port can help ...

**************************************
ATP FLEXNETWORK V3 | ACSA
16again
Respected Contributor

Re: Deny Access to rogue switches.

BPDU guard will only be triggered by devices running spanning tree.
Typical unmanaged SOHO switches don't run spanning tree

johnk3r
Respected Contributor

Re: Deny Access to rogue switches.

I imagined using the BPDU-GUARD to switch shuwtodwn edge- port when the BPDU receive, if any monitoring tool (IMC) would be possible to see which door was locked ...

The feature of BPDU GUARD not need the neighbor device running STP ...

**************************************
ATP FLEXNETWORK V3 | ACSA
Vince-Whirlwind
Honored Contributor
Solution

Re: Deny Access to rogue switches.

You have two issues to think about:

1. Somebody could plug in a dumb switch or a hub, then create a loop on it, the resulting broadcast storm gets passed up to your network via the single link it has to the network.
STP cannot help you for this. You need to configure loopback-detection.
Loopback-detection should be *very* high on your list of compulsory configs - ahead of DHCP snooping even.

2. Somebody could use the port for connecting some device you don't really want on your network, a switch (allowing multiple devices) or a WAP for example.
The easy thing to do to reduce this risk a little bit is to lock down the port to 2 MAC addresses max, which will be the first two MAC addresses the port sees after you configure it. If it sees any other MAC address, configure it to shutdown the port. Then the naughty users will self-report when they log a ticket with IT that their network is disconnected, which is a bonus.
Somewhat harder is a full-blown 802.1x setup where you control precisely what gets access via your ports.

16again
Respected Contributor

Re: Deny Access to rogue switches.

wouldn't bpdu-guard detect an attached switch/hub on which a loop is formed?
BPDUs will also be sent back because of the loop.

 

Vince-Whirlwind
Honored Contributor

Re: Deny Access to rogue switches.

There is no guarantee that a remote broadcast storm will have any BPDUs in it. Loop-protect is what I use to protect against this by having it enabled on all Access ports.

BPDU guard is good as well, applied to all Access ports, which is more to protect against local loops.

Transit ports to 3rd-party networks should have BPDU filter on them.

16again
Respected Contributor

Re: Deny Access to rogue switches.

Loop protect feature relies on special loop detection packets sent out by the switch being received back.

Seems to me like this is functional identical to STP and BPDU guard combo.  The switch sends out BPDUs, when one of them is received back, BPDU guard kicks in.

Mike_ES
Valued Contributor

Re: Deny Access to rogue switches.

16again
Respected Contributor

Re: Deny Access to rogue switches.

Michal,
Your link doesn't show how HP loop detection works, this one does:
http://lkhill.com/loop-detection-without-stp/

Mike_ES
Valued Contributor

Re: Deny Access to rogue switches.

Maybe not such detailed as your link to article (great details!), but basics are described well (please scroll down the article).

I think worth to look there due multi-port loopback-detection example.

Cheers!

Michal

Dave Harrold
Advisor

Re: Deny Access to rogue switches.

Thanks for the replies everyone.  Not to find some time to test out in a lab. :-)