BPDU Guard capabilities

Status
Not open for further replies.

force5

ISP
Nov 4, 2004
118
US
Hello,

We have 4 IDF closets that each hold a large stack of 3750X series switches. We also provide DSL access to our contractors via 1 modem in each closet that plugs into a 2960G switch mounted below the stack, and the DSL is shared through the 2960. These contractors are bringing in wireless routers (set to DHCP), which I would like to prevent. I enabled BPDU Guard on the 2960Gs along with the "violation" parameters, etc. However, BPDU Guard will not shut down the port if they plug into the router's WAN port, no matter how many devices connect to the router. I have had the parameter set to 1 and it still will not shut down the port. I have tested this with wireless laptops connected and hard-wired connections in the LAN ports. BPDU Guard will ONLY shut down the port if the cable from the DSL is plugged into one of the LAN ports, which is very unlikely the contractors would use to tie into the DSL.
Any help would be greatly appreciated!

Thank you,

Chad

Thanks,

Chad
Network Administrator
 
A router is not a switch, so it will never send you BPDU packets unless it is horribly configured.

The only way I can think of to block the wireless routers from being plugged in would be to use either a port-security restriction based upon MAC address or, better yet, 802.1x authentication.
 
Thanks baddos,

The 2 routers that I have noticed thus far also had LAN ports that they were sharing amongst the cubicle cluster, so I thought BPDU packets would be sent via those ports. I already have port security enabled w/ MAC restrictions, but that isn't working correctly either. Thanks for the advice, I will try 802.1x authentication. I've never set that up; are there any parameters that you recommend along with the authentication?

Cheers

Thanks,

Chad
Network Administrator
 
The way I am reading this is that you provide Internet access via DSL routers to contractors who bring in their own PCs. To provide the number of layer-2 switchports you require, you connect a 2960 switch to the DSL router and the contractors connect to this 2960? These are all isolated from your production network? Some of these contractors are bringing in consumer-class Ethernet routers that have WiFi (I assume to make their life easier by increasing the number of Ethernet ports in their area and also allowing them to connect wirelessly). These routers will be NATing, so to the switch they will only appear as a single MAC address (the WAN port of the router), so port-security won't help you here.
I am a bit confused over why you are trying to prevent them doing this? They are isolated from your production network and are limited to one port on the switch, so I can't see the problem? If you want to limit their bandwidth or what protocols they can use, then build a QoS Service-Policy or simply knock the ports down to 10Mbps and apply ACLs that only allow the protocols you want them to use.

802.1x is a nice solution, but not for contractors who bring in their own PCs.

Andy
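Putting baddos's and Andy's points together as an added example (this is not configuration posted by anyone in this thread): a Catalyst 2960 access-port stanza that keeps BPDU Guard in place but does not depend on it, because a consumer router's WAN port is a routed NAT interface and never sends a BPDU, and that instead constrains what the single MAC address the router presents on the port can do. The interface name, VLAN, the 192.0.2.0/24 subnet and the ACL name are assumptions; the permitted protocols are only an illustration of Andy's "ACLs that only allow the protocols you want" and should be set to whatever the contractors actually need.

```cisco
! Added example, not from the thread. Catalyst 2960 access port for a
! contractor DSL drop. Interface, VLAN, subnet and ACL name are assumptions.
!
! Let ports that do get err-disabled (a BPDU from a router LAN port, or a
! second MAC address) recover after 10 minutes instead of needing a visit.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Inbound port ACL. Assumes the DSL modem hands out 192.0.2.0/24 and that
! only DHCP, DNS and web browsing are wanted. 2960 port ACLs are inbound
! only, so this filters what the contractor PC (or the router's WAN port)
! sends toward the DSL modem.
ip access-list extended CONTRACTOR-IN
 permit udp any eq bootpc any eq bootps
 permit udp 192.0.2.0 0.0.0.255 any eq domain
 permit tcp 192.0.2.0 0.0.0.255 any eq 80
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 deny   ip any any
!
interface GigabitEthernet0/10
 description Contractor DSL drop (shared DSL, not corporate LAN)
 switchport mode access
 switchport access vlan 900
! BPDU Guard stays on: it still catches a cable plugged into a router's
! LAN port or a second switch. It will not fire on a WAN (NAT) port.
 spanning-tree portfast
 spanning-tree bpduguard enable
! Port security only ever sees the router's WAN MAC, so "maximum 1"
! limits the number of devices on the drop, not what sits behind a router.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
! Cheap bandwidth cap, as Andy suggested.
 speed 10
 duplex full
 ip access-group CONTRACTOR-IN in
 no cdp enable
```

The caveat a practitioner should keep in mind: everything behind the NAT router shares one source MAC and one source IP, so the ACL and the speed cap govern the drop as a whole and cannot tell a contractor's PC from a corporate laptop borrowing the connection through the router's WiFi. That distinction is exactly what the later replies push toward policy, client-side SSID lockdown, or a NAC product rather than the switch port.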
 
Hi ADB100,
You are correct in your assessment. We provide DSL via our own in-house Occam. We place modems out and share them through these 2960s. The DSL is not part of our corporate network.
The reason we want to stop this is that some of these contractors have a good relationship with some of our mobile users and allow them access to the DSL instead of being forced through our Blue Coat Proxy server, which is what we use to control our corporate network access. (The mobile users have the ability to turn off the proxy only when off of our network.) So, even though we allow them off-net access when out of the office, we would like to restrict them from using off-net access while inside the office.
I was hoping on doing this through the switches that the DSL plugs into.

Thank you

Thanks,

Chad
Network Administrator
 
Not all things are solved with technology. You need to implement policies from management stating that this type of behavior is unacceptable and that if anyone is found doing it they will be terminated. Also, what is stopping them from connecting via MiFi/mobile hotspots?

Technology-based solutions could include:
- Lock down their workstations so that the only SSIDs they can connect to are the ones you define. This wouldn't stop them from connecting with a hardwire, but it stops the easy wireless access. Another potential downside is that it will impact their wireless access while at home or on the road.
- Implement a solution such as Forescout so that you can do away with the separate DSL solution. You can dynamically provision ports based on the profile of the endpoint. This can let you grant access to the contractors and still keep your network highly secured.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 