
xdxml12

join:2012-10-26

Loops Vlans?

Hi All,

I have a current design that looks like this.

Several access switches connect to many booths throughout the office. This office is used for shows and customers plug their devices into the available slots in the booths. But the problem I am having is that loops can easily occur and VLANs get exchanged with new devices, because too often people bring their own switches and plug them into the available ports. How do I stop this from happening? Sometimes 2 or 3 different customers use the same booth so I cannot do a MAC address sticky. I also want to keep broadcasts to a minimum, they are killing the network. What is your advice?


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8

Hello... SPANNING-TREE. That's the entire purpose for the thing.

If they're creating loops within their own gear, there's not much you can do about it, though storm-control might help.


aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to xdxml12

Most likely the problem is that your network is allowing incoming BPDU frames from the customers' end, which should never happen. BPDU guard and similar protection should point you to the right direction.



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to xdxml12

get better customers.

bpduguard the edge ports. prevent them from taking over stp root bridge. run an rstp variant of stp.

q.



TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to xdxml12

What about port security?

Limit the number of MAC addresses per port to 1. If the switch sees more than 1, it shuts down the port. They then have to contact you to report a fault, and you'll probably know why, at which point you can serve them the rules about plugging extra switches in.


nosx

join:2004-12-27
00000
kudos:5

no no no, if you plan to allow people to bring their own switches et al., why don't you just turn on broadcast/multicast storm suppression at 0.01% of port speed.

When they create a loop it will be a minor annoyance and not result in any outage.


markysharkey
Premium
join:2012-12-20
united kingd
reply to xdxml12

As has been said already, make the ports access ports, switch off trunk negotiation (I know trunk negotiation is usually switched off by default when a static access port is configured but there is no harm in making the configuration) and enable BPDUGuard. I'd disable CDP on the "public" interfaces to prevent folk looking at the next hop details (no cdp enable under the interface).
I'd also ensure your switches have no ip http server / no ip https server configured to stop people jumping on to the web interface and making their own changes. Plus set strong passwords for Telnet and SSH, or simply don't allow Telnet / SSH logins, again to prevent users making their own changes.
--
Binary is as easy as 01 10 11



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to nosx

said by nosx:

no no no, if you plan to allow people to bring their own switches et al, why dont you just turn on broadcast/multicast storm suppression at 0.01% of port speed.

When they create a loop it will be a minor annoyance and not result in any outage.

meh -- if you set errdisable recovery at like 10 seconds -- it'll be even more fun for you.
come on, nosx -- i expect you to be more playful. something like the catbert of the it realm.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
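The edge-port hardening recommended through this thread (cramer's spanning-tree and storm-control, aryoba's and tubbynet's BPDU guard, TomS_'s one-MAC port security, nosx's 0.01% storm suppression, markysharkey's access-mode/no-DTP/no-CDP/no-HTTP advice) and tubbynet's errdisable recovery timer above, gathered into one configuration. This is an added example, not a config from anyone in the thread; it assumes Cisco IOS (the syntax the posters are quoting), and the interface range, VLAN number, timer and thresholds are placeholders to adjust for your switches.

```cisco
! Added example, not from the thread. Assumes Cisco IOS; interface names,
! VLAN 110, the 300 s recovery timer and the storm thresholds are placeholders.
!
! ---- global settings ----
spanning-tree mode rapid-pvst
! A port err-disabled by BPDU guard, storm control or port security comes
! back by itself after 5 minutes, so nobody has to walk to the closet.
errdisable recovery cause bpduguard
errdisable recovery cause storm-control
errdisable recovery cause psecure-violation
errdisable recovery interval 300
! Management plane: no web UI, SSH only on the VTY lines
! (authentication/AAA setup is outside this example).
no ip http server
no ip http secure-server
ip ssh version 2
line vty 0 15
 transport input ssh
!
! ---- customer-facing booth ports ----
interface range GigabitEthernet1/0/1 - 24
 description BOOTH customer port - untrusted
 switchport mode access
 switchport access vlan 110
 ! never negotiate a trunk with whatever the customer plugs in (no DTP)
 switchport nonegotiate
 ! edge port: forward immediately, and err-disable if any BPDU arrives,
 ! so a customer switch can never become root or extend our STP domain
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! storm control at nosx's 0.01% of port speed; the default action drops
 ! the excess instead of shutting the port, so a customer loop stays a
 ! local annoyance; "trap" additionally raises an SNMP trap for monitoring
 storm-control broadcast level 0.01
 storm-control multicast level 0.01
 storm-control action trap
 ! booths cannot talk to each other at layer 2 even within the same VLAN
 switchport protected
 ! do not advertise next-hop details to customers
 no cdp enable
 no lldp transmit
 ! TomS_'s option: one MAC per port, shut on violation; the learned MAC
 ! ages out after 5 idle minutes so the next customer can use the booth
 ! without sticky entries
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security aging time 5
 switchport port-security aging type inactivity
```

Two checks worth doing after applying this: `show spanning-tree interface GigabitEthernet1/0/1 detail` should list the port as a portfast edge with BPDU guard enabled, and `show errdisable recovery` should list the three causes with the timer. On platforms that spell the edge-port command `spanning-tree portfast edge`, use that form; the rest is unchanged.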

nosx

join:2004-12-27
00000
kudos:5

You are right tubby, what was i thinking...

How about this:

Set up a different VLAN on every port to every different customer/booth/whatever and run it up to the same router.

If you detect a storm on a given vlan (set up bcast/mcast storm suppression) generate a log message caught by an EEM script that configures WCCP on the router:

Use a WCCP proxy on the linux box hanging off the router to perform upside-down-ternet proxying: »www.ex-parrot.com/pete/upside-do···net.html

The less enjoyable users will get the hint that they did something stupid, and will correct it to receive the right-side-upternet again.

;-P

HELLFIRE
Premium
join:2009-11-25
kudos:16

Child's play. If we're talking Catbert-level, should generate something along the lines of an FBI "You have been caught stealing on the internet" page :twisted:

Regards



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to nosx

much better.
playful.
twisted.

even better -- when they ask what was wrong -- say that the token ring on the cable must have been lost in the ether-net. ask them to find the token -- they have to before it'll work again.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


HELLFIRE
Premium
join:2009-11-25
kudos:16

...then hand them a live end of a fiber cable to look for the dropped token.

Regards


xdxml12

join:2012-10-26
reply to xdxml12

Thanks for the inputs. I've decided to add BPDU guard and stop sending DTP to stop forming trunks. Private VLANs were an interesting read. Thanks all.
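For the broadcast problem the original post raises, nosx's suggestion of a separate VLAN per booth carried up to one router is the part of his post that is worth keeping: a storm or loop inside one booth then only burns that booth's VLAN and one router subinterface, instead of the whole show floor. The configuration below is an added example, not from the thread; it assumes Cisco IOS on both the access switch and the router, and VLAN numbers, interface names and the 10.0.x.0/24 addressing are placeholders.

```cisco
! Added example, not from the thread. Assumes Cisco IOS; VLAN ids 101/102,
! interface names and the 10.0.x.0/24 subnets are placeholders.
!
! ---- access switch: one VLAN per booth ----
vlan 101
 name BOOTH-01
vlan 102
 name BOOTH-02
!
interface GigabitEthernet1/0/1
 description BOOTH-01 customer port
 switchport mode access
 switchport access vlan 101
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! per-port storm control still applies; the VLAN just bounds the blast radius
 storm-control broadcast level 0.01
 storm-control multicast level 0.01
!
interface GigabitEthernet1/0/2
 description BOOTH-02 customer port
 switchport mode access
 switchport access vlan 102
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 0.01
 storm-control multicast level 0.01
!
! uplink to the router: a static trunk carrying only the booth VLANs,
! with DTP off so nothing on this link is negotiated either
interface GigabitEthernet1/0/24
 description uplink to router
 ! older platforms need the encapsulation line before "mode trunk"
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 101,102
 switchport nonegotiate
!
! ---- router: one subinterface (and broadcast domain) per booth ----
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.101
 description BOOTH-01
 encapsulation dot1Q 101
 ip address 10.0.101.1 255.255.255.0
!
interface GigabitEthernet0/0.102
 description BOOTH-02
 encapsulation dot1Q 102
 ip address 10.0.102.1 255.255.255.0
```

With this layout, whether booth 1 may reach booth 2 at all becomes a routing-policy decision on the router (an ACL on the subinterfaces) rather than something a customer's switch can influence, and `show interfaces GigabitEthernet1/0/24 trunk` on the access switch should list exactly the booth VLANs and nothing else.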