Wired Intelligent Edge

How to prevent users from using layer 1 switches on network

  • 1.  How to prevent users from using layer 1 switches on network

    Posted Feb 15, 2021 03:36 AM
    Hello,

    How can I prevent users from using layer 1 switches (e.g. D-Link, Totolink) on Aruba 2930M switches?
    I used the commands (admin edge ports and BPDU protection) on the ports, but it didn't work. Is there any other way?

    ------------------------------
    Ahmed Elshindidy
    ------------------------------


  • 2.  RE: How to prevent users from using layer 1 switches on network

    MVP GURU
    Posted Feb 15, 2021 08:46 AM
    Unless the switches are running spanning tree and sending BPDUs, your traditional detection will not work. You could look into limiting MAC addresses on edge ports, starting with port security ( https://techhub.hpe.com/eginfolib/networking/docs/switches/WB/15-18/5998-8152_wb_2920_asg/content/ch14s02.html )


    ------------------------------
    Dustin Burns
    ------------------------------



  • 3.  RE: How to prevent users from using layer 1 switches on network

    Posted Feb 15, 2021 10:28 AM
    Hello Ahmed,

    As Dustin already suggested, we use port-security for the exact same reason: to prevent users from connecting their own switches. We use the config shown below by default. This limits the number of simultaneous MAC addresses per port to 1, learning the first MAC address that connects and blocking any others.

    ArubaOS-switch(config)# port-security <EDGE_PORT_LIST> learn-mode limited-continuous action send-alarm
    ArubaOS-switch(config)# no port-security <ALL_PORT_LIST> eavesdrop-prevention

    Note that users can still connect their own switches, but as soon as they use 2 devices at the same time on their switch, the 2nd device's MAC address will be blocked, so it can't access the network. Eventually users end up at our IT Servicedesk, so we can remove their switch and place our own, or patch an extra port for the user to solve their problem.

    Note also that a MAC-address limit of 1 might block users running VMs, or some VoIP solutions (when their PC is linked via their VoIP). In that case we raise the MAC-address limit to the number needed for the user by adding the config below.

    ArubaOS-switch(config)# port-security <EDGE_PORT> address-limit <NUMBER_OF_SIMULTANEOUS_MAC-ADDRESSES>


    Kind regards,
    Niels Mejan,
    University of Twente

    ------------------------------
    Niels Mejan
    ------------------------------
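    The two replies above (MAC-address limiting as the detection that works when an unmanaged switch sends no BPDUs, and the address-limit override for phone or VM users) can be reasoned about with a small model before touching production ports. The following is an added example written for this thread, not code from the forum posters or from HPE Aruba: it simulates the "learn-mode limited-continuous" plus "address-limit" behaviour as the replies describe it, replays a constructed frame stream, and reports which ports look like they have a switch behind them. Port names, MAC addresses and the event stream are constructed; MAC ageing and the switch's real alarm format are not modelled.

```python
# Added example (not the thread's or HPE Aruba's code): a model of the
# port-security behaviour described in the replies above. Everything below
# is constructed for illustration.
from collections import defaultdict


class PortSecuritySim:
    """Models per-port MAC limiting as the replies describe it.

    learn-mode limited-continuous: the first `address_limit` source MACs seen
    on a port are learned; any further source MAC is dropped and, with
    `action send-alarm`, an alarm is recorded. Learned entries persist, so a
    second device behind a user's own switch stays blocked until an admin
    intervenes (ageing is deliberately not modelled here).
    """

    def __init__(self, default_limit=1):
        self.default_limit = default_limit
        self.limits = {}                    # per-port override, like `address-limit N`
        self.learned = defaultdict(list)    # port -> learned MACs, in learn order
        self.alarms = []                    # (port, blocked_mac)

    def set_address_limit(self, port, n):
        self.limits[port] = n

    def limit_for(self, port):
        return self.limits.get(port, self.default_limit)

    def frame(self, port, src_mac):
        """Return 'forward', 'learn' or 'block' for one frame from src_mac on port."""
        macs = self.learned[port]
        if src_mac in macs:
            return "forward"
        if len(macs) < self.limit_for(port):
            macs.append(src_mac)
            return "learn"
        self.alarms.append((port, src_mac))   # action send-alarm
        return "block"

    def suspected_switch_ports(self, min_blocked=2):
        """Ports with at least `min_blocked` distinct blocked MACs.

        Several distinct blocked MACs on one port is the signature of an
        unmanaged switch (or a VM host / phone chain that needs a higher
        limit), whereas a single blocked MAC is usually just a swapped PC.
        """
        blocked = defaultdict(set)
        for port, mac in self.alarms:
            blocked[port].add(mac)
        return sorted(p for p, macs in blocked.items() if len(macs) >= min_blocked)


# Constructed frame stream: (port, source MAC).
#   1/5: one PC.
#   1/6: an unmanaged desktop switch with three devices behind it.
#   1/7: a VoIP phone with a PC daisy-chained behind it (two legitimate MACs).
EVENTS = [
    ("1/5", "00:11:22:00:00:01"),
    ("1/5", "00:11:22:00:00:01"),
    ("1/6", "00:11:22:00:00:10"),
    ("1/6", "00:11:22:00:00:11"),
    ("1/6", "00:11:22:00:00:12"),
    ("1/6", "00:11:22:00:00:10"),
    ("1/7", "00:11:22:00:00:20"),   # phone
    ("1/7", "00:11:22:00:00:21"),   # PC behind the phone
]


def run(events, limits=None):
    """Replay events with a default limit of 1; `limits` maps port -> address-limit."""
    sim = PortSecuritySim(default_limit=1)
    for port, n in (limits or {}).items():
        sim.set_address_limit(port, n)
    verdicts = [(port, mac, sim.frame(port, mac)) for port, mac in events]
    return verdicts, sim


if __name__ == "__main__":
    # Default limit of 1 everywhere: the phone+PC port is blocked as well.
    verdicts, sim = run(EVENTS)
    for port, mac, verdict in verdicts:
        print(f"{port} {mac} -> {verdict}")
    print("suspected switches:", sim.suspected_switch_ports())

    # Raise the limit on 1/7 to 2, as the reply suggests for VoIP/VM users:
    # the phone chain is now allowed, the real unmanaged switch still flags.
    verdicts, sim = run(EVENTS, limits={"1/7": 2})
    print("alarms after override:", sim.alarms)
    print("suspected switches:", sim.suspected_switch_ports())
```

    The `min_blocked` threshold is the tuning knob: with the default limit of 1, port 1/7 (phone plus PC) produces a single alarm and is not reported as a switch, while port 1/6 produces two distinct blocked MACs and is. Raising the address-limit on 1/7 to 2 removes its alarm entirely without hiding the unmanaged switch on 1/6.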



  • 4.  RE: How to prevent users from using layer 1 switches on network

    Posted Feb 15, 2021 12:39 PM
    Hello,
    Use BPDU protection on access ports to avoid switch connections and loop issues, by the way.
    Disable all other unused ports and use DHCP snooping.
    Max