Spanguard Considerations on EOS Switches

Objective
Considerations for implementing Spanguard
Environment
  • SecureStack
  • K-Series
  • S-Series
Procedure
  • Spanguard prevents a switch from being added to the network without your knowledge.
  • When a switch is added on a port configured as True (End Station), the port is disabled and all logging servers receive a trap. The default is False (Non-edge port).

Guidelines for implementation:

  • Determine the present Spantree edge port status with "show spantree operedge"
    • By default, a port with no link reports as Non-Edge-Ports (the same status as an uplink port)
    • To determine whether a port is an uplink, use "show port status" or "show mac port port#" to see if more than one MAC address is learned
  • Set adminedge to True on any port with a PC attached: "set spantree adminedge port# true" (this allows fast forwarding to the end users)
  • Set adminedge to False on any uplink ports and LAG ports (default is False): "set spantree adminedge port# false"
  • The following Spanning Tree commands detect a Spanning Tree BPDU received on an edge port, lock the port and send a trap for the event to a configured server:
    • Enable Spanning Tree: set spantree enable
    • set spantree adminedge <port_#> true
    • Enable Spanguard: set spantree spanguard enable
    • set spantree spanguardlock port# enable
    • set spantree spanguardtrapenable enable
  • Isolate Spanning Tree where you are not sure whether a connecting link is sending BPDUs into the switch
    • Check the output of "show spantree stats active"
    • The list shows the set of ports that have contributed to offering their services as a root bridge
    • If Spanning Tree topology changes stop, issue "set spantree portadmin port# disable" to prevent processing of BPDUs from the connecting switch. Be aware that if a loop has been formed further down the road, this may allow the loop to start.
    • If the condition is corrected, the next step is to investigate why the connecting unit is sending BPDUs and address it
  • Disable all unused ports on the switch and put them in a VLAN that is not used for normal operations
  • Deploy hostprotect on the host port to provide protection against a MAC flooding attack or repeaters being added on a port
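
The guidelines above, worked through as an added example that is not part of the original article: a Python script that classifies surveyed ports with the article's more-than-one-MAC uplink test and emits the article's set spantree commands. The port names and survey rows are constructed, and treating a linked port with at most one learned MAC as an edge port is an assumption.

```python
# Added example: build the article's Spanguard commands from a port survey.
# The survey rows below are constructed sample data, not real switch output.
from typing import NamedTuple


class Port(NamedTuple):
    name: str             # port string such as ge.1.1 (constructed)
    link_up: bool         # link state, as read from "show port status"
    mac_count: int        # MACs learned, as read from "show mac port port#"
    is_lag: bool = False  # LAG ports are always handled as uplinks


def classify(p: Port) -> str:
    """LAG ports and ports with more than one learned MAC are uplinks.
    Linked ports with at most one MAC are edge ports (assumption).
    Ports with no link are unused."""
    if p.is_lag or p.mac_count > 1:
        return "uplink"
    if not p.link_up:
        return "unused"
    return "edge"


def build_commands(ports):
    """Return (commands, unused_ports). Unused ports are only reported:
    the article says to disable them and move them to an unused VLAN."""
    cmds = ["set spantree enable",
            "set spantree spanguard enable",
            "set spantree spanguardtrapenable enable"]
    unused = []
    for p in ports:
        role = classify(p)
        if role == "edge":
            cmds.append(f"set spantree adminedge {p.name} true")
            cmds.append(f"set spantree spanguardlock {p.name} enable")
        elif role == "uplink":
            # Never mark an uplink or LAG port as an edge port.
            cmds.append(f"set spantree adminedge {p.name} false")
        else:
            unused.append(p.name)
    return cmds, unused


SURVEY = [Port("ge.1.1", True, 1), Port("ge.1.10", False, 0),
          Port("ge.1.48", True, 37), Port("lag.0.1", True, 0, is_lag=True)]

if __name__ == "__main__":
    commands, unused_ports = build_commands(SURVEY)
    print("\n".join(commands))
    print("Unused ports to disable and move to an unused VLAN:", unused_ports)
```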