My concern is that the port will get shut off with spanguard, so everyone loses,
but with maclock and macauth the one user will get onto the network and block
the Cisco.
Jason

On Mar 9, 2011, at 4:32 PM, "William Olive" <[email protected]> wrote:

Nick
I set up a test bench with this scenario, using a D2, a Cisco 3550 and a Cisco 
7960.

1 - spanguard WILL work, with a caveat

2 - MAC locking will always protect you against this, as the phone MAC and the 
Cisco switch MAC will appear on the port 1st, thus preventing any further 
traffic.

The caveat is this; Cisco have spantree disabled by default, unlike Enterasys, 
and since you need a ccna to enable spantree on a Cisco box then chances are 
the switch in your cupboard won't have spantree running.
Won't hurt to run spanguard however, and it's a good standard practice anyway.

eg; Cisco 7960 phone is in port ge.1.5

D2(su)->show spantree spanguardlock
Port ge.1.1 is Unlocked
Port ge.1.2 is Unlocked
Port ge.1.3 is Unlocked
Port ge.1.4 is Unlocked
Port ge.1.5 is Locked
Port ge.1.6 is Unlocked
Port ge.1.7 is Locked
Port ge.1.8 is Unlocked
Port ge.1.9 is Unlocked
Port ge.1.10 is Unlocked
Port ge.1.11 is Unlocked
Port ge.1.12 is Unlocked
Port lag.0.1 is Unlocked
Port lag.0.2 is Unlocked
Port lag.0.3 is Unlocked
Port lag.0.4 is Unlocked
Port lag.0.5 is Unlocked
Port lag.0.6 is Unlocked
D2(su)->show mac port ge.1.5

MAC Address       FID  Port          Type
----------------- ---- ------------- --------
00-0D-BC-04-9D-37 620  ge.1.5        Learned
00-0F-24-2D-2B-85 620  ge.1.5        Learned
00-0F-24-2D-2B-87 620  ge.1.5        Learned
00-0F-24-2D-2E-80 620  ge.1.5        Learned
00-0F-24-2D-2E-93 620  ge.1.5        Learned
00-0D-BC-04-9D-37 1000 ge.1.5        Learned





Billo
Data Communications Co-Ordinator
Information Technology & Telecommunications
Hunter New England Health Service
ph 0249 213804 fax 0249 213038
[email protected]
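
An added example, not part of the original thread: a Python check that parses `show mac port` output like the table in the message above and flags ports that have learned more distinct MACs than the maclock first-arrival limit discussed in this thread (2 for phone + PC). The `ge.1.6` rows, the function names and the `exempt` parameter are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Rows for ge.1.5 are copied from the `show mac port ge.1.5` output above.
# Rows for ge.1.6 are constructed here to show a port within the limit.
SAMPLE = """\
MAC Address       FID  Port          Type
----------------- ---- ------------- --------
00-0D-BC-04-9D-37 620  ge.1.5        Learned
00-0F-24-2D-2B-85 620  ge.1.5        Learned
00-0F-24-2D-2B-87 620  ge.1.5        Learned
00-0F-24-2D-2E-80 620  ge.1.5        Learned
00-0F-24-2D-2E-93 620  ge.1.5        Learned
00-0D-BC-04-9D-37 1000 ge.1.5        Learned
02-00-00-00-00-01 620  ge.1.6        Learned
02-00-00-00-00-02 620  ge.1.6        Learned
"""

# MAC, FID, port, entry type; header and separator lines do not match.
ROW = re.compile(r"^((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(\d+)\s+(\S+)\s+(\S+)$")


def macs_per_port(text):
    """Map each port to its distinct learned MACs (one MAC in two FIDs counts once)."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, _fid, port, _kind = m.groups()
            ports[port].add(mac.upper())
    return dict(ports)


def over_limit(text, limit=2, exempt=()):
    """Return {port: sorted MACs} for ports holding more MACs than `limit`.

    limit=2 mirrors the phone + PC first-arrival value from the thread;
    `exempt` is for uplinks and other ports that legitimately carry many MACs.
    """
    return {port: sorted(macs)
            for port, macs in macs_per_port(text).items()
            if port not in exempt and len(macs) > limit}


def oui_counts(macs):
    """Count MACs per OUI (first three octets); several entries under one OUI
    on an edge port are worth a closer look."""
    return Counter(mac[:8] for mac in macs)


if __name__ == "__main__":
    for port, macs in over_limit(SAMPLE).items():
        print(f"{port}: {len(macs)} MACs, limit 2 exceeded; OUIs {dict(oui_counts(macs))}")
```
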

From: Nick Allen [mailto:[email protected]]
Sent: Wednesday, 9 March 2011 22:12
To: Enterasys Customer Mailing List
Cc: Yoram Nissenbaum
Subject: Re: [enterasys] Cross-connected switch...

Thanks Yoram - Jason said the same thing, so I think we'll give that a go as 
it's a simple config change.

I suppose then, the symptoms will still occur, but only for a maximum of 2 
workstations plugged into the Cisco switch.

Thanks to everyone who responded. Am aware that auth is best, but we haven't 
time to do that at the mo.

Cheers,

Nick.

2011/3/8 Yoram Nissenbaum <[email protected]>
hi,
Another easy way is to limit MAC "capacity" per port with the "Maclock" setting.
Set the value of first arrival=(2 if you have Phone+PC or just 1).
This way first MAC (or 2) is locked to the port dynamically.
Traffic from any other MAC is dropped at the port.
MAC to port mapping is reset when link is down.
This way you minimize the impact of the scenario you described to ONE or NONE PC
affected.
Rdg.
Yoram.

-----Original Message-----
From: William Olive [mailto:[email protected]]
Sent: Tue 3/8/2011 23:06
To: Enterasys Customer Mailing List
Subject: RE: [enterasys] Cross-connected switch...

Spanguard won't do it (otherwise Cisco phones would not work on C2s, which they 
obviously do).

This is a tough one Nick. Policy is probably your best bet.

Billo

From: Nick Allen [mailto:[email protected]]
Sent: Wednesday, 9 March 2011 02:55
To: Enterasys Customer Mailing List
Cc: Read, Simon
Subject: Re: [enterasys] Cross-connected switch...

Ok - thanks Simon. Will look into that.

Cheers,

N.
On 8 March 2011 14:31, Read, Simon <[email protected]> wrote:
Hi Nick,

Spanguard lock would do it.


Kind regards,

Simon Read
Service Engineer

Nashua Communications (Pty) Ltd.
Unit 10 Growthpoint Business Park,
No 2 Tonnetti Street, Midrand, 1685
M: +27 84  676 9200
Fax: +27100012500
[email protected]
www.nashua-communications.com

From: Nick Allen [mailto:[email protected]]
Sent: 08 March 2011 04:29 PM

To: Enterasys Customer Mailing List
Cc: Read, Simon
Subject: Re: [enterasys] Cross-connected switch...

Sorry - I should have been more verbose.

What I'd really like to happen is that the port would somehow detect that it's 
a rogue connection and shut off that port so that inter-connection can't happen 
in the first place.

N.
On 8 March 2011 14:19, Read, Simon <[email protected]> wrote:
Hi Nick,

Use Policy to only allow DHCP from a specific server?


Kind regards,

Simon Read
Service Engineer


From: Nick Allen [mailto:[email protected]]
Sent: 08 March 2011 04:05 PM

To: Enterasys Customer Mailing List
Subject: [enterasys] Cross-connected switch...

Hi,

We have an office with an Enterasys C2G in it.
Also in that office and in the same cabinet is a Cisco switch that belongs to 
another sister company.

Devices plugged into the Cisco switch were getting IP addresses in the DHCP range
that would normally be only available on the C2.
We traced it with Compass to an IP phone with the passthrough port plugged into
the Cisco switch instead of a workstation.

What's the best way to prevent this happening from a config point of view on
the Enterasys only (given that we don't have access to the Cisco)?

Thanks,

Nick.


C4-2C-03-29-E8-FE
10.113.11.1



--

Nick Allen
IT Director
76-80 Whitfield Street
London, W1T 4EZ

Direct: +44 20 7573 6792
Mobile: +44 7970 121 609
Main: +44 20 7573 6500

Reg. Office: TBWA UK GROUP Ltd, address as above
Company Reg. #: 4332188 (UK)
Company VAT #: GB 656 8994 61

