Need help fooling a Cisco switch so it doesn't shut off my ports

Posted on 2011-10-21
Last Modified: 2012-06-27
Hello Experts,

At my workplace, we are given access to the main corporate network via network ports at our desks, that are connected back to Cisco switches.  I do not know the model etc, only that they are Cisco switches, and I don't have any level of access to them.

Separate from the corporate network, in my department, we have a few HP ProCurve 2510-48G switches and a couple of Cisco 2960G switches that are trunked together.

When I connect from my corporate network port to any unmanaged (dumb) switch, the corporate Cisco detects it and shuts down the port.  I have to then call tech support to get them to re-activate it.

If I connect the corporate connection to the Cisco 2960G switch, the port shuts down (again).

However, when I connect the corporate network port to the HP ProCurve, the port does NOT shut off!

The corporate port stays alive and happy as long as the (HP) VLAN that it is on is not trunked to a Cisco.  In other words, even if the VLAN (call it 99) is trunked across all of my HP switches, the corporate port will stay active.  The moment I configure that VLAN to trunk over to the Cisco as well, the corporate port goes down.

Now, there's something about the HP ProCurve which is preventing the corporate network switch from detecting the HP as a switch.  How can I find out what it is and get my Cisco 2960G to mimic that behavior, so that when I connect or trunk to it, the corporate network port stays alive?

Thanks in advance!
Question by:waqqas31
    LVL 33

    Expert Comment

    by:Dave Howe
    I think it is likely to be the opposite.

    Cisco switches have a specific setting (usually BPDUguard) which allows them to recognize when another Cisco switch has been connected - this is used in conjunction with "portfast" to allow a port to come online immediately when hotplugged (instead of attempting to negotiate with the port to see if there is a switch there).

    HP does not have this feature, so a Cisco will not "see" an HP switch as a switch, although it may be confused why it sees more than one MAC address on the port.  You might want to investigate the bpdufilter option (available on most Cisco switches) to prevent it sending these spanning tree specific packets and disabling the port.
    LVL 26

    Expert Comment

    To add to DaveHowe's comment

    The reason is that the HP switch must have Spanning Tree disabled, thus it is not sending BPDUs, thus not causing the port to go into err-disable by BPDU Guard.

    Author Comment


    Thank you for the info.  I am trying to read up about BPDUguard/filter now to see if they might be playing a role in this scenario.


    Actually, the HP's do have spanning-tree enabled, and so do the Cisco 2960G switches.

    From the HP running-config I see:
    spanning-tree Trk1 priority 4
    spanning-tree Trk2 priority 4

    From the Cisco 2960G running-config I see:
    spanning-tree mode pvst
    spanning-tree extend system-id

    Does that shed any light on the matter at hand?
    LVL 26

    Accepted Solution

    If that be the case then the Cisco switch must not recognize the BPDUs coming from the HP switch. The Cisco is running PVST, which is Cisco proprietary. The HP is probably running STP or RSTP.

    Expert Comment

    Let me approach this from another angle:
    When you connect the HP switch, do you have any clients connected to the HP switch?  Are they able to communicate with the corporate network?

    This could also be a case of your company limiting the number of MACs a port can see.  Some companies limit the number of computers that can be connected to a port, and the policy can be to restrict or shutdown the port.

     interface FastEthernet0/6
     switchport access vlan 100
     switchport mode access
     switchport nonegotiate
     switchport port-security maximum 5
     switchport port-security violation shutdown
     spanning-tree portfast

    In this example, only 5 MAC addresses can communicate on the port.  If more than 5 MAC addresses attempt to communicate on the port, it's put into "err-disable" state.

    The bad news is, if they are using port-security, not sure how to "fool" it.  Unless you NAT everything.  But I'd caution you, be mindful of your company's policies and the repercussions.  Wouldn't it be easier to ask them for assistance in what you're trying to accomplish?

    Author Comment


    Yes, when connecting the corporate network to the HP switch, I have been able to assign the same VLAN to multiple clients simultaneously, as well as daisy chain unmanaged switches, all without causing the source corporate port to shut down.  

    We have tried NAT-ing, but it doesn't give us the same flexibility as with a not NAT-ed IP.

    There's no worries about policies, etc.  Thanks for your concern, though :)


    On the Cisco 2960G ports that are trunking to the adjacent HP switch (in our linear topology), I tried enabling bpdufilter, expecting that this will prevent any BPDU packets from going outbound on those ports.  That did not work, however, and I'm still researching and trying to find a solution.

    Are there any packets with BPDU information that can bypass the bpdufilter on those ports?  E.g. maybe traffic that's passing through the 2960G switch (and not "originating" from it) doesn't get the BPDU meta data filtered from it?  Just speculating at this point.

    Our topology looks like this:


    I will post as soon as I make some headway.

    Everyone's assistance is greatly appreciated.

    Author Closing Comment

    This solution is on the right track, but I didn't have the resources to conduct a thorough test to see if it worked.  Thanks to everyone who contributed.
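
Added example, not part of the original thread: the replies name two protections that could be err-disabling the corporate port, BPDU Guard and port-security, and the administrator of that switch can tell which one fired from its syslog. The log lines below are constructed samples modelled on Cisco IOS err-disable messages, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread), modelled on the
# messages Cisco IOS emits when a port is err-disabled.
SAMPLE_LOG = """\
Oct 21 09:14:02: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/12 with BPDU Guard enabled. Disabling port.
Oct 21 09:14:02: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/12, putting Gi0/12 in err-disable state
Oct 21 10:40:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/6.
Oct 21 10:40:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/6, putting Fa0/6 in err-disable state
Oct 21 11:02:45: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
"""

# The err-disable message carries the cause keyword and the short port name.
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
# The port-security message carries the MAC that exceeded the limit.
PSECURE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
                     r"([0-9a-fA-F.]+) on port (\S+?)\.?$")
SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}

def short_name(ifname):
    """Normalise 'FastEthernet0/6' to 'Fa0/6' so both message styles match."""
    m = re.match(r"([A-Za-z]+)(\d.*)", ifname)
    if not m:
        return ifname
    return SHORT.get(m.group(1), m.group(1)) + m.group(2)

def classify(log_text):
    """Return {port: {"causes": [...], "macs": [...]}} for err-disabled ports."""
    ports = defaultdict(lambda: {"causes": [], "macs": []})
    for line in log_text.splitlines():
        m = ERR_DISABLE.search(line)
        if m:
            ports[short_name(m.group(2))]["causes"].append(m.group(1))
            continue
        m = PSECURE.search(line)
        if m:
            ports[short_name(m.group(2))]["macs"].append(m.group(1).lower())
    return dict(ports)

if __name__ == "__main__":
    for port, info in sorted(classify(SAMPLE_LOG).items()):
        print(port, info["causes"], info["macs"])
```

A `bpduguard` cause means the port received a spanning-tree BPDU; a `psecure-violation` cause means the MAC address limit was exceeded, and the logged MAC identifies the extra device.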
