  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 247

Need help fooling a Cisco switch so it doesn't shut off my ports

Hello Experts,

At my workplace, we are given access to the main corporate network via network ports at our desks, that are connected back to Cisco switches.  I do not know the model etc, only that they are Cisco switches, and I don't have any level of access to them.

Separate from the corporate network, in my department, we have a few HP ProCurve 2510-48G switches and a couple of Cisco 2960G switches that are trunked together.

When I connect from my corporate network port to any unmanaged (dumb) switch, the corporate Cisco detects it and shuts down the port.  I have to then call tech support to get them to re-activate it.

If I connect the corporate connection to the Cisco 2960G switch, the port shuts down (again).

However, when I connect the corporate network port to the HP ProCurve, the port does NOT shut off!

The corporate port stays alive and happy as long as the (HP) VLAN that it is on is not trunked to a Cisco.  In other words, even if the VLAN (call it 99) is trunked across all of my HP switches, the corporate port will stay active.  The moment I configure that VLAN to trunk over to the Cisco as well, the corporate port goes down.

Now, there's something about the HP ProCurve which is preventing the corporate network switch from detecting the HP as a switch.  How can I find out what it is and get my Cisco 2960G to mimic that behavior, so that when I connect or trunk to it, the corporate network port stays alive?

Thanks in advance!
Asked by waqqas31

1 Solution

Dave Howe commented:
I think it is likely to be the opposite.

Cisco switches have a specific setting (usually BPDUguard) which allows them to recognize when another Cisco switch has been connected - this is used in conjunction with "portfast" to allow a port to come online immediately when hotplugged (instead of attempting to negotiate with the port to see if there is a switch there).

HP does not have this feature, so a Cisco will not "see" an HP switch as a switch, although it may be confused why it sees more than one MAC address on the port.  You might want to investigate the bpdufilter option (available on most Cisco switches) to prevent it sending these spanning-tree-specific packets and disabling the port.
 
Soulja commented:
To add to DaveHowe's comment:

The reason is that the HP switch must have Spanning Tree disabled, thus it is not sending BPDUs, thus not causing the port to go into err-disable by BPDU Guard.
 
waqqas31 (Author) commented:
@DaveHowe,

Thank you for the info.  I am trying to read up about BPDUguard/filter now to see if they might be playing a role in this scenario.

@Soulja,

Actually, the HP's do have spanning-tree enabled, and so do the Cisco 2960G switches.

From the HP running-config I see:
....
spanning-tree
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
....

From the Cisco 2960G running-config I see:
....
spanning-tree mode pvst
spanning-tree extend system-id
....

Does that shed any light on the matter at hand?

Soulja commented:
If that is the case, then the Cisco switch must not recognize the BPDUs coming from the HP switch. The Cisco is running PVST, which is Cisco proprietary. The HP is probably running STP or RSTP.
 
team_netwk commented:
Let me approach this from another angle:
When you connect the HP switch, do you have any clients connected to the HP switch?  Are they able to communicate with the corporate network?

This could also be a case of your company limiting the number of MACs a port can see.  Some companies limit the number of computers that can be connected to a port, and the policy can be to restrict or shutdown the port.

Example:
 interface FastEthernet0/6
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 switchport port-security maximum 5
 switchport port-security violation shutdown
 spanning-tree portfast

In this example, only 5 MAC addresses can communicate on the port.  If more than 5 MAC addresses attempt to communicate on the port, it's put into "err-disable" state.

The bad news is, if they are using port-security, I'm not sure how to "fool" it.  Unless you NAT everything.  But I'd caution you, be mindful of your company's policies and the repercussions.  Wouldn't it be easier to ask them for assistance in what you're trying to accomplish?
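As an added defender-side example (not code from the thread or from any poster), here is a small Python parser for the IOS syslog messages these posts revolve around: a BPDU Guard or port-security violation followed by the `%PM-4-ERR_DISABLE` line that actually shuts the port. It ties each err-disabled port back to its cause and the triggering detail (the offending MAC for port-security), which is what the help desk needs before re-enabling a port. The sample log lines, port names and MAC address are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the thread). The message formats
# follow what Cisco IOS emits when BPDU Guard or port-security err-disables a port.
SAMPLE_LOG = """\
Mar  1 10:02:11 sw-core1 1234: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/12 with BPDU Guard enabled. Disabling port.
Mar  1 10:02:11 sw-core1 1235: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/12, putting Gi0/12 in err-disable state
Mar  1 10:15:40 sw-core1 1240: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/6.
Mar  1 10:15:40 sw-core1 1241: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/6, putting Fa0/6 in err-disable state
Mar  1 10:20:03 sw-core1 1250: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
"""

# The ERR_DISABLE line names the cause (bpduguard, psecure-violation, ...) and the port.
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on (?P<port>\S+),")
BPDU_GUARD = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: .* on port (?P<port>\S+) ")
PSECURE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>\S+)\.")

# Trigger messages use long interface names; ERR_DISABLE uses the short form.
LONG_TO_SHORT = (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa"))


def short_name(port):
    """Normalise 'GigabitEthernet0/12' to the 'Gi0/12' form used in ERR_DISABLE lines."""
    for long, short in LONG_TO_SHORT:
        if port.startswith(long):
            return short + port[len(long):]
    return port


def parse_err_disable(log_text):
    """Map each err-disabled port to its cause and the details of the triggering event."""
    details = defaultdict(list)   # short port name -> list of trigger details
    events = {}
    for line in log_text.splitlines():
        if m := PSECURE.search(line):
            details[short_name(m.group("port"))].append("mac=" + m.group("mac"))
        elif m := BPDU_GUARD.search(line):
            details[short_name(m.group("port"))].append("bpdu received")
        elif m := ERR_DISABLE.search(line):
            port = m.group("port")
            # Share the list so a trigger logged after the ERR_DISABLE line is still attached.
            events[port] = {"cause": m.group("cause"), "details": details[port]}
    return events


if __name__ == "__main__":
    for port, info in parse_err_disable(SAMPLE_LOG).items():
        print(f"{port}: err-disabled by {info['cause']} ({', '.join(info['details']) or 'no detail'})")
```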
 
waqqas31 (Author) commented:
@team_netwk:

Yes, when connecting the corporate network to the HP switch, I have been able to assign the same VLAN to multiple clients simultaneously, as well as daisy chain unmanaged switches, all without causing the source corporate port to shut down.  

We have tried NAT-ing, but it doesn't give us the same flexibility as with a not NAT-ed IP.

There's no worries about policies, etc.  Thanks for your concern, though :)

@Soulja:

On the Cisco 2960G ports that are trunking to the adjacent HP switch (in our linear topology), I tried enabling bpdufilter, expecting that this will prevent any BPDU packets from going outbound on those ports.  That did not work, however, and I'm still researching and trying to find a solution.

Are there any packets with BPDU information that can bypass the bpdufilter on those ports?  E.g. maybe traffic that's passing through the 2960G switch (and not "originating" from it) doesn't get the BPDU meta data filtered from it?  Just speculating at this point.

Our topology looks like this:

HP---HP---HP---...---HP---Cisco---fibre---Cisco---HP---HP---...---HP

I will post as soon as I make some headway.

Everyone's assistance is greatly appreciated.
 
waqqas31 (Author) commented:
This solution is on the right track, but I didn't have the resources to conduct a thorough test to see if it worked.  Thanks to everyone who contributed.