BPDU Guard / Port Security

sysit

Hi all, I'm in the process of installing a couple of XGS1935-52HP switches (SW01 & SW02) using Nebula Control Centre, both connected directly to our router. The switches aren't connected directly to each other. I've enabled BPDU Guard on all the access ports on both switches, and then connected a managed Netgear switch into one of the access ports on SW02 - BPDU Guard didn't kick in and disable the access port. When creating a loop on the managed Netgear switch, LoopGuard kicked in and disabled the uplink port on SW01. The uplink ports on SW01 and SW02 have RSTP disabled and LoopGuard enabled.

Questions:

1. Why didn't BPDU guard disable the access port on SW01?
2. How do I prevent unauthorised switches from being connected to the network? I was looking at Port Security as a solution, but don't appear to be able to configure this without using Mac-based authentication.

Zyxel_Melen

Hi @sysit

Why didn't BPDU guard disable the access port on SW01?

BPDU is a control packet of spanning tree. If the BPDU guard doesn't disable the port, it could be because the connecting device didn't send BPDU packet.

Since you didn't mention the Netgear setting, please share if it enables spanning tree.

How do I prevent unauthorised switches from being connected to the network? I was looking at Port Security as a solution, but don't appear to be able to configure this without using Mac-based authentication.

The best one is the MAC authentication. The unauthorised switches might not all be managed switches, but also unmanaged switches. But the more important part is that the connecting device is under the unauthorised switches. Here is the FAQ to setup MAC authentication:

https://community.zyxel.com/en/discussion/16981/how-to-configure-mac-authentication-via-nebula-cloud-authentication-server-ncas-on-nebula-switch