I need to find a way to auto block/shut down a switch port if someone attaches a hub or physical-layer switch to an EX2200/EX2300 switch.
Actually, in our branch offices, staff have a practice of connecting more PCs by connecting a hub to the switch port, which creates problems by introducing broadcast and congestion in the network, rendering slow performance complaints of the APPLICATION. So I am curious if there is a way to configure the switch (EX2200/2300) to auto shut the port whenever hubs are connected and maybe generate an alert to notify the network administrator.
For illegally connected switches sending BPDUs, you can enable BPDU-Blocking, shut down the port and get a syslog message when receiving any BPDU.
Else you can use MAC-limit and limit the number of seen MAC addresses to 1 or 2 (if phones are connected in a serial manner), and shut down the port and get a syslog message on violation.
I think BPDU blocking works in case a Layer-2 switch is connected. In the case of hubs, which don't send BPDU messages, the only way is to allow 1 MAC per port.
There is no simple solution for all use cases: L2 switch with STP enabled, L2 switch with STP disabled, hub, or a small router with a built-in Wi-Fi AP (like this one: https://www.amazon.com/TP-Link-Wireless-Portable-Travel-Router/dp/B00TQEX8BO ).
The most secure solution is to use 802.1X port authentication. It requires a RADIUS server and compatible clients.
EX model support for 802.1X feature is described here https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFName=802.1X%20authentication%20port-based%20network%20access%20control%20(PNAC) .
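
The two controls suggested in the replies above (BPDU blocking and a per-port MAC limit with shutdown), written out as Junos `set` commands. This is an added example, not configuration posted by anyone in the thread; the interface `ge-0/0/1`, the limit of 2, the 300-second recovery timer and the syslog host `192.0.2.10` are assumed placeholder values. The statement hierarchy differs between the EX2200 (legacy CLI) and the EX2300 (ELS CLI), so verify each statement against your Junos release before committing.

```junos
# ---- EX2200 (legacy, non-ELS configuration style) ----
# Shut the access port when a BPDU arrives (catches switches running STP).
set ethernet-switching-options bpdu-block interface ge-0/0/1.0
# Learn at most 2 MAC addresses (PC behind an IP phone); shut down on violation.
# A hub or unmanaged switch with several PCs behind it trips this limit.
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 mac-limit 2 action shutdown
# Optional: re-enable error-disabled ports automatically after 300 seconds.
# Leave these out if an administrator should clear the port by hand.
set ethernet-switching-options bpdu-block disable-timeout 300
set ethernet-switching-options port-error-disable disable-timeout 300

# ---- EX2300 (ELS configuration style) ----
# Same BPDU protection, under the layer2-control hierarchy.
set protocols layer2-control bpdu-block interface ge-0/0/1
# Same MAC limit of 2 with shutdown as the violation action.
set switch-options interface ge-0/0/1.0 interface-mac-limit 2 packet-action shutdown
# Optional automatic recovery after 300 seconds.
set interfaces ge-0/0/1 unit 0 family ethernet-switching recovery-timeout 300

# ---- Both platforms: forward log messages to a collector ----
# 192.0.2.10 is a placeholder (documentation address range); the collector
# is where alerting on port-shutdown events for the administrator is built.
set system syslog host 192.0.2.10 any notice
```

A MAC limit does not stop a small NAT router such as the travel router mentioned above, because the switch only ever sees the router's single MAC address; that case is what 802.1X is for.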