Is there a way to detect unmanaged switches that are connected on access ports?
In a spanning-tree, trunking, managed network I look at BPDU errors on ports, which usually indicate an unmanaged switch, as a PC should not send these.
I also look at logs that indicate that a switch is running low on resources, as loops can overload the CPU if they're not detected.
Do you know of any other or better ways?
I am primarily interested in solutions that work with Cisco and Juniper, but a vendor-agnostic approach would also be welcome.
I am asking because access ports use two VLANs (data and voice), and any frames sent through unmanaged switches lose the voice VLAN tag, which causes problems with the phones.
Best Answer
Preventing Unmanaged Switches and Loops:
The best solution would be to block unmanaged switches entirely, except those that you explicitly allow. This can be done by enabling BPDU Guard on access ports, which would disable any port that receives a BPDU packet.
Example:
If there are unmanaged switches on your network that you would like to keep, but you want to protect STP and prevent loops, you could enable a feature called Root Guard. This would allow that port to still receive BPDU packets, but it would not forward those that try to alter STP.
Example:
Limit the number of MAC addresses or whitelist MAC addresses on switch ports.
Example:
Detecting Unmanaged Switches:
Method 1: View the MAC address table; if you see multiple machines connecting on a single port, that is a pretty good indication that there is a switch connected to that port.
Method 2: Look for ports running STP
Example:
Method 3: Using Cisco debug to see which ports are receiving BPDUs
Example:
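Method 1 and the BPDU Guard log check above are easy to automate once you have the CLI output in hand. The following is an added example, not code from the answer or from any vendor: it parses a constructed Cisco IOS style "show mac address-table" dump and constructed syslog lines, flags access ports that learned more than one MAC in a single VLAN (a phone-plus-PC port normally shows at most one MAC per VLAN, so counting per VLAN avoids flagging every voice port), and lists ports that BPDU Guard has err-disabled. The port names, MAC addresses and the exact wording of the log lines are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of "show mac address-table" output (not real switch data).
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
 100    0011.2233.4466    DYNAMIC     Gi1/0/1
  10    0011.2233.4477    DYNAMIC     Gi1/0/2
  10    0011.2233.4488    DYNAMIC     Gi1/0/2
  10    0011.2233.4499    DYNAMIC     Gi1/0/2
  10    0011.2233.4500    DYNAMIC     Gi1/0/24
  20    0011.2233.4511    DYNAMIC     Gi1/0/24
 100    0011.2233.4522    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 8
"""

# Constructed syslog lines in the style of Cisco IOS BPDU Guard / err-disable messages.
SYSLOG = """\
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/5 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
"""

# One data row: VLAN, dotted-hex MAC, type, port. Header/footer lines do not match.
MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+\S+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: {vlan: set(macs)}} parsed from the MAC table dump."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            table[m["port"]][int(m["vlan"])].add(m["mac"].lower())
    return table


def suspected_switch_ports(text, uplinks=(), max_per_vlan=1):
    """Ports (known uplinks excluded) where some VLAN learned more MACs than expected.

    Returns a sorted list of (port, total_mac_count). A single PC behind a phone
    yields one MAC in the data VLAN and one in the voice VLAN, so it is not flagged;
    several hosts in the same VLAN on one port suggests a hub or unmanaged switch.
    """
    hits = []
    for port, vlans in parse_mac_table(text).items():
        if port in uplinks:
            continue
        if any(len(macs) > max_per_vlan for macs in vlans.values()):
            hits.append((port, sum(len(macs) for macs in vlans.values())))
    return sorted(hits)


# Either the SPANTREE block message or the PM err-disable message names the port.
BPDUGUARD = re.compile(
    r"BLOCK_BPDUGUARD: Received BPDU on port (\S+)|bpduguard error detected on (\S+),"
)


def bpduguard_events(text):
    """Sorted list of ports that BPDU Guard reported as err-disabled in the log."""
    ports = set()
    for line in text.splitlines():
        m = BPDUGUARD.search(line)
        if m:
            ports.add(m.group(1) or m.group(2))
    return sorted(ports)


if __name__ == "__main__":
    for port, count in suspected_switch_ports(MAC_TABLE, uplinks={"Gi1/0/24"}):
        print(f"{port}: {count} MACs learned, possible unmanaged switch")
    for port in bpduguard_events(SYSLOG):
        print(f"{port}: err-disabled by BPDU Guard")
```

Feed it the real output of "show mac address-table" and the switch's syslog, and pass the trunk/uplink ports in `uplinks` so that a legitimate trunk carrying many VLANs is not reported. A port flagged here but absent from the BPDU Guard log is the interesting case for the question: an unmanaged switch that sends no BPDUs at all, which only the MAC-count check will catch.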