Span Guard Extreme Network

We will talk about how to close a security vulnerability in network systems by taking Span Guard measures on Extreme Network switches. This vulnerability is a problem that many IT experts and network administrators face.
It is considered a backdoor that opens the network to insecure environments when a device that does not belong to the network topology, such as a modem, access point, hub or switch, is installed. This vulnerability can occur frequently, for malicious or innocent reasons.
Extreme Network Port Security
It is possible to avoid this vulnerability with a few very simple measures on Extreme Network switches. The topology that triggers this vulnerability is more or less as follows.
You can see a hub and a switch added to this topology. We will prevent the vulnerability with the “Span Guard” configuration.
When a switch or another device that can distribute the network is installed without your knowledge, the Span Guard service will disable that interface.
In addition to the Span Guard configuration, the MacLock feature can also provide a solution. The MacLock command determines how many different MAC addresses may communicate over the interface. It can take values between 1 and 4000.
Extreme Switch Span Guard Configuration:
set spantree adminedge ge.1.1-21 true
set spantree spanguard enable
This prevents the installation of a device without your knowledge. The ports become edge ports and communicate only with Ethernet interfaces. This way you block all non-Ethernet devices.
Attention: Uplink Interface
Finally, do not forget to exclude the uplink interface ports when running the spantree command. If you apply the spantree and Span Guard settings to the uplink interface, communication with the farm switch will stop completely.
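A pre-deployment check for the uplink caveat above, as an added example that is not part of the original page: it expands the adminedge port-string from a saved command list and reports any uplink port that would become a Span Guard edge port. The uplink ports ge.1.23-24 and the second sample config are constructed for illustration, and the parser handles only the port-string form shown on this page.

```python
import re

# Only the port-string form shown on the page: type.slot.port or type.slot.first-last
PORT_RE = re.compile(r"^([a-z]+)\.(\d+)\.(\d+)(?:-(\d+))?$")
EDGE_RE = re.compile(r"^set\s+spantree\s+adminedge\s+(\S+)\s+(true|false)$", re.I)
GUARD_RE = re.compile(r"^set\s+spantree\s+spanguard\s+(enable|disable)$", re.I)

# Constructed inputs: the page's two commands, and a variant that also covers
# ports ge.1.23-24, which this example assumes are the uplinks.
PAGE_CONFIG = "set spantree adminedge ge.1.1-21 true\nset spantree spanguard enable\n"
BAD_CONFIG = "set spantree adminedge ge.1.1-24 true\nset spantree spanguard enable\n"
UPLINKS = ["ge.1.23-24"]  # hypothetical uplink ports


def expand_ports(port_string):
    """Expand 'ge.1.1-21' into the set {'ge.1.1', ..., 'ge.1.21'}."""
    m = PORT_RE.match(port_string.strip().lower())
    if not m:
        raise ValueError(f"unsupported port-string: {port_string!r}")
    kind, slot, first = m.group(1), m.group(2), int(m.group(3))
    last = int(m.group(4)) if m.group(4) else first
    if last < first:
        raise ValueError(f"descending range in {port_string!r}")
    return {f"{kind}.{slot}.{n}" for n in range(first, last + 1)}


def audit(config_text, uplinks):
    """Return (spanguard_enabled, edge_ports, uplinks_at_risk) for a config."""
    edge, spanguard = set(), False
    for line in config_text.splitlines():
        line = line.strip()
        if m := EDGE_RE.match(line):
            ports = expand_ports(m.group(1))
            # Assumption: commands apply in order, so a later line overrides an earlier one
            edge = edge | ports if m.group(2).lower() == "true" else edge - ports
        elif m := GUARD_RE.match(line):
            spanguard = m.group(1).lower() == "enable"
    uplink_ports = set().union(*(expand_ports(u) for u in uplinks))
    # An uplink is at risk only when it is an edge port AND Span Guard is on
    at_risk = sorted(edge & uplink_ports) if spanguard else []
    return spanguard, edge, at_risk


if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("bad config", BAD_CONFIG)):
        enabled, edge, at_risk = audit(cfg, UPLINKS)
        print(f"{name}: spanguard={enabled} edge_ports={len(edge)} uplinks_at_risk={at_risk}")
```

An empty at-risk list for the page's own commands confirms that the range ge.1.1-21 leaves the assumed uplinks untouched.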