Prevent rogue switch in the network?

g.ska
Level 1

Hello everybody,

My question today:

Is there a way to authenticate a switch in the network? I'm looking for a solution to prevent a rogue access switch. Is it possible to authenticate the switch itself? Via Cisco ISE, or other solutions?

For example:

If someone wants to connect a rogue access switch to the network in place of a "valid corporate switch" installed by the IT team, I'd like the "upstream switch" to automatically shut down the port. (I'm not talking about BPDU Guard, because in this case it will not solve this kind of problem.)

Do you have any idea how to achieve this?

Thanks,

Greg.

2 Replies

Milos Megis
Level 3

Hello,
Here is a draft that could solve your problem, but I have never implemented it.

Use dot1x authentication on the switchport together with dynamic VLAN assignment.
The switchport will then sit in an isolated VLAN that has no routing to other parts of your network, and the user must log in to move the port to a specific VLAN.
So if a user connects a switch, it will be in the isolated VLAN (from where he can get nowhere, so it is no danger to your network), and when he wants to work he must log in, and then you have identified who is on that port.

Of course, this assumes that nobody except IT staff has access to the racks with your switches.

Maybe there is a better solution. Try waiting for other forum members; maybe they will advise something better.

One more solution: port security with only one MAC address allowed on the port. So even if somebody connects his own switch, only one MAC address is allowed on your switch, so he could use only one port of his own switch.

For your first suggestion, there is a dedicated feature for that: NEAT (Network Edge Authentication Topology) authenticates a device connected to the access port with 802.1X. If it is a corporate switch, then a special config is applied to make that switch behave as expected. If it's a "normal" user/device, the port is configured for that role. For an unknown switch, the behavior depends on whether that device can pass EAPoL frames.
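As an added illustration of the NEAT setup described in this reply (constructed example, not configuration posted by either participant), here is a minimal authenticator/supplicant pair. Interface names, the RADIUS server address, the VLAN number and the credential name are assumptions; passwords and the shared secret are placeholders. It assumes ISE returns the Cisco-AVPair `device-traffic-class=switch` in the authorization profile for the corporate switch identity, which is what lets CISP turn the port into a trunk after the supplicant switch authenticates.

```cisco
! ===== Upstream (authenticator) switch =====
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! ISE as RADIUS server (address and secret are constructed placeholders)
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
dot1x system-auth-control
! CISP lets the authenticator learn MACs behind the supplicant switch
cisp enable
!
interface GigabitEthernet1/0/1
 description downlink to corporate edge switch (must authenticate)
 switchport mode access
 ! VLAN used only after successful authorization; before that the port
 ! forwards nothing except EAPoL/CDP/STP, so an unknown switch gets no access
 switchport access vlan 10
 authentication port-control auto
 ! a second MAC seen on a port in single-host mode err-disables the port
 authentication violation shutdown
 dot1x pae authenticator
 spanning-tree portfast

! ===== Corporate edge (supplicant) switch =====
cisp enable
! identity the edge switch presents to ISE; password is a placeholder
dot1x credentials EDGE-SW1
 username edge-sw1
 password 0 <credential-placeholder>
! send EAPoL to the multicast address so the authenticator always sees it
dot1x supplicant force-multicast
!
interface GigabitEthernet1/0/24
 description uplink to upstream authenticator switch
 ! encapsulation line is only needed on platforms that still support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials EDGE-SW1
```

After the supplicant authenticates, `show authentication sessions interface GigabitEthernet1/0/1` on the upstream switch should show the session as authorized; a switch that is not a configured supplicant stays unauthorized on that port, and if it never sends EAPoL the port simply forwards no user traffic.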