Rogue Hub/Switch blocking?

brett1042002
Level 1

Hello,

I've noticed MAC addresses of 0000.0000.0000 on some of our switch ports in a particular building. It turns out some end-users were plugging personal/unauthorized hubs and/or cheap 5-port switches into our network on those interfaces. We manually disabled the ports, and sure enough the end-users called the helpdesk informing us they had lost network connectivity.

Portfast and BPDU guard are enabled on all edge devices. However, since these are cheap hubs and switches, I don't think they are even doing STP. So having BPDU guard err-disable the port isn't our fix.

So, is there another way to block these devices? ACL? MAC filtering? Can you just block MAC 0000.0000.0000? Maybe someone can explain what MAC 0000.0000.0000 means?

I'm aware of port security, and that is in the works currently, but was hoping for a quick fix in the meantime.

Thanks!

-Brett

Accepted Solution

Tom Watts
VIP Alumni

Depending on what kind of switch you have, you may have dynamic ARP inspection, where you register only trusted MACs in the switch database and the switch will discard any other MAC connecting. Port security is another option: allow a max of 1 MAC on the port, but the problem will persist that if you connect a hub + computers, the port will get shut down and you have to reactivate the suspended port each time.

Here is also a good post to review for an ACL:

https://supportforums.cisco.com/message/3727181#3727181

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
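As an added example (not from this thread or from Tom's post), here is a port-security configuration for the kind of edge ports Brett describes; the interface range and description are placeholders. It caps each port at one sticky MAC and uses violation restrict, so frames from the extra hosts behind a hub are dropped while the port itself stays up, which avoids the manual re-enable Tom mentions; errdisable recovery is included for any port that still uses the shutdown mode.

```cisco
! Added example, not from the thread. Interface range is a placeholder.
! Global: if any port still uses "violation shutdown", let it recover on its
! own after 5 minutes instead of waiting for a helpdesk ticket.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 24
 description user edge port (placeholder)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! One MAC per port; learn it once and keep it in the running config.
 ! Save with "write memory" so sticky addresses survive a reload.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! restrict: drop frames from any other source MAC, increment the violation
 ! counter and send a syslog/SNMP trap, but leave the port up. The first host
 ! behind a hub keeps working; every additional host is silently dropped.
 switchport port-security violation restrict
 ! Use "switchport port-security violation shutdown" instead if the port
 ! itself should go err-disabled (then the recovery timer above applies).
!
! Verify from exec mode:
!   show port-security interface GigabitEthernet1/0/1
!   show port-security address
!   show mac address-table interface GigabitEthernet1/0/1
```

The violation counter and the secure MAC table are what to watch for a hub that has been plugged in: one sticky address, a rising violation count, and no err-disabled port.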


Ah, I will look into dynamic arp inspection.  Thanks!

Yea, we are currently testing/implementing port security, sticky MAC, and 802.1x for workstation authentication. 

Tom,

I was reading that link on class-maps.  Does that only apply to individual interfaces on the switch?  Would a class-map work in my scenario?

class-map MACDENIED
 match source-address mac xxxx.xxxx.xxxx
!
policy-map MACDENIED
 class MACDENIED
  drop
!
interface x/x
 service-policy input MACDENIED