HUB Detection on a Cisco LAN

fabiogalini
Level 1

Hello Folks,

I've been challenged by several unauthorized HUBs (or SOHO switches) connected to our LAN. Besides the threat of an L2 loop in the environment, that issue also involves a financial matter for my company, since all the billing process is based on switchport utilization. So the more non-compliant devices I have connected to the network, the less $$$ we can charge the customer.

Already tried 2 features to fix the issue: Port Security and PortFast BPDU Guard. Neither of them has proven a good solution for me. Issues below:

Port Security: Administrative overhead.

BPDU Guard: HUBs don't send BPDUs. Tried some tests with a few models of SOHO switches (3com, Linksys, Encore, etc.) and I also didn't see any BPDU packets coming to my Cisco gear (debug spanning-tree bpdu receive).

Do you people have any recommendations for a good approach on this?

Thanks.

Accepted Solution

Gregory Snipes
Level 4

I used to use port security for this exact purpose. Here is what you do:

Global:

errdisable recovery cause psecure-violation

errdisable recovery interval 30

On the interfaces:

! port security only applies to a statically configured access (or trunk) port
switchport mode access

! the feature must be enabled explicitly; the per-port options below do nothing without it
switchport port-security

! aging type inactivity only takes effect with a non-zero aging time (default 0 = aging disabled); 10 minutes is an example value
switchport port-security aging time 10

switchport port-security aging type inactivity

switchport port-security violation shutdown

switchport port-security maximum 1

This will cause any port with a hub on it (and more than one device connected) to errdisable, then every 30 seconds the port will try to re-enable itself automatically. If the hub is still there, it goes back down; if not, it is back online. Also, the "aging type inactivity" will mean that if people unplug their equipment and move, you will not have to manually intervene.

I used this configuration for years. It was very effective and even on a 10,000-user LAN needed surprisingly little manual administration. People will call you and tell you where the hubs are because they are not working.



Richard Burts
Hall of Fame

My recommendation is that the optimum solution is port security. It is designed and intended to limit the number of MAC addresses on an interface and it seems to me that this is exactly what you need.

HTH

Rick

I agree with Rick. I see no way around this besides Port Security.

Gregory Snipes
Level 4


Oh, also you should use BPDU guard as well, in case you get some smart guy who thinks he is going to get twice as much Internets if he plugs his computer into a hub and plugs the hub into two LAN drops.
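The port-security approach above makes the switch enforce "one MAC per access port" and shut the port when a second one shows up. Before turning that on across a large LAN, it is useful to find the hubs first from data the switches already have, so the enforcement does not surprise users. The script below is an added example, not from the thread or from Cisco: it parses the text of `show mac address-table dynamic` (the sample output is constructed, not captured from a real device), counts dynamically learned MACs per port, and reports access ports with more than one MAC, which is the same condition `switchport port-security maximum 1` would trip on. The uplink allowlist `UPLINK_PORTS` and the port names are assumptions for the example.

```python
"""Hub / SOHO-switch detection from a Catalyst MAC address table.

Added example, not from the original thread. Parses the text of
`show mac address-table dynamic`, groups learned MACs by port, and
flags non-uplink ports that learned more than one MAC, the same
condition `switchport port-security maximum 1` enforces on the switch.
"""
import re
from collections import defaultdict

# Constructed sample output in the usual Catalyst layout
# (Vlan, Mac Address, Type, Ports). Not captured from a real device.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/2
  10    0011.2233.4457    DYNAMIC     Gi1/0/2
  10    0011.2233.4458    DYNAMIC     Gi1/0/2
  20    0011.2233.4459    DYNAMIC     Gi1/0/3
  10    aabb.ccdd.0001    DYNAMIC     Gi1/0/48
  20    aabb.ccdd.0002    DYNAMIC     Gi1/0/48
  20    aabb.ccdd.0003    DYNAMIC     Po1
Total Mac Addresses for this criterion: 8
"""

# Ports that legitimately carry many MACs (uplinks, port-channels).
# Hypothetical names chosen for this example; fill in from your topology.
UPLINK_PORTS = {"Gi1/0/48", "Po1"}

# One table row: VLAN, dotted-quad MAC, entry type, port name.
MAC_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: set of MACs} for dynamically learned entries.

    Header, separator and "Total ..." lines do not match the row
    pattern and are skipped; static entries are ignored on purpose,
    since only learned addresses say what is actually plugged in.
    """
    macs_per_port = defaultdict(set)
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if not m or m.group("type").upper() != "DYNAMIC":
            continue
        macs_per_port[m.group("port")].add(m.group("mac").lower())
    return dict(macs_per_port)


def suspect_ports(macs_per_port, uplinks=UPLINK_PORTS, max_macs=1):
    """Sorted (port, mac_count) for non-uplink ports over the MAC limit.

    Caveat shared with port security: a hub with a single host behind
    it is invisible here, because one MAC is all the switch ever sees.
    """
    return sorted(
        (port, len(macs))
        for port, macs in macs_per_port.items()
        if port not in uplinks and len(macs) > max_macs
    )


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, count in suspect_ports(table):
        print(f"{port}: {count} MACs learned, possible hub or SOHO switch")
```

Run it against the saved output of `show mac address-table dynamic` from each access switch; every port it lists is one that `switchport port-security maximum 1` with `violation shutdown` would errdisable as soon as the second host talks, so the list is also a preview of which users will be calling once the configuration from the accepted answer goes live.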
