locate unmanaged switch

rajibchicago
Level 1

I've been tasked with locating unmanaged switches in our LAN. Our managed switches are 2950s and 2960s. Is there any way to locate those unmanaged switches other than by physically looking? :)

Accepted Solution

forumhealth
Level 1

One way is to list the MAC address table on the managed switches and look for ports with multiple MAC addresses which are not links to other known switches. Then, using ARP lookup and ping -a, you can find the IP addresses/DNS names of the hosts connected to the unmanaged switches. If you have CiscoWorks, this is almost trivial with User Tracking. If you don't, there are switchport mapping utilities available, some free, which help automate the lookup process.

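
The first step of the accepted answer, grouping the learned MAC addresses per port and setting aside the known uplinks, is easy to script once you have the output of show mac address-table. The following is an added example written for this thread, not code from the original poster or from Cisco; the table text is constructed to match the 2950/2960 column layout, and the set of known uplinks (the ports you already know lead to other switches, e.g. from show cdp neighbors or show int trunk) is passed in by hand.

```python
import re
from collections import defaultdict

# Constructed sample of "show mac address-table dynamic" output in the
# 2950/2960 column layout (Vlan / Mac Address / Type / Ports). Not real data.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/5
  10    0011.2233.4466    DYNAMIC     Gi0/5
  10    0011.2233.4477    DYNAMIC     Gi0/5
  10    0011.2233.5511    DYNAMIC     Gi0/6
  20    0011.2233.6622    DYNAMIC     Gi0/24
  20    0011.2233.6633    DYNAMIC     Gi0/24
  20    0011.2233.6644    DYNAMIC     Gi0/24
Total Mac Addresses for this criterion: 7
"""

# One data row: VLAN, dotted-hex MAC, entry type, port. Header, separator and
# the trailing "Total ..." line do not match and are skipped.
MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>\S+)\s+"
    r"(?P<port>\S+)\s*$"
)


def parse_mac_table(text):
    """Return {port: sorted list of MACs} from show mac address-table output."""
    per_port = defaultdict(set)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            per_port[m.group("port")].add(m.group("mac").lower())
    return {port: sorted(macs) for port, macs in per_port.items()}


def suspect_ports(text, known_uplinks, max_macs=1):
    """Ports learning more than max_macs addresses that are not known uplinks.

    A hit is a candidate, not proof: a host running a bridged VM or doing
    proxy ARP also shows several MACs on one port, so verify before acting.
    """
    return {
        port: macs
        for port, macs in parse_mac_table(text).items()
        if port not in known_uplinks and len(macs) > max_macs
    }


if __name__ == "__main__":
    # Gi0/24 is the uplink to the core in the constructed sample.
    for port, macs in sorted(suspect_ports(SAMPLE_MAC_TABLE, {"Gi0/24"}).items()):
        print(f"{port}: {len(macs)} MACs -> {', '.join(macs)}")
```

Run against the sample, only Gi0/5 is reported; Gi0/24 carries several MACs too but is excluded as a known uplink. Feeding the reported MACs into the ARP table and reverse DNS, as the answer describes, then tells you which users sit behind the suspect port.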

12 Replies

Leo Laohoo
Hall of Fame

If you've tried all methods, shut down the port where the unmanaged switch is connected to your 2950/2960 and wait for the calls to come in.

:/

Haha! That's about it too =))

Leo Laohoo
Hall of Fame

Thanks for the rating.

Giuseppe Larosa
Hall of Fame

Hello Rajib,

use

spanning-tree bpduguard enable

on all user ports (don't use it on ports to other legitimate switches).

As soon as BPDUs sent by unmanaged switches are detected on a port, the port will be put in err-disable.

From sh log on the devices you can find out where the unmanaged switches are connected.

This is the long-term solution to make people stop adding unmanaged switches to the network.

We use it and it is effective. It doesn't work with hubs because they don't send STP BPDUs, but it also helps if users playing with cables connect two switch ports together (this can happen too...).

Advise users that they will not be able to connect unmanaged switches to the network.

Hope to help

Giuseppe
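
Once BPDU guard is on the user ports, the switch log is the list of places an STP-speaking device was plugged in. The script below is an added example for this thread (not code from Giuseppe or from Cisco) that pulls the err-disabled ports out of show logging text. The log lines are constructed to follow the IOS %SPANTREE-2-BLOCK_BPDUGUARD and %PM-4-ERR_DISABLE message formats; the two messages name the port differently (long and abbreviated interface names), so the script normalises both to the short form.

```python
import re

# Constructed sample in the shape of IOS "show logging" output: BPDU guard
# firing on two ports and a port-security violation on a third. Not real data.
SAMPLE_LOG = """\
Mar  1 09:12:34.567: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/5 with BPDU Guard enabled. Disabling port.
Mar  1 09:12:34.571: %PM-4-ERR_DISABLE: bpduguard error detected on Gi0/5, putting Gi0/5 in err-disable state
Mar  1 09:12:35.580: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to down
Mar  1 10:03:11.120: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
Mar  1 11:47:02.009: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet0/17 with BPDU Guard enabled. Disabling port.
"""

# Timestamp, err-disable cause, and the interface it was applied to.
ERR_DISABLE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %PM-4-ERR_DISABLE: "
    r"(?P<cause>\S+) error detected on (?P<intf>\S+),"
)

# The spanning-tree message that precedes the err-disable, with the long name.
BLOCK_BPDUGUARD = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<intf>\S+) with BPDU Guard enabled"
)

LONG_NAMES = {"GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def short_intf(name):
    """Normalise 'GigabitEthernet0/5' to the 'Gi0/5' form used in other output."""
    for long, short in LONG_NAMES.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def errdisable_events(log_text):
    """Every err-disable event as (timestamp, interface, cause), in log order."""
    events = []
    for line in log_text.splitlines():
        m = ERR_DISABLE.match(line)
        if m:
            events.append((m.group("ts"), short_intf(m.group("intf")), m.group("cause")))
    return events


def bpduguard_ports(log_text):
    """Sorted, de-duplicated ports that BPDU guard shut: each had something
    speaking STP behind it, i.e. a candidate unmanaged switch."""
    ports = {intf for _, intf, cause in errdisable_events(log_text) if cause == "bpduguard"}
    for line in log_text.splitlines():
        m = BLOCK_BPDUGUARD.search(line)
        if m:
            ports.add(short_intf(m.group("intf")))
    return sorted(ports)


if __name__ == "__main__":
    print("BPDU guard hits:", ", ".join(bpduguard_ports(SAMPLE_LOG)))
    for ts, intf, cause in errdisable_events(SAMPLE_LOG):
        print(f"{ts}  {intf:<8} {cause}")
```

Gi0/5 appears in both message forms and is reported once; Gi0/17 is found from the SPANTREE message alone. The port-security violation on Fa0/3 is kept in the event list but not counted as a BPDU guard hit, which matters once port security (discussed further down the thread) is also shutting ports.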

Assuming the unmanaged switch is running STP, there's a very easy way:

#show spanning-tree vlan 1-4094 | inc STP

Boom! There's your list of ports running STP.

Alternately, you could also run "debug spanning-tree bpdu receive" and see which ports are receiving BPDUs.

Also is the unmanaged switch doing trunking? Use the "show int trunk" to find your active trunk ports.

Not sure if the unmanaged switches / hubs (D-Link, Netgear, no-name brands) for home users run STP or send BPDUs.

I've been doing switchport mapping and finding some ports with a lot of MAC addresses, and in most cases those ports turn out to be connected to a D-Link, Netgear or $10 no-name switch (the worst). I sometimes wonder what people were thinking.

I want to thank you all for your help.

Hello Rajib,

Users don't realize the dangers of connecting these consumer switches. They may need additional switch ports, but instead of asking the IT group they put in these devices.

We have seen that D-Link and other consumer devices send BPDUs, and for this reason STP BPDU guard is effective.

Hope to help

Giuseppe

paul.matthews
Level 5

Another vote here for BPDU guard. I'll add another suggestion that goes a little further. BPDU guard will only find switches. Just as important is locating unauthorised hubs. The suggestion of tracking MAC addresses is good, but it can be a little tedious if you do not have nice management tools.

Configuring port security will get the users to tell you. On all user ports enable port security and allow only one MAC address.

switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security aging time 15

will restrict the port to one MAC address and clear the table 15 minutes after the last packet. That will be minimal work for you, but you should get a few calls of "My PC does not work", which will tell you of a hub. If you want to be more aggressive, violation shutdown will take anything connected to the port offline!

One note - just because more than one MAC address is seen on a port doesn't necessarily mean a hub or switch is attached. The host might be doing proxy ARP, for example running VMware with a bridged host.

For this reason, I prefer to use bpdufilter or bpduguard along with rootguard.

As always, consider the options and take the one that's best for your environment.

Indeed - this is where knowing your user base is good; however, I would suspect the use of VMware or similar in an average office is low.

One could always set the max addresses high on a port to begin with - say 16.

Is there any way to configure switchport port-security in an automated way? I don't think it is efficient to configure 300 switches manually. So I am looking for an intelligent solution to configure all switches with port security, excluding switch ports that are connected to other switches or Cisco access points. I have not used CiscoWorks, but I think we may have a license for CiscoWorks (purchased by someone else; I was not involved in that project). Any other recommendations?
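
The part of that automation question that is not tool-specific is deciding which ports to leave alone: anything with a switch or access point behind it must not get a one-MAC limit or BPDU guard. The script below is an added example for this thread, not code from paul.matthews, rajibchicago or Cisco. It reads show cdp neighbors text (a constructed sample here), treats ports whose neighbour advertises the Switch, Trans Bridge or Router capability as infrastructure, and renders paul.matthews' port-security lines plus Giuseppe's bpduguard line for every other port. The interface list, the capability set and the two output formats are assumptions; the rendered text is meant to be pushed by whatever configuration tool you already use.

```python
import re

# Constructed "show cdp neighbors" output from a 2960 edge switch (not real
# data). Capability codes as IOS prints them: S = Switch, T = Trans Bridge
# (how access points commonly appear), R = Router, H = Host, P = Phone.
SAMPLE_CDP = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW-CORE-1        Gig 0/24          163        S I         WS-C3750  Gig 1/0/1
AP-LOBBY         Gig 0/7           142        T           AIR-LAP1  Gig 0
"""

# One neighbour row: device, local interface ("Gig 0/7"), holdtime,
# capability letters, platform. Header and code legend lines do not match.
CDP_ROW = re.compile(
    r"^(?P<device>\S+)\s+"
    r"(?P<intf>[A-Za-z]+ \d\S*)\s+"
    r"(?P<hold>\d+)\s+"
    r"(?P<caps>(?:[A-Za-z] )*[A-Za-z])\s+"
    r"(?P<platform>\S+)"
)

# Neighbours whose port must keep a full MAC table and STP. Tunable assumption.
INFRA_CAPS = {"S", "T", "R"}

# Per-port template: paul.matthews' port-security lines plus Giuseppe's
# bpduguard. "switchport mode access" is included because IOS rejects
# port-security on a port still in dynamic (DTP) mode.
PORT_TEMPLATE = [
    "switchport mode access",
    "switchport port-security",
    "switchport port-security maximum {max_macs}",
    "switchport port-security violation restrict",
    "switchport port-security aging type inactivity",
    "switchport port-security aging time {aging_min}",
    "spanning-tree bpduguard enable",
]


def short_intf(cdp_name):
    """'Gig 0/7' -> 'Gi0/7', 'Fas 0/3' -> 'Fa0/3', to match interface names."""
    kind, rest = cdp_name.split(" ", 1)
    return kind[:2] + rest


def infrastructure_ports(cdp_text):
    """Local ports whose CDP neighbour advertises a capability in INFRA_CAPS."""
    ports = set()
    for line in cdp_text.splitlines():
        m = CDP_ROW.match(line)
        if m and set(m.group("caps").split()) & INFRA_CAPS:
            ports.add(short_intf(m.group("intf")))
    return ports


def build_config(all_ports, cdp_text, max_macs=1, aging_min=15):
    """Render the hardening template for every non-infrastructure port.

    Returns (config_text, sorted list of skipped ports) so the skip list can
    be reviewed before anything is pushed to the switch.
    """
    skip = infrastructure_ports(cdp_text)
    lines = []
    for port in all_ports:
        if port in skip:
            continue
        lines.append(f"interface {port}")
        lines.extend(" " + cmd.format(max_macs=max_macs, aging_min=aging_min)
                     for cmd in PORT_TEMPLATE)
        lines.append("!")
    return "\n".join(lines) + "\n", sorted(skip)


# Assumed edge-switch port list: a 24-port 2960.
ACCESS_PORTS = [f"Gi0/{n}" for n in range(1, 25)]

if __name__ == "__main__":
    config, skipped = build_config(ACCESS_PORTS, SAMPLE_CDP)
    print("skipped (infrastructure neighbours):", ", ".join(skipped))
    print(config)
```

On the sample, Gi0/24 (core switch) and Gi0/7 (access point) are skipped and the other 22 ports get the template. Review the skipped list per switch before pushing: a port whose neighbour does not run CDP will not be protected by this check, which is exactly the reason the thread recommends restrict rather than shutdown and a review of the first round of "my PC does not work" calls.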
