09-23-2009 05:21 AM - edited 03-06-2019 07:51 AM
I've been tasked with locating unmanaged switches in our LAN. Our managed switches are 2950 & 2960. Is there any way to locate those unmanaged switches other than physically looking? :)
09-23-2009 05:32 AM
One way is to list the MAC address table on the managed switches and look for ports with multiple MAC addresses which are not links to other known switches. Then, using ARP lookup and ping -a, you can find the IP addresses/DNS names of the hosts connected to the unmanaged switches. If you have CiscoWorks, this is almost trivial with User Tracking. If you don't, there are switchport mapping utilities available, some free, which help automate the lookup process.
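Added example (not part of the original thread, and not any poster's code): a script that automates the MAC-table/ARP correlation described in the answer above. It parses "show mac address-table" from an access switch, drops ports you already know are uplinks, flags any remaining port that has learned two or more MACs, and resolves each MAC to an IP via "show ip arp" from the L3 device. The switch output, the addresses and the KNOWN_UPLINKS set are constructed for the example; the DNS lookup that ping -a does is left out so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample output (not captured from a real switch) in the
# "show mac address-table" format of a 2950/2960.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4456    DYNAMIC     Fa0/5
  10    0011.2233.4457    DYNAMIC     Fa0/5
  10    0011.2233.4458    DYNAMIC     Fa0/5
  20    0011.2233.4459    DYNAMIC     Gi0/1
  20    0011.2233.445a    DYNAMIC     Gi0/1
  10    0011.2233.445b    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 8
"""

# Constructed "show ip arp" output from the L3 device serving these VLANs.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.11              3   0011.2233.4455  ARPA   Vlan10
Internet  10.1.10.31              0   0011.2233.4456  ARPA   Vlan10
Internet  10.1.10.32              2   0011.2233.4457  ARPA   Vlan10
Internet  10.1.20.1               -   0011.2233.445b  ARPA   Vlan20
"""

# Assumption for the example: ports that legitimately carry many MACs
# because they link to other managed switches.
KNOWN_UPLINKS = {"Gi0/1"}

MAC_ADDR = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# Only DYNAMIC rows matter; STATIC/CPU entries are the switch itself.
MAC_ROW = re.compile(r"^\s*\S+\s+(" + MAC_ADDR + r")\s+DYNAMIC\s+(\S+)\s*$", re.I)
ARP_ROW = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(" + MAC_ADDR + r")", re.I)


def macs_by_port(mac_table):
    """Map each port to the set of dynamically learned MACs seen on it."""
    ports = defaultdict(set)
    for line in mac_table.splitlines():
        m = MAC_ROW.match(line)
        if m:
            ports[m.group(2)].add(m.group(1).lower())
    return ports


def parse_arp(arp_table):
    """Map MAC -> IP from 'show ip arp' output."""
    arp = {}
    for line in arp_table.splitlines():
        m = ARP_ROW.match(line)
        if m:
            arp[m.group(2).lower()] = m.group(1)
    return arp


def suspect_ports(mac_table, arp_table, known_uplinks, threshold=2):
    """Ports with >= threshold MACs that are not known uplinks, with the IP
    each MAC resolves to (or a marker when the ARP table has no entry)."""
    arp = parse_arp(arp_table)
    suspects = {}
    for port, macs in macs_by_port(mac_table).items():
        if port in known_uplinks or len(macs) < threshold:
            continue
        suspects[port] = sorted((mac, arp.get(mac, "no ARP entry")) for mac in macs)
    return suspects


if __name__ == "__main__":
    for port, hosts in suspect_ports(MAC_TABLE, ARP_TABLE, KNOWN_UPLINKS).items():
        print(port)
        for mac, ip in hosts:
            print("   ", mac, ip)
```

With the constructed data only Fa0/5 is reported, since Gi0/1 is a declared uplink and Fa0/1 has a single host. The threshold parameter is there because a single port with two MACs can also be a host running a bridged VM; raising it to 3 or more (as a later reply in this thread suggests) trades some misses for fewer false alarms.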
09-23-2009 02:24 PM
If you've tried all methods, shut down the port where the unmanaged switch is connected to your 2950/2960 and wait for the calls to come in.
:/
04-13-2021 09:10 AM
Haha! That's about it too =))
09-23-2009 10:03 PM
Thanks for the rating.
09-23-2009 10:29 PM
Hello Rahijb,
use
spanning-tree bpduguard enable
on all user ports (don't use it on ports to other legitimate switches).
As soon as BPDUs sent by unmanaged switches are detected on a port, the port will be put in err-disable.
From sh log on the devices you can find out where the unmanaged switches are connected.
This is the long-term solution to make people stop adding unmanaged switches to the network.
We use it and it is effective. It doesn't work with hubs because they don't send STP BPDUs, but it also helps if users playing with cables connect two switch ports together (this can happen too...).
Advise users that they will not be able to connect unmanaged switches to the network.
Hope to help
Giuseppe
09-24-2009 12:26 AM
Assuming the unmanaged switch is running STP, there's a very easy way:
#show spanning-tree vlan 1-4094 | inc STP
Boom! There's your list of ports running STP.
Alternately, you could also run "debug spanning-tree bpdu receive" and see which ports are receiving BPDUs.
Also, is the unmanaged switch doing trunking? Use "show int trunk" to find your active trunk ports.
09-24-2009 04:06 PM
Not sure if the unmanaged switches / hubs (D-Link, Netgear, no-name brand) for home users run STP or send BPDUs.
I've been doing switchport mapping and finding some ports with a lot of MAC addresses; in most cases those ports turn out to be connected to a D-Link, Netgear or $10 no-name switch (the worst). I sometimes wonder what people were thinking.
I want to thank you all for your help.
09-24-2009 09:55 PM
Hello Rajib,
users don't realize the dangers of connecting these consumer switches. They may need additional switch ports, and instead of asking the IT group they put in these devices.
We have seen that D-Link and other consumer devices send BPDUs, and for this reason STP bpduguard is effective.
Hope to help
Giuseppe
09-24-2009 11:38 PM
Another vote here for BPDU-Guard. I'll add another suggestion that goes a little further. BPDU-Guard will only find switches. Just as important is locating unauthorised hubs. The suggestion of tracking MAC addresses is good, but can be a little tedious if you do not have nice management tools.
Configuring port security will get the users to tell you. On all user ports enable port security and allow only one MAC address.
switchport port-security
switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security aging type inactivity
switchport port-security aging time 15
will restrict the port to one MAC address and clear the table 15 minutes after the last packet. That will be minimal work for you, but you should get a few calls ("My PC does not work") which will tell you of a hub. If you want to be more aggressive, violation shutdown will take anything connected to the port offline!
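Added example (not from the original thread or any poster): a small parser that pulls the evidence both of the preceding suggestions rely on out of "show logging". Giuseppe's bpduguard approach produces %SPANTREE-2-BLOCK_BPDUGUARD messages naming the port that received a BPDU; the port-security approach above, with violation restrict, produces %PORT_SECURITY-2-PSECURE_VIOLATION messages naming the offending MAC and port. The script collects both per port and then applies one rule of thumb: a BPDU means a switch, two or more distinct offending MACs on a max-1 port means a hub or unmanaged switch, and a single extra MAC is more likely a host that was simply moved. The log lines below are constructed in those IOS message formats; the timestamps, ports and MACs are made up.

```python
import re

# Constructed "show logging" excerpt. The message bodies follow the IOS
# %SPANTREE-2-BLOCK_BPDUGUARD, %PM-4-ERR_DISABLE and
# %PORT_SECURITY-2-PSECURE_VIOLATION formats; the timestamps, ports and
# MAC addresses are invented for this example.
LOG = """\
Sep 24 08:13:21.456: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/12 with BPDU Guard enabled. Disabling port.
Sep 24 08:13:21.458: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/12, putting Fa0/12 in err-disable state
Sep 24 09:02:07.101: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4458 on port FastEthernet0/5.
Sep 24 09:02:09.330: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4459 on port FastEthernet0/5.
Sep 24 09:02:09.331: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4459 on port FastEthernet0/5.
Sep 24 09:15:44.002: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
Sep 24 09:40:12.777: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.44aa on port FastEthernet0/9.
"""

BPDUGUARD = re.compile(
    r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (\S+) with BPDU Guard enabled")
# 'restrict' logs one line per offending frame, so the same MAC repeats;
# the trailing period after the port name is stripped by the regex.
PSECURE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address ([0-9a-f.]+) on port (\S+?)\.?\s*$",
    re.I)


def collect_events(log_text):
    """Return {port: {"bpdu": bool, "macs": [distinct offending MACs]}} for
    every port that tripped bpduguard or port-security."""
    events = {}
    for line in log_text.splitlines():
        m = BPDUGUARD.search(line)
        if m:
            events.setdefault(m.group(1), {"bpdu": False, "macs": []})["bpdu"] = True
            continue
        m = PSECURE.search(line)
        if m:
            entry = events.setdefault(m.group(2), {"bpdu": False, "macs": []})
            mac = m.group(1).lower()
            if mac not in entry["macs"]:
                entry["macs"].append(mac)
    return events


def classify(events):
    """Turn the raw events into a verdict per port (see lead-in for the rule)."""
    verdicts = {}
    for port, e in events.items():
        if e["bpdu"]:
            verdicts[port] = "switch (BPDU received)"
        elif len(e["macs"]) >= 2:
            verdicts[port] = "hub or unmanaged switch (%d extra MACs)" % len(e["macs"])
        else:
            verdicts[port] = "single extra MAC, probably a moved host"
    return verdicts


if __name__ == "__main__":
    for port, verdict in sorted(classify(collect_events(LOG)).items()):
        print(port, "->", verdict)
```

Run against the constructed log this reports FastEthernet0/12 as a switch, FastEthernet0/5 as a hub or unmanaged switch (two distinct MACs), and FastEthernet0/9 as a probable host move. The %PM-4-ERR_DISABLE line is deliberately not parsed: it repeats the port already named by the SPANTREE message, in the short interface form.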
09-25-2009 12:52 PM
One note: just because there is more than one MAC address seen on a port doesn't necessarily mean a hub or switch is attached. The host might be doing proxy ARP, for example running VMware with a bridged host.
For this reason, I prefer to use bpdufilter or bpduguard along with rootguard.
As always, consider the options and take the one that's best for your environment.
09-28-2009 01:05 AM
Indeed - this is where knowing your user base is good, however I would suspect the use of VMWare or similar in an average office is low.
One could always set the max addresses high on a port to begin with - say 16.
11-10-2009 09:28 AM
Is there any way to configure switchport port-security in an automated way? I don't think it is efficient to configure 300 switches manually. So I am looking for an intelligent solution to configure all switches with port security, excluding switch ports that are connected to other switches or Cisco access points. I have not used CiscoWorks, but I think we may have a license for CiscoWorks (purchased by someone else; I was not involved in that project). Any other recommendation?
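Added example (not from the thread or any poster): one way to generate the per-port configuration from the earlier replies while skipping the ports the question above wants excluded. It parses "show cdp neighbors" and treats any port whose neighbour advertises the S (switch), R (router), T (trans bridge, which is how Cisco access points appear) or B capability as infrastructure, plus any port you list as an uplink by hand. Every other port gets the port-security lines from the earlier reply plus bpduguard. The CDP output and the interface list are constructed; the phone_max setting (a higher maximum on ports where CDP sees a phone, so the phone and the PC behind it fit) is an assumption of the example, not something the thread states. Pushing the result to 300 switches is left to whatever you already use for config deployment.

```python
import re

# Constructed "show cdp neighbors" output (not from a real switch); the
# column layout and capability codes follow the IOS format.
CDP = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
core-sw1         Gig 0/1           158           S I       WS-C3750  Gig 1/0/5
ap-floor2        Fas 0/24          140            T        AIR-AP1142 Gig 0
SEP001122334455  Fas 0/7           132           H P       CP-7962   Port 1
"""

# Constructed interface list for a 24-port switch with two uplink ports.
INTERFACES = ["Fa0/%d" % n for n in range(1, 25)] + ["Gi0/1", "Gi0/2"]

# One CDP row: device, "Gig 0/1" style local port, holdtime, capability
# codes separated by single spaces, platform, remote port id.
CDP_ROW = re.compile(
    r"^(\S+)\s+([A-Za-z]+)\s+(\S+)\s+\d+\s+([RTBSHIrPDCM](?:\s[RTBSHIrPDCM])*)\s+\S+\s+.+$")
# CDP prints "Fas 0/24"; the MAC table and interface commands use "Fa0/24".
SHORT = {"Fas": "Fa", "Gig": "Gi", "Ten": "Te", "Eth": "Et"}

# Per-port lines from the earlier reply, plus bpduguard from Giuseppe's.
USER_PORT_TEMPLATE = [
    "switchport port-security",
    "switchport port-security maximum {max}",
    "switchport port-security violation restrict",
    "switchport port-security aging type inactivity",
    "switchport port-security aging time 15",
    "spanning-tree bpduguard enable",
]


def cdp_neighbors(cdp_text):
    """Map local port (short name, e.g. Fa0/24) -> set of capability codes."""
    neighbors = {}
    for line in cdp_text.splitlines():
        m = CDP_ROW.match(line)
        if not m:
            continue
        port = SHORT.get(m.group(2), m.group(2)) + m.group(3)
        neighbors[port] = set(m.group(4).split())
    return neighbors


def generate_config(interfaces, cdp_text, extra_uplinks=(), phone_max=3):
    """Return (config_lines, skipped_ports). Ports facing a switch, router,
    bridge/AP (by CDP) or listed in extra_uplinks are skipped; ports with a
    CDP phone get phone_max (assumption: phone plus one PC behind it)."""
    neighbors = cdp_neighbors(cdp_text)
    skipped, lines = [], []
    for port in interfaces:
        caps = neighbors.get(port, set())
        if port in extra_uplinks or caps & {"S", "R", "T", "B"}:
            skipped.append(port)
            continue
        maximum = phone_max if "P" in caps else 1
        lines.append("interface " + port)
        lines.extend(" " + l.format(max=maximum) for l in USER_PORT_TEMPLATE)
    return lines, skipped


if __name__ == "__main__":
    config, skipped = generate_config(INTERFACES, CDP, extra_uplinks={"Gi0/2"})
    print("! skipped (infrastructure):", ", ".join(skipped))
    print("\n".join(config))
```

With the constructed data Gi0/1 (switch), Fa0/24 (access point) and the hand-listed Gi0/2 are left alone, Fa0/7 gets a maximum of 3 because a phone sits on it, and the other 22 ports get the max-1 configuration. A port with no CDP neighbour is treated as a user port, so a non-Cisco switch that does not speak CDP will not be excluded; that is intended, since those are exactly the ports the thread is trying to find.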