cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
2265
Views
0
Helpful
4
Replies
Nick Sophea
Beginner

Prevent Unwanted Device (Hub, Wireless Router) Connect To Cisco Switchport

Hi and good day,

Is anyone can guide me in how to prevent unwanted device (such as Hub, wireless router) from connect to the cisco switchport. Recently, I've found some user plugin their wireless router to our LAN port in office and because of that, the IP Address leased for client by DHCP server is almost full. Most of them are using two to three device connect to this wireless router. As for the security also this thing might caused a threat to our network infra. Currently we are using cisco catalyst 3750 for access switch (floor) and core switch 6513 as a backbone. Is anyone can help me solving this problem? Thank you in advance.

4 REPLIES 4
Reza Sharifi
Hall of Fame Expert

Hi Nick,

You can limit the number of MAC addresses that connect to each access port on the 3750 switches.

This way, only one device can connect to the network and if they plug a hub to the network, port security will shut down the port.

Here are the commands to use for each access port. This configuration assumes that PC/laptop direct connect to the network and there is no VoIP phones connected to the network. 

switchport port-security maximum 1
switchport port-security violation restrict
switchport port-security

If you have phones connected to the network you would need to change the first line to 2 as below:

switchport port-security maximum 2

HTH

Reza,

Can't you also use BPDU Guard? However I think that only fights against another switch being plugged in.

What Reza described is probably the easiest way to restrict the devices that can connect to your 3750.  A bit more stringent variation would be to use the sticky option (if supported).  This option remembers the 1st MAC seen and won't allow another until you reset the port.

From a security perspective, you generally want a method to authenticate the device connecting to the port, but this is complex to set up.

Hi Nick

You can always deploy the RADIUS server, for example ACS, Windows NPS, freeradius etc...

With Radius server you can authenticate users/devices by certficate, login and password, MAC address of device.

Remember that a untrusted device on your network can be a great threat to your company.

Regards