06-19-2017 07:29 PM - edited 03-08-2019 11:02 AM
Hi and good day,
Can anyone guide me on how to prevent unwanted devices (such as hubs or wireless routers) from connecting to Cisco switchports? Recently, I've found some users plugging their wireless routers into our LAN ports in the office, and because of that, the IP address pool leased to clients by the DHCP server is almost full. Most of them have two to three devices connected to this wireless router. Security-wise, this may also pose a threat to our network infrastructure. Currently we are using Cisco Catalyst 3750 access switches (per floor) and a Catalyst 6513 core switch as the backbone. Can anyone help me solve this problem? Thank you in advance.
06-19-2017 08:02 PM
Hi Nick,
You can limit the number of MAC addresses that connect to each access port on the 3750 switches.
This way, only one device can connect to the network, and if they plug a hub into the network, port security will shut down the port.
Here are the commands to use for each access port. This configuration assumes that PCs/laptops connect directly to the network and that there are no VoIP phones on the network.
! Port security is only accepted on a static access port, so set the mode first (interface number is a placeholder)
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security
If you have phones connected to the network, you would need to change the maximum to 2 as below:
 switchport port-security maximum 2
HTH
06-22-2017 10:45 AM
Reza,
Can't you also use BPDU Guard? However, I think that only fights against another switch being plugged in.
06-22-2017 11:42 AM
What Reza described is probably the easiest way to restrict the devices that can connect to your 3750. A slightly more stringent variation would be to use the sticky option (if supported). This option remembers the first MAC seen and won't allow another until you reset the port.
From a security perspective, you generally want a method to authenticate the device connecting to the port, but this is complex to set up.
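To tie together Reza's port-security commands, the sticky variation and the BPDU Guard question, here is an added Catalyst IOS configuration example (not taken from any post in this thread). Interface numbers, VLAN numbers and the recovery interval are placeholders; the violation mode is set to shutdown so that an unauthorised hub or router takes the port down and becomes visible in the err-disabled list rather than silently having its extra frames dropped.

```cisco
! Access port for a PC/laptop with no IP phone (interface and VLAN are placeholders)
interface GigabitEthernet1/0/10
 description User access port
 switchport mode access
 switchport access vlan 10
 ! Learn the first MAC seen and pin the port to it ("sticky" writes it into running-config;
 ! save with "write memory" if it should survive a reload)
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! Err-disable the port on a second MAC instead of quietly dropping its traffic
 switchport port-security violation shutdown
 ! Err-disable the port if anything that sends BPDUs (i.e. a switch) is plugged in
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Access port with an IP phone: two MACs (phone + PC), phone on the voice VLAN
interface GigabitEthernet1/0/11
 description User access port with IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: recover err-disabled ports automatically after 10 minutes so a desk visit is not required;
! leave this out if you prefer every incident to be cleared by hand
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
errdisable recovery interval 600
!
! Verification and detection (exec mode):
!   show port-security interface GigabitEthernet1/0/10   - status, violation count, last source MAC
!   show port-security address                           - all secure/sticky MACs per port
!   show interfaces status err-disabled                  - ports taken down by a violation or BPDU
!   show errdisable recovery                             - recovery causes and remaining timers
```

With violation mode restrict (as in Reza's post) the port stays up and the violation counter in "show port-security interface" is the only sign of an extra device, so check that counter if you keep restrict.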
06-23-2017 02:43 AM
Hi Nick
You can always deploy a RADIUS server, for example ACS, Windows NPS, FreeRADIUS, etc.
With a RADIUS server you can authenticate users/devices by certificate, login and password, or the MAC address of the device.
Remember that an untrusted device on your network can be a great threat to your company.
Regards