Hi all, I’ve recently started managing a network in a building that provides serviced offices, and our tenants pay for each port they use. However, our tenants often plug their own switches into our network to gain access to more ports, and connect APs so they do not have to pay to use our WiFi (which causes channel interference).
I have considered port security (allow a maximum of 2 MAC addresses per port - 1 for VOIP) and subnetting to reduce the amount of usable IP addresses. But this isn’t foolproof; for example, if a tenant installs a router using NAT, then unless I statically assign MAC addresses or use sticky MAC (which isn’t practical) they’ll get around the system.
Does anyone have any suggestions? I was looking at 802.1x but I think this will annoy tenants as they’ll need to authenticate every time they access the network. But my understanding of 802.1x is limited.
BPDU guard is your friend here for switches and hubs. When assigned to ports, it prevents any rogue hubs or switches by disabling the port when they are plugged into your switch. But for the WAPs and routers, you're right to use port security.
Along with the other suggestions, you may look into DHCP snooping with IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).
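The features suggested in the replies above, combined on one tenant-facing port, as an added example that is not part of any post in this thread. It assumes Cisco IOS syntax (the thread names no vendor); the VLAN IDs, interface names and rate limit are placeholders.

```cisco
! Added example: assumed Cisco IOS syntax, placeholder VLANs and interfaces.
! VLAN 10 = tenant data, VLAN 20 = voice (both assumed).
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
! Uplink toward the DHCP server: the only port trusted to send
! DHCP replies and exempt from ARP inspection.
interface GigabitEthernet1/0/48
 description UPLINK
 ip dhcp snooping trust
 ip arp inspection trust
!
! Tenant-facing access port (untrusted by default).
interface GigabitEthernet1/0/1
 description TENANT-PORT
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Port security: at most 2 MACs (one PC, one VoIP phone).
 ! "restrict" drops and logs frames from extra MACs without shutting the port.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! Age out idle MACs so a tenant can swap a PC without sticky/static entries.
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! BPDU guard: err-disables the port when a BPDU is received.
 ! It only trips on devices that send BPDUs; a switch that sends none
 ! is caught by the MAC limit above instead.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! IP Source Guard: only source IPs with a DHCP snooping binding may send.
 ! Statically addressed hosts need a manual binding or they are blocked.
 ip verify source
 ! Cap DHCP requests per second from this port.
 ip dhcp snooping limit rate 15
```

A NAT router presents a single MAC address and a single leased IP, so it still passes every check here, which is the gap the original poster describes.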