08-10-2018 09:48 AM - edited 03-08-2019 03:52 PM
Hi all, I’ve recently started managing a network for a building that provides serviced offices, and our tenants pay for each port they use. However, our tenants often plug their own switches into our network to gain access to more ports, and connect APs so they do not have to pay to use our WiFi (which causes channel interference).
I have considered port security (allow a maximum of 2 MAC addresses per port - 1 for VOIP) and subnetting to reduce the amount of usable IP addresses. But this isn’t foolproof; for example, if a tenant installs a router using NAT then unless I statically assign MAC addresses or use sticky MAC (which isn’t practical) they’ll get around the system.
Does anyone have any suggestions? I was looking at 802.1x but I think this will annoy tenants as they’ll need to authenticate every time they access the network. But my understanding of 802.1x is limited.
08-10-2018 10:51 AM - edited 08-10-2018 10:55 AM
BPDU guard is your friend here for switches and hubs. When assigned to ports it prevents any rogue hubs or switches by disabling the port when they are plugged into your switch. But for the WAPs and routers you're right to use port security.
08-10-2018 11:19 AM
A hub is a layer-1 device and so, it does not participate in STP nor does it send BPDU.
HTH
08-10-2018 11:28 AM
Ah yes, you are correct. My bad, that would also need port security.
08-10-2018 12:22 PM
Hello
Along with the other suggestions, you may look into DHCP snooping with IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).
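The suggestions in this thread combined into one Cisco IOS access-port configuration, as an added example that is not part of any poster's reply. The VLAN numbers (10 data, 20 voice) and interface names are assumptions; adjust them to the actual switch.

```cisco
! Added example. VLAN IDs and interface names are assumed values.
! Global: build the DHCP binding table that IPSG and DAI rely on.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
! Uplink toward the legitimate DHCP server: trusted for DHCP and ARP.
interface GigabitEthernet1/0/24
 description Uplink (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Tenant-facing access port.
interface GigabitEthernet1/0/1
 description Tenant port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Port security: at most 2 MACs (1 PC + 1 VoIP phone), as proposed above.
 switchport port-security
 switchport port-security maximum 2
 ! restrict = drop and log extra MACs; the default, shutdown, err-disables the port.
 switchport port-security violation restrict
 ! BPDU guard: err-disable the port if a tenant switch sends BPDUs.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! IP Source Guard: only forward traffic from addresses leased via DHCP snooping.
 ip verify source
```

As noted in the replies, a hub sends no BPDUs, so on this port the MAC limit is the control that catches it. A tenant router doing NAT still presents a single MAC address, which is the gap the original question describes.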