Preventing users connecting hub, switches routers, access points

RBeugnies
Level 1

Hi all, I’ve recently started managing a network in a building that provides serviced offices, and our tenants pay for each port they use. However, our tenants often plug their own switches into our network to gain access to more ports, and connect APs so they do not have to pay to use our WiFi (which causes channel interference).

I have considered port security (allow a maximum of 2 MAC addresses per port - 1 for VOIP) and subnetting to reduce the amount of usable IP addresses. But this isn’t foolproof; for example, if a tenant installs a router using NAT, then unless I statically assign MAC addresses or use sticky MAC (which isn’t practical) they’ll get around the system.

Does anyone have any suggestions? I was looking at 802.1x but I think this will annoy tenants as they’ll need to authenticate every time they access the network. But my understanding of 802.1x is limited.

4 Replies

tquick1018
Level 1

BPDU guard is your friend here for switches and hubs. When assigned to ports it prevents any rogue hubs or switches by disabling the port when they are plugged into your switch. But for the WAPs and routers you're right to use port security.

A hub is a layer-1 device and so, it does not participate in STP nor does it send BPDU.

HTH

Ah yes, you are correct. My bad, that would also need port security.

Hello

Along with the other suggestions, you may look into DHCP snooping with IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
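
The suggestions in this thread (port security with a two-MAC limit, BPDU guard, DHCP snooping, IP Source Guard and Dynamic ARP Inspection) combined into one Catalyst IOS access-port configuration; this is an added example, not posted by any participant. The VLAN IDs, interface names, descriptions and timer/rate values are assumptions.

```cisco
! Added example. VLANs 10 (data) and 20 (voice) and all interface
! names are assumptions; adjust to the real topology.
!
! Global: build the DHCP binding table that IPSG and DAI validate against.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
! Let ports shut down by BPDU guard recover on their own after 5 minutes.
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Uplink towards the DHCP server: trusted for DHCP replies and ARP.
interface GigabitEthernet1/0/48
 description Uplink (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Tenant-facing access port (untrusted by default for snooping and DAI).
interface GigabitEthernet1/0/1
 description Tenant port (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! At most 2 MACs, as proposed in the question: one PC plus one VoIP phone.
 ! This is the control that catches hubs and unmanaged switches, which
 ! never send BPDUs. "restrict" drops and logs the extra MACs.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! Err-disable the port if a device that speaks spanning tree is attached.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Drop IP traffic whose source address is not in the DHCP snooping table.
 ip verify source
 ! Cap DHCP packets per second accepted on this untrusted port.
 ip dhcp snooping limit rate 15
```

As the original poster notes, a tenant router doing NAT presents a single MAC address, so the MAC limit on its own does not reveal it.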