Hi Kabeer
The short answer is, you can't if the end user knows what they are doing.
You can make it harder to do by using a combination of the following configurations:
- Port Security - limit the MAC addresses on a single interface
- BPDU Guard - look for BPDU packets generated by switches
- Disable trunk negotiation (switchport access)
- Use Network Access Control (NAC) to only permit corporate devices. This won't work if they do manage to get a switch or hub on.
- Use other features within your infrastructure which require corporate certificates on all devices to connect
None of these methods are foolproof, but they will stop the casual connection of a switch. If you can limit the MAC addresses to 1 with port security, then even if a hub (or a switch that isn't running spanning-tree) is connected, the switch port will only permit 1 device to transmit. It gets harder if you need to permit IP phones, because you then need to support at least 2 MAC addresses.
The only real way is to implement DHCP Snooping and ARP Inspection on your devices and manually create a DHCP reserved entry for every permitted device. Don't allow any dynamic pool. Not nice!
Or create a policy that says that if anybody does it they will be fired immediately and without question, and hope this does the trick.
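As an added example (not part of the reply above), here is how the controls listed in that reply map onto Cisco IOS Catalyst configuration: port security with a MAC limit, BPDU Guard, trunk negotiation disabled, and DHCP Snooping with Dynamic ARP Inspection. The interface names and VLAN numbers are assumed, and the per-device DHCP reservations mentioned in the reply are configured on the DHCP server, not on the switch.

```cisco
! Global: DHCP Snooping and Dynamic ARP Inspection for the user VLANs.
! DAI checks ARP replies against the bindings DHCP Snooping has learned.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
! Let ports shut down by a violation recover automatically (default interval)
errdisable recovery cause psecure-violation
errdisable recovery cause bpduguard
!
! Ordinary user port: one PC and nothing else (assumed interface/VLAN numbers)
interface GigabitEthernet1/0/5
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
!
! Port with an IP phone: one MAC on the voice VLAN, one on the data VLAN
interface GigabitEthernet1/0/6
 description User access port with IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
!
! Uplink: the only port trusted to carry DHCP server replies and unchecked ARP
interface GigabitEthernet1/0/24
 description Uplink to distribution switch
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Checks after deployment:
!   show port-security interface GigabitEthernet1/0/5
!   show ip dhcp snooping binding
!   show ip arp inspection statistics vlan 10
```

A second device plugged in behind a hub on Gi1/0/5 trips the violation and the port goes err-disabled, which is the behaviour the reply describes; the `show` commands let you confirm which port and which MAC caused it.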