Re: Switching Issue

Mohamed Kabeer S · ‎10-10-2017

Dear Team,

I am kabeer working as a Network and Security Engineer, I have one quick question we have several warehouses and we have provided LAN and wireless connection to the users. In case if any of the users bring their own unmanaged switch and connected to my network to extend the connection to their personal devices. How we can detect these kind of activities? Please advice.

Regards,

Kabeer

lpassmore · ‎10-10-2017

Hi Kabeer

The short answer is, you can't if the end user knows what they are doing.

You can make it harder to do by using a combination of the following configurations:

Port Security - limit the MAC addresses on a single interface
BPDU Guard - look for BPDU packets generated by switches
Disable trunk negotiation (switchport access)
Use Network Access Control (NAC) to only permit corporate devices. This won't work if they do manage to get a switch or hub on.
Use other features within your infrastructure which require corporate certificates on all devices to connect

None of these methods are foolproof but they will stop the casual connection of a switch. If you can limit the MAC address to 1 by port-security, even if a hub (or switch that isn't running spanning-tree) is connected, the switch port will only permit 1 device to transmit. It gets harder if you need to permit IP phones because you need to support at least 2 MAC addresses.

The only real way is to implement DHCP Snooping and ARP Inspection on your devices and manually create a DHCP reserved entry for every permitted device. Don't allow any dynamic pool. Not nice!

Or create a policy that says if anybody does it they will be fired immediately and without question and hope this does the trick.