Blocking Downstream User Hubs/Switches

SKiTLz

2[H]4U
Joined
Aug 3, 2003
Messages
2,664
We use a couple of 2910al ProCurves for our core switching/routing then we have a few 2626 access switches.

Despite allocating adequate ports in our new building, I'm still having a problem with users plugging in shitty little D-Link 5 port hubs at their desk.

Looking for some suggestions on the best way to block this? I'm guessing I'm going to have to only allow the MACs of approved workstations? Which sounds like a management nightmare.
 

are they plugging in the little switches to add more devices like their own personal laptops and other devices ?
 
Port security. Lock them down to one mac address, sticky it and call it a day. Then set the violation policy to shutdown the port when the switch sees a second mac.

Had a couple cops shutdown half the ports in a PD over the weekend once. Was awesome.
 
Thanks for the suggestions.

I've never used port security. Is it a manually controlled MAC list? Or can you set it up to basically allow all current MACs then deny all future?
 
Just took a quick read of the HP documentation. Seems pretty simple.

I think the best bet for our environment will be to not maintain a MAC approved list but rather limit each workstation port to 1 mac address at a time. That way I don't have to manage the approved list and it will log an event/disable them if they attempt to throw a switch in for additional devices.
 
Have you tried telling them to stop? Do you have an ASU in place they have to sign?
 
If you can find out who it is just use that custom jobbie that made their webpages upside down or go to a donkey pr0n site.
 
You can do a manual list, but what I've generally done in the past is to allow the first MAC address I see, then disable the port on violation (i.e. more than that MAC address comes across). I believe it's called sticky-mac or something.

True, this does require admin intervention to re-enable the port and clear the error. But then the first MAC it sees after that it will remember. Pretty easy to maintain.
 
That is exactly what I did.. used learn-mode sticky for 1 MAC address.

First networking change I've made in a while that didn't take half the bloody day to implement. Nice change.
 
Can't argue with Cisco or HP switches, they are damn nice.
 
I really like that the CLI between them is relatively close too.. The only thing Cisco does that really pisses me off is have so many differences from their ASA syntax to IOS. Just baffles me why they do it.
 
Port security or NAC is the way to go, just be aware things like virtual machines etc. also set it off. (Thank god, ever seen a developer put a sniffer in your network that was misconfigured?!)
 
With Cisco, you can set port security to "restrict". This will simply drop the traffic that isn't authorized rather than disabling the port. I don't know if your HPs are capable of this setting.

Also, be aware that with sticky-mac, if the customer has access to the switch, all they have to do is reboot it for the switch to accept a new MAC unless you write the configuration after the first device was learned.
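The posts above describe three behaviours of a one-address port-security policy: the port going err-disabled when a second MAC shows up (shutdown action), the "restrict" action that only drops the unapproved frames, and sticky addresses being lost on a reboot unless the running config is saved. The following Python model, added here as an illustration and not code from the thread or from HP/Cisco, simulates those behaviours so you can see which frames get through in each case. The MAC addresses, port names and the `SecurePort` class are constructed; the Cisco IOS commands in the comments are the real equivalents, but the model is a simplification of what a switch does.

```python
"""Toy model of switch port security with a one-address limit, the shutdown
and restrict violation actions, and the 'sticky addresses do not survive a
reboot unless saved' caveat. Constructed illustration, not vendor code."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_addresses: int = 1          # switchport port-security maximum 1
    violation: str = "shutdown"     # switchport port-security violation shutdown|restrict
    sticky: bool = True             # switchport port-security mac-address sticky
    learned: set = field(default_factory=set)  # addresses allowed now (running-config)
    saved: set = field(default_factory=set)    # addresses in startup-config (survive reboot)
    err_disabled: bool = False
    violations: int = 0

    def ingress(self, mac: str) -> str:
        """Classify one inbound frame as 'forward', 'drop' or 'errdisable'."""
        mac = mac.lower()
        if self.err_disabled:
            return "errdisable"             # port stays down until an admin clears it
        if mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_addresses:
            self.learned.add(mac)           # first address seen wins and is pinned
            return "forward"
        # Limit already used by a different MAC: something is plugged in behind the port
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True        # the whole port goes down, approved PC included
            return "errdisable"
        return "drop"                       # restrict: only the unapproved frames are dropped

    def write_memory(self) -> None:
        """Equivalent of 'write memory' / 'copy running-config startup-config'."""
        self.saved = set(self.learned) if self.sticky else set()

    def reboot(self) -> None:
        """Power cycle: only addresses in the startup-config come back."""
        self.learned = set(self.saved)
        self.err_disabled = False
        self.violations = 0

    def clear_errdisable(self) -> None:
        """Admin 'shutdown' / 'no shutdown' on the interface; learned addresses stay."""
        self.err_disabled = False


PC = "00:11:22:33:44:55"      # constructed: the approved workstation
LAPTOP = "aa:bb:cc:dd:ee:01"  # constructed: a personal device behind a desk hub


def hub_behind_port(violation: str) -> list:
    """Approved PC talks, a second device appears through a hub, then the PC again."""
    port = SecurePort("1/12", violation=violation)
    return [port.ingress(m) for m in (PC, PC, LAPTOP, PC)]


def reboot_without_save() -> str:
    """Sticky learning alone does not survive a reboot; the next device is accepted."""
    port = SecurePort("1/13")
    port.ingress(PC)
    port.reboot()                # access switch is power-cycled before anyone saved
    return port.ingress(LAPTOP)


def reboot_after_save() -> str:
    """After saving, the learned address is restored and the new device violates."""
    port = SecurePort("1/13")
    port.ingress(PC)
    port.write_memory()
    port.reboot()
    return port.ingress(LAPTOP)


if __name__ == "__main__":
    print("shutdown action:", hub_behind_port("shutdown"))
    print("restrict action:", hub_behind_port("restrict"))
    print("reboot, unsaved:", reboot_without_save())
    print("reboot, saved:  ", reboot_after_save())
```

Two things the model makes visible: with the shutdown action the approved PC loses connectivity as well (the fourth frame is refused), which is what creates the help-desk ticket that tells you who plugged in a hub; and whichever device talks first gets pinned, so if a hub and a laptop are already attached when the port is first enabled, the "approved" address may not be the one you intended. Checking the learned addresses against the inventory once, then saving the configuration, closes both gaps.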
 
I pretend the ASAs don't exist. :D I'll use the ASDM when I work on mine, but other than that....

Switches and routers are the only thing from cisco I like, and I like HP switches better ( and they're cheaper ).
 