Guarding against rogue devices on network

My bad! We are fully a windows based environment. DC - Win2003svr / OS - WinXP.  

I was reading the cisco article on port security and it looks great.  I'm open to exploring that as one possibility.  The only potential drawback is that I would have to get a tally as to how many small standalone unmanaged switches are plugged up at folks desks.  

My organization has 3 floors in the building. The office internet gateway for all three levels resides on this 2nd floor. We're running on a T3 line plugged into a Cisco 2811 router.  This is connected to a Linksys SRW2048 (48 port) managed gigabit switch which is plugged into another Linksys SRW2048 switch. Static ips have been assigned to both of em to allow for access to web interface management console.  Altogether they are combined to control 96 nodes on 2nd floor.  One of the fiber ports on main switch connects the 3rd floor (2 Linksys switches up there) and another one connects the 9th floor (2 switches up there).  

 I will use our 2nd floor setup to illustrate what I mean when saying this could be a problem:

Each Linksys switch port is plugged into patch panel on wall which corresponds with either user desktop location or networked peripheral (printer/copier/scanner). Technically I know that I can control network traffic through either switch web interface (if ports are correctly labeled - which is another story in itself)  thereby disabling xyz port and in turn cutting off network access. The thing is that some folks have little 4/5/8port switches at their desks plugged into wall port allowing for multiple devices.  This was necessary because of various reasons: they use laptop and desktop; printer is close by and due to initial design flaw there weren't enough wall ports so was easier to plug up switch and have both desktop and printer share; etc.  

My confusion is based on this paragraph in cisco article -

"switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addressesone for each device. The maximum number of secure MAC addresses per port is 132."

If 17 users are printing to PRINTER A which is plugged into a small 5port gigabit switch  ...which is connected to network via wall (patch panel) port 3... which is connected to MAIN switch port 4 then how could I control the data flow through the standalone switches if multiple devices are using them?

I don't want to tell the Linksys switch to limit mac addresses and then get flooded with calls of "i can't print" or "why can't i connect?".  At the same time I still need to restrict outside access.  Big quandry right there. So while the article sounds like its headed in proper direction there is still uncertainty as to best way to do it.  This isn't the only thing consuming my thoughts either...

I still have to find the best way to create new dhcp ranges that would apply only to printers and desktops. Currently we have one dhcp server issuing ips in 192.168.xx.xx range but growing so fast that we need more.  My initial thought is to have devices (wireless routers, printers, etc)  subset maintain the 192.168.xx.xx range and change users over to 10.10.xx.xx range.  

Keep the ideas flowing! I'm really swamped and want to focus properly in order to do best possible job. Thanks a million!

You guys are doing your thing on here! Can't wait to test dhcploc and see how it goes.  I still need to create another 3 dhcp scopes for users and peripherals though. Ideas?

Fantastic!

Create clear and separate scopes, separated into different categories and sections.  For example, one scope for users, one scope for peripherals, etc.  In the end you want something where you can look at an IP address and go "That belongs to a user in this segment."  Also make sure to have addresses to spare to allow for expansion, so you don't have to remake the scopes every time a new workstation comes into play.

Maeros, do you know of a dhcp guide that can walk me through the setup? I'm positive that its not as complicated as I am mentally building it up ... but definitely feeling a bit of paranoia in setting this up. I don't want anyone to incur any downtime on account of my trial and error.  Thanx!

When considering expansion potential, take a look at what the plans are for the next year or so in terms of new employees and/or workstations, servers, devices, and so forth, and factor spare address space for them.  On top of that, add a few more spaces for breathing room.

Depending on how you have your private address space subnetted and the size/scale of your business, it is fairly common (and visually easy to work with) to divide space for workstations, network devices, and such on the third octet (x.x.X.x - first.second.THIRD.fourth).  As an example you may have 192.168.1.n for one office, 192.168.2.n for another office and so forth.  That way when you look at it you can go "The 1's are for head office clients, the 2's are for remote VPN users, etc.  There are many ways you can organize it (the example is just one basic example among many).  This all really depends on your topology, how things are laid out, how things current work, and so on.  Some like to have everything in one office, servers, network devices, and all under one range and other offices with their nodes under others... it's up to you.

Briancassin:  Unfortunately that url only details adding one basic scope. I need to know about creating a superscope  that would allow me to possibly create atleast 2 controllable ranges (users/devices).  Right now I'm only using one (192.168.xx.xx) and want to add another internet ready scope.  

I'm gonna give this a shot tomorrow in the office. Actually looking forward to going to work. Gonna hit the sack and report back tomorrow with update. Excellent!