How can I locate hubs and mini switches plugged into a Cisco switch

Posted on 2009-02-07
Last Modified: 2012-05-06
I have a midsized network with about 300 devices running on Cisco switches. I want to start using PortFast on all access ports, but there are numerous mini switches and hubs spread throughout the network. How can I find these devices without having to check every cubicle and office?

Any help would be very appreciated.
Question by:jdflory
    LVL 23

    Accepted Solution

    Specialized (very expensive) Ethernet analyzer tools may be able to help answer that, but unless you have a >$100k budget for this project, it's probably a lot less expensive to go check every cubicle and office.

    One thing you can do is go to your managed switches and use the "show mac-address-table" command and "show mac-address-table interface (INTERFACENAME)".

    Look at how many MAC addresses are attached to each port; if it's more than 1 then there is definitely some kind of switch.

    Now use "show cdp neighbors" and the "show spanning-tree" commands; assuming you run CDP on your Cisco switches, you should see which ports are actually your managed switches.

    The ports that don't have a Cisco switch on them but have multiple MAC addresses probably have one of those cheap 5-port switches attached.

    One evening, get an announcement out telling everyone to shut down their PCs when they go home, or remotely shut down all PCs using the "shutdown" commands.

    In any event, once all PCs are off, wait 5 minutes for the aging time, and start looking at interface stats for ports that are still up and MAC address tables for connected devices.

    If a port is still up, but no MAC addresses show up, then it's probably a cheap switch keeping the port up; go and verify.

    If a MAC address still shows up, then either it's someone who left their PC running, or it's some other device attached to a 5-port switch.

    If the interface was up in the morning, but went down after people were leaving, then it's probably the case that it was just a PC shutdown...

    (Although there is a small possibility some nut unplugs, powers off, or packs up their 5-port switch when they leave... perhaps they have it plugged into a power strip and turn off the power strip when you tell them to shut down... a reason why remote shutdown may be best.)
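The correlation the accepted answer describes (ports with several learned MACs, minus the ports that CDP shows as uplinks to managed Cisco switches) can be scripted over pasted CLI output. The block below is an added example, not code from the thread; the `show mac address-table` and `show cdp neighbors` text it parses is constructed in Cisco IOS layout, and the hostnames, ports and MAC addresses in it are made up. Remember from the author's later comment that IP phones with a PC behind them also produce two MACs per port, so the output is a list of ports to check, not proof of a hub.

```python
"""Flag access ports that learned more than one MAC and have no CDP neighbor.

Added example (not from the original thread).  Parses the text of
'show mac address-table' and 'show cdp neighbors' pasted from a Cisco IOS
switch and lists ports worth a physical visit.
"""
import re
from collections import defaultdict

# Constructed sample output in Cisco IOS layout; not captured from a real switch.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  10    0011.2233.4477    DYNAMIC     Fa0/2
  20    0011.2233.4488    DYNAMIC     Fa0/2
  10    00aa.bbcc.dd01    DYNAMIC     Gi0/1
  20    00aa.bbcc.dd02    DYNAMIC     Gi0/1
  20    00aa.bbcc.dd03    DYNAMIC     Gi0/1
  30    0011.2233.4499    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 8
"""

CDP_NEIGHBORS = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
SW-FLOOR2        Gig 0/1           147         S I       WS-C2960  Gig 0/24
"""

# A MAC table row: vlan, dotted-quad MAC, type, port.
MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)",
    re.IGNORECASE,
)
# A CDP row: device id, then a local interface IOS prints with a space ("Gig 0/1").
CDP_ROW = re.compile(r"^(?P<device>\S+)\s+(?P<port>[A-Za-z]+\s*[\d/.]+)\s+\d+")


def normalize_ifname(name):
    """Map 'Gig 0/1', 'GigabitEthernet0/1' and 'Gi0/1' to the same key 'gi0/1'."""
    m = re.match(r"([A-Za-z]+)\s*([\d/.]+)", name.strip())
    if not m:
        return name.strip().lower()
    return m.group(1)[:2].lower() + m.group(2)


def parse_mac_table(text):
    """Return {port: set(mac)} from 'show mac address-table' output."""
    macs_by_port = defaultdict(set)
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            macs_by_port[normalize_ifname(m.group("port"))].add(m.group("mac").lower())
    return dict(macs_by_port)


def parse_cdp_neighbors(text):
    """Return {local_port: device_id} from 'show cdp neighbors' output."""
    neighbors = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True      # rows start after the column header
            continue
        if not in_table:
            continue
        m = CDP_ROW.match(line)
        if m:
            neighbors[normalize_ifname(m.group("port"))] = m.group("device")
    return neighbors


def find_suspect_ports(mac_table_text, cdp_text, max_macs=1):
    """Ports with more than max_macs learned MACs and no CDP neighbor.

    Returns {port: sorted list of MACs}.  Ports with a CDP neighbor are
    skipped: many MACs there are expected on an uplink to a managed switch.
    """
    macs_by_port = parse_mac_table(mac_table_text)
    known_uplinks = parse_cdp_neighbors(cdp_text)
    return {
        port: sorted(macs)
        for port, macs in macs_by_port.items()
        if len(macs) > max_macs and port not in known_uplinks
    }


if __name__ == "__main__":
    for port, macs in sorted(find_suspect_ports(MAC_TABLE, CDP_NEIGHBORS).items()):
        print(f"{port}: {len(macs)} MACs, no CDP neighbor -> check for hub/mini switch")
```

Raise `max_macs` to 2 on floors where every desk has a phone with a PC behind it, so only ports with a third device are reported.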

    LVL 7

    Assisted Solution

    Turning off the PCs isn't enough, as most motherboards will keep the NIC active as long as power is supplied.

    Accordingly, the easiest way is to check the MAC address table for each port on the switch, and then check the MAC addresses against known Cisco ranges (if you think you may have another managed switch further along). Otherwise it's fairly straightforward: if there is more than one MAC address in the table then a switch or hub is attached to that port.

    LVL 10

    Assisted Solution

    What I would do - but mind you, I'm also vindictive.

    1.  Log in to your core switch.
    2.  show cdp neighbor / show cdp neighbor detail
    3.  Record trunk ports between Cisco switches.
    4.  Continue mapping until all Cisco devices are accounted for/identified.
    5.  Ensure that all cisco devices are named.
    6.  At farthest end from core, on trunks - sw encap dot1q and then sw mode trunk
    7.  On all non-trunk ports, change port type to access - sw mode acc
    8.  Shortcut - if you are running newer switches with Smartports, use the Cisco switch manager software to view your ports and see which ones are using the incorrect port types; investigate these.
    9.  (How I would complete) On access ports, set port-security:
    switchport portsec
    sw portsec mac sticky
    sw portsec vio shutdown

    Wait for users to start calling!

    Check the ports that are shut down; these will be your multi-MAC ports - eureka!!! Switch/hub or port hoppers!!

    LVL 16

    Assisted Solution

    by:Aaron Street
    Like others here I would suggest going round each switch and looking at the MAC tables to see any port that has multiple MAC addresses.

    You could also turn on port security on all non-trunked ports and set the maximum allowed MAC addresses to 1, then set the action taken to only log, rather than shut down the port.

    Setting up port security is very straightforward, and you would usually use it by assigning a single MAC address to a port and blocking access to any other (so people can't plug a non-work computer into the network).

    However, you can, as I described, set up a limit to the number of separate MACs that can access the network through a single port. As a hub will show as many MACs, the switch will alert. By setting it to only alert you don't cause people to lose connection, but you will see errors on the switch highlighting the ports. Stopping people plugging hubs into the network is another big use for port security.

    You could also set up a basic syslog server (where the switch sends its logging to a remote server); you can download a basic one for free. Then you have all your switches log to the one server and set a filter for port security errors.

    OK, it's a bit more setting up (but only takes 5 min a switch, and I can find the commands for you if you want) and you end up with a syslog server, which, believe me, is a great system to have in place. Not only will it alert you to port security errors, but you can also see all errors on the switches in a central place.
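The syslog filter this answer suggests is simple enough to show end to end. The block below is an added example, not code from the thread: it scans a handful of constructed syslog lines (hostnames, timestamps and MACs are made up; the `%PORT_SECURITY-2-PSECURE_VIOLATION` message text follows the format Cisco IOS uses) and groups violations per switch port. With the maximum set to one MAC and a log-only violation action, a port that reports several different MACs is the hub/mini switch candidate, while a port that keeps reporting the same single MAC is more likely one extra device plugged straight into the jack.

```python
"""Filter Cisco IOS syslog for port-security violations and group them per port.

Added example (not from the original thread).  Reads syslog lines collected
from several switches and reports which ports tripped port security and how
many distinct MACs were behind each.
"""
import re
from collections import defaultdict

# Constructed sample lines as a syslog server would store them; hostnames,
# sequence numbers, timestamps and MAC addresses are made up.
SYSLOG_LINES = [
    "Feb  7 18:02:11 sw-floor2 1201: *Feb  7 18:02:10.991: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 0011.2233.4466 on port FastEthernet0/2.",
    "Feb  7 18:02:15 sw-floor2 1202: *Feb  7 18:02:14.120: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 0011.2233.4477 on port FastEthernet0/2.",
    "Feb  7 18:03:02 sw-floor2 1203: *Feb  7 18:03:01.455: %LINK-3-UPDOWN: "
    "Interface FastEthernet0/7, changed state to down",
    "Feb  7 18:05:40 sw-floor3 0877: *Feb  7 18:05:39.800: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 0011.2233.44aa on port FastEthernet0/9.",
    "Feb  7 18:06:03 sw-floor3 0878: *Feb  7 18:06:02.333: %PORT_SECURITY-2-PSECURE_VIOLATION: "
    "Security violation occurred, caused by MAC address 0011.2233.44aa on port FastEthernet0/9.",
]

# syslog timestamp, originating host, then the IOS message with MAC and port.
VIOLATION = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+.*"
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*?MAC address\s+"
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+on port\s+(?P<port>\S+?)\.?$",
    re.IGNORECASE,
)


def summarize_violations(lines):
    """Return {(host, port): set of offending MACs} from syslog lines.

    Lines that are not port-security violations (link up/down etc.) are ignored.
    """
    seen = defaultdict(set)
    for line in lines:
        m = VIOLATION.search(line)
        if m:
            seen[(m.group("host"), m.group("port"))].add(m.group("mac").lower())
    return dict(seen)


def classify(summary):
    """Split violating ports into (multi-MAC ports, single-MAC ports).

    Several distinct MACs behind one port point at a hub or mini switch;
    one repeated MAC looks like a single unexpected device on the jack.
    """
    multi = {k for k, macs in summary.items() if len(macs) > 1}
    single = {k for k, macs in summary.items() if len(macs) == 1}
    return multi, single


if __name__ == "__main__":
    summary = summarize_violations(SYSLOG_LINES)
    multi, single = classify(summary)
    for host, port in sorted(multi):
        print(f"{host} {port}: {len(summary[(host, port)])} MACs -> likely hub/mini switch")
    for host, port in sorted(single):
        print(f"{host} {port}: one extra MAC -> single unexpected device")
```

Run it against the export from your syslog server instead of `SYSLOG_LINES`; the grouping is per switch hostname, so the same port number on two switches is kept apart.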

    LVL 79

    Assisted Solution

    You can also try Solarwinds' Switch Port Mapper. Great tool to have around.

    LVL 4

    Expert Comment

    by:CCI_IT
    You can turn on port security with a maximum MAC address of 1 and a shutdown violation. Whatever turns off... has a switch or a hub connected. Be prepared for loss of connectivity though.

    Author Comment

    Thanks for everyone's input.

    This was all great input. One piece of information I did not mention was that the majority of computers uplink through a Nortel phone, meaning that the line is always active and that most have multiple MAC addresses. I also found that most of our computers keep an active link even when shut down due to wake-on-LAN functionality.

    Bottom line is I am using a combination of almost everyone's input except CCI_IT's, because this was already stated in an earlier comment. I ended up crawling under desks for the most part, but for the mini switches that were not on documented ports I am going to look at address tables and use the link provided for MAC address by vendor, then maybe do the port security method but with logging only.

    I will also take a look at Switch Port Mapper as long as the trial will run in full mode for 30 days.

    The next thing I will do is use BPDU guard to prevent this from happening again.

    I will divide points up between the first five in the thread.
