
How can I locate hubs and mini switches plugged into a Cisco switch

Last Modified: 2012-05-06
I have a midsized network with about 300 devices running on Cisco switches. I want to start using portfast on all access ports, but there are numerous mini switches and hubs spread throughout the network. How can I find these devices without having to check every cubicle and office?

Any help would be very appreciated.

Specialized (very expensive) Ethernet analyzer tools may be able to help answer that, but unless you have a >$100k budget for this project, it's probably a lot less expensive to go check every cubicle and office.

One thing you can do is go to your managed switches and use the "show mac-address-table" command and "show mac-address-table interface (INTERFACENAME)".

Look at how many MAC addresses are attached to each port; if it's more than 1, then there is definitely some kind of switch.

Now use "show cdp neighbors" and the show spanning-tree commands; assuming you run CDP on your Cisco switches, you should see which ports are actually your managed switches.

The ports that don't have a Cisco switch on them but have multiple MAC addresses probably have one of those cheap 5-port switches attached.

One evening, get an announcement out telling everyone to shut down their PCs when they go home, or remotely shut down all PCs using the "shutdown" commands.

In any event, once all PCs are off, wait 5 minutes for the aging time, and start looking at interface stats for ports that are still up and MAC address tables for connected devices.

If a port is still up, but no MAC addresses show up, then it's probably a cheap switch keeping the port up; go and verify.

If a MAC address still shows up, then either it's someone who left their PC running, or it's some other device attached to a 5-port switch.

If the interface was up in the morning, but went down after people were leaving, then it's probably the case that it was just a PC shutdown...

(Although there is a small possibility some nut unplugs, powers off, or packs up their 5-port switch when they leave... perhaps they have it plugged into a power strip and turn off the power strip when you tell them to shut down... a reason why remote shutdown may be best.)

Turning off the PCs isn't enough, as most motherboards will keep the NIC active as long as power is supplied.

Accordingly, the easiest way is to check the MAC address table for each port on the switch, and then check the MAC addresses for known Cisco ranges (http://standards.ieee.org/regauth/oui/oui.txt) if you think you may have another managed switch further along. Otherwise it's fairly straightforward - if there is more than one MAC address in the table then a switch or hub is attached to that port.
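The MAC-table check described in the two answers above, as an added Python example that is not part of the original thread. It assumes the saved output of the MAC table command in the common IOS column layout; the sample table, the uplink port name and the `aabbcc` phone OUI are constructed placeholders, and `uplinks` is expected to hold the inter-switch ports you identified from CDP, written the way the MAC table prints them.

```python
import re
from collections import defaultdict

# Constructed sample of MAC address table output (not taken from the thread).
SAMPLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4401    DYNAMIC     Fa0/1
  10    0011.2233.4402    DYNAMIC     Fa0/2
  20    aabb.cc00.0001    DYNAMIC     Fa0/2
  10    0011.2233.4403    DYNAMIC     Fa0/3
  10    0011.2233.4404    DYNAMIC     Fa0/3
  10    0011.2233.4405    DYNAMIC     Fa0/3
  10    0011.2233.4406    DYNAMIC     Gi0/1
  10    0011.2233.4407    DYNAMIC     Gi0/1
 All    0100.0ccc.cccc    STATIC      CPU
Total Mac Addresses for this criterion: 9
"""

# vlan, MAC in dotted-hex form, entry type, port
ROW = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def macs_per_port(text):
    """Map each port to the set of dynamically learned MACs seen on it."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).upper() == "DYNAMIC":
            ports[m.group(4)].add(m.group(2).lower())  # a set dedupes one MAC seen in two VLANs
    return ports

def suspect_ports(text, uplinks=(), phone_ouis=(), max_macs=1):
    """Access ports with more than max_macs distinct MACs, ignoring phone OUIs."""
    out = {}
    for port, macs in macs_per_port(text).items():
        if port in uplinks:          # known switch-to-switch link, many MACs expected
            continue
        hosts = {m for m in macs if m.replace(".", "")[:6] not in phone_ouis}
        if len(hosts) > max_macs:
            out[port] = sorted(hosts)
    return out
```

Passing the OUI of your IP phones in `phone_ouis` keeps a phone with a PC behind it from being reported as a hub.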
atlas_shuddered, Sr. Network Engineer
What I would do - but mind you, I'm also vindictive.

1.  Log in to your core switch.
2.  show cdp neighbor /show cdp neighbor detail
3.  Record trunk ports between cisco switches.
4.  Continue mapping till all cisco devices accounted for/identified.
5.  Ensure that all cisco devices are named.
6.  At farthest end from core, on trunks - sw encap dot1q and then sw mode trunk
7.  On all non-trunk ports, change port type to access - sw mode acc
8.  Shortcut - if you are running newer switches with smartports - use cisco switch manager software to view your ports and see which ones are using the incorrect port types by the software - investigate these.
9.  (How I would complete)  On access ports, set port-security
switchport port-security
switchport port-security mac-address sticky
switchport port-security violation shutdown

Wait for users to start calling!

Check the ports that are shut down; these will be your multi-MAC ports - eureka!!!  Switch/hub or port hoppers!!

Aaron Street, Technical Infrastructure Architecture and Global Network Manager
Like others here, I would suggest going round each switch and looking at the MAC tables to see any ports that have multiple MAC addresses.

You could also turn on port security on all non-trunked ports and set the max allowed MAC addresses to 1, then set the action taken to only log, rather than shut down the port.

Setting up port security is very straightforward, and you would usually use it by assigning a single MAC address to a port and blocking access to any other (so people can't plug a non-work computer into the network).

However, as I described, you can set up a limit on the number of separate MACs that can access the network through a single port. As a hub will show as many MACs, the switch will alert. By setting it to only alert, you don't cause people to lose connection, but you will see errors on the switch highlighting the ports. Stopping people plugging hubs into the network is another big use for port security.

You could also set up a basic syslog server (where the switch sends its logging to a remote server); you can download a basic one for free. Then you have all your switches log to the one server and set a filter for port security errors.

OK, it's a bit more setting up (but only takes 5 min a switch, and I can find the commands for you if you want) and you end up with a syslog server, which, believe me, is a great system to have in place. Not only will it alert you to port security errors, but you can also see all errors on the switches in a central place.
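One way to build the syslog filter for port security errors described above, as an added Python example that is not part of the original thread. It assumes the syslog server writes one line per message with a timestamp and the sending switch's hostname in front of the IOS `%PORT_SECURITY-2-PSECURE_VIOLATION` text; the hostnames, MAC addresses and timestamps in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed syslog-server lines; hostnames, MACs and timestamps are made up.
SAMPLE_LOG = """\
May  4 09:12:01 sw-floor2 88: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4404 on port FastEthernet0/3.
May  4 09:12:07 sw-floor2 89: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4405 on port FastEthernet0/3.
May  4 09:13:40 sw-floor1 41: %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to up
May  4 09:15:22 sw-floor1 42: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4410 on port FastEthernet0/7.
May  4 09:20:03 sw-floor2 90: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4404 on port FastEthernet0/3.
"""

VIOLATION = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<switch>\S+)\s.*"
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*"
    r"MAC address (?P<mac>[0-9a-f.]{14}) on port (?P<port>\S+?)\.?$", re.I)

def violations_by_port(log_text):
    """Map (switch, port) to the distinct MACs that triggered a violation there."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = VIOLATION.match(line)
        if m:  # every other message type is ignored
            seen[(m["switch"], m["port"])].add(m["mac"].lower())
    return seen

def ports_to_visit(log_text):
    """Rows of (switch, port, MACs), ports with the most distinct extra MACs first."""
    rows = [(sw, port, sorted(macs))
            for (sw, port), macs in violations_by_port(log_text).items()]
    return sorted(rows, key=lambda r: (-len(r[2]), r[0], r[1]))
```

With a limit of one MAC per port, each distinct address in a row is a device beyond the first one the port learned, so the top of the list is where a hub or mini switch is most likely to be found.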

Les Moore, Sr. Systems Engineer
Top Expert 2008
You can also try Solarwinds' switchport mapper. Great tool to have around.

Or... you can turn on port security with a maximum MAC address of 1 and a shutdown violation. Whatever turns off... has a switch or a hub connected. Be prepared for loss of connectivity though.


Thanks for everyone's input.

This was all great input.  One piece of information I did not mention was that the majority of computers uplinked through a Nortel phone, meaning that the line is always active and that most have multiple MAC addresses.  I also found that most of our computers keep an active link even when shut down due to Wake-on-LAN functionality.

Bottom line is I am using a combination of almost everyone's input except CCI_it because this was already stated in an earlier comment.  I ended up crawling under desks for the most part, but for the mini switches that were not on documented ports I am going to look at address tables and use the link provided for MAC address by vendor, then maybe do the port security method but with logging only.

I will also take a look at switchport mapper as long as the trial will run in full mode for 30 days.

The next thing I will do is use BPDU guard to prevent this from happening again.

I will divide points up between the first five in the thread.

