How do I prevent and/or detect a user from adding a router to the network

Posted on 2009-05-06
Last Modified: 2012-05-06
I have a network setup at a church.  We are running Windows Server 2003 with a Sonic Wall TZ170 router/firewall which is the DHCP server.  All is configured properly and everything runs well until some genius decides to bring in their own router and plug it into the system.  The basic problem is that they don't know the difference between a wireless access point which I wouldn't care about and a router.  Once someone does this it creates havoc on the system and takes us hours to locate the device.  How can I either block another router from going onto the network or at the very least easily detect and determine it's location?  The simple answer is to tell everyone not to do such things but that has not worked.
Question by:PhilR714
4 Comments
Expert Comment by lanboyo (ID: 24314260)
The short answer is that it depends entirely upon how much work you want to go to to police this. Also more knowledge of your network is needed. What type of Ethernet switches do you have?

I assume that the user plugged in the router on the LAN side of the router instead of the WAN side and the new DHCP server gave your real users bad IP addresses and gateways, or it added a new host with the IP of your default gateway.

If the user does not make an attempt at hiding the router/access point then it is possible to scan for the mac addresses of the router vendors.

A new switch device, which is what these things are on the LAN side, can be prevented on Cisco switches by the global command:

spanning-tree portfast bpduguard default

This will cause any port with spanning-tree portfast to be error-disabled when a new switch or hub is added to it. You can also put a MAC limit on the switch so that switches without spanning tree are disabled as well.

You can also scan wireless networks using a dedicated box to make sure that no new access points appear on the network, but if the church is close to other homes and businesses, this is not an exact science.

If your ethernet switches support it you can set up mac filters that prevent any devices that you do not explicitly allow onto the network.  As you allow guests onto the network this would seem to be a rather annoying amount of work.

You can isolate the guest portion of the network by putting any devices you do not control on their own network, perhaps using your own access point with the WAN port facing your network and the LAN port facing them. This only works if your Ethernet switches support VLANs and you can give them a separate VLAN or their own switch. Users could still break things for other guests.

The corporate solution for this type of thing is 802.1x. This is a big step and requires all workstations to have an 802.1x supplicant in order to talk on the network.


Expert Comment by SteveJ (ID: 24315071)
Turn off DHCP. Assign IP addresses to legit users, block all other unassigned IP addresses on the SonicWall. If anyone wants to "add" to the network, they can find you.

Yes, it's a pain. But without throwing dollars and technology at it, you don't have much choice.

Good luck,
Steve
Expert Comment by ngaba (ID: 24336340)
You can also set up max MAC address counts on each interface on the switch. This will only allow x amount of MAC addresses for that switch port. If you set it to 1, and someone plugs a router in and uses their PC as well, it will shut the port down.
Accepted Solution by PhilR714 (earned 0 total points, ID: 24340009)
All of the switches are unmanaged so there isn't any way to configure them. I doubt they are going to want to go to managed switches. The users are not making any attempt to hide the router. Most of them don't know that they are routers anyway. They think they are putting in a wireless access point. As much as I hate to say it I may have to go with the static IP addresses that SteveJ suggested. It is a very big building with Cat5 jacks everywhere so at any time someone could plug something in.
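Added example, not code from the thread or from any of the commenters. lanboyo describes the symptom (a consumer router plugged in LAN-side answers DHCP DISCOVERs with its own subnet and gateway), and with unmanaged switches, as in the accepted solution, port security and BPDU guard are off the table. What remains is detection on the wire: send a DISCOVER and flag every OFFER whose server identifier (option 54) is not the SonicWall. The script below does that. Assumptions: the SonicWall's LAN address is 192.168.1.1, and every packet built here is constructed test input, not a capture.

```python
"""Rogue DHCP server detector: classify DHCP OFFER packets by server identifier.

Added example, not from the thread. Assumed: the SonicWall LAN address is
192.168.1.1; all packets built here are constructed test input, not captures.
"""
import socket
import struct

AUTHORIZED_SERVERS = {"192.168.1.1"}   # assumption: the SonicWall TZ170 LAN IP
MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the 236-byte BOOTP header
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file, cookie
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s4s")   # 240 bytes


def _ip(b):
    """Dotted-quad for a 4-byte option value, None if the value is too short."""
    return socket.inet_ntoa(b[:4]) if len(b) >= 4 else None


def _bootp(op, xid, yiaddr, siaddr, chaddr):
    """Pack a BOOTP header with the broadcast flag (0x8000) set so replies are broadcast."""
    return BOOTP.pack(op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4, socket.inet_aton(yiaddr),
                      socket.inet_aton(siaddr), b"\0" * 4, chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128, MAGIC)


def build_dhcp_discover(xid, chaddr):
    """DHCPDISCOVER (option 53 = 1) from a client that has no address yet."""
    return _bootp(1, xid, "0.0.0.0", "0.0.0.0", chaddr) + bytes([53, 1, 1, 255])


def build_dhcp_offer(server_ip, your_ip, router_ip, mask, xid=0x1234, chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed DHCPOFFER carrying options 53, 54, 1, 3 and 51 (one-day lease)."""
    opts = (bytes([53, 1, 2]) +
            bytes([54, 4]) + socket.inet_aton(server_ip) +
            bytes([1, 4]) + socket.inet_aton(mask) +
            bytes([3, 4]) + socket.inet_aton(router_ip) +
            bytes([51, 4]) + struct.pack("!I", 86400) + b"\xff")
    return _bootp(2, xid, your_ip, server_ip, chaddr) + opts


def parse_dhcp_options(payload):
    """Return {code: value} for the TLV options; PAD (0) is skipped, END (255) stops."""
    if len(payload) < BOOTP.size or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, BOOTP.size
    while i < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_offer(payload, authorized=AUTHORIZED_SERVERS):
    """Return (verdict, details). 'ignored' unless BOOTREPLY + DHCPOFFER; otherwise
    'authorized' or 'rogue' by option 54, falling back to the siaddr header field."""
    opts = parse_dhcp_options(payload)
    if payload[0] != 2 or opts.get(53, b"\0")[0] != 2:
        return "ignored", {}
    server = _ip(opts.get(54, payload[20:24]))
    details = {"server": server,
               "offered_ip": _ip(payload[16:20]),
               "mask": _ip(opts.get(1, b"")),
               "router": _ip(opts.get(3, b""))}
    return ("authorized" if server in authorized else "rogue"), details


def probe(timeout=5.0, bind_ip="0.0.0.0"):
    """Broadcast one DISCOVER and classify every OFFER heard within `timeout`.
    Binds UDP/68, so it usually needs root and a host whose own DHCP client is stopped."""
    xid = 0x5EED0001
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind((bind_ip, 68))
    s.settimeout(timeout)
    s.sendto(build_dhcp_discover(xid, b"\x02\x00\x5e\xed\x00\x01"), ("255.255.255.255", 67))
    seen = []
    try:
        while True:
            data, (src, _) = s.recvfrom(2048)
            # only replies to our DISCOVER; bad/short datagrams are skipped, not fatal
            if len(data) >= BOOTP.size and data[4:8] == struct.pack("!I", xid):
                seen.append((src,) + classify_offer(data))
    except socket.timeout:
        pass
    finally:
        s.close()
    return seen


if __name__ == "__main__":
    for src, verdict, d in probe():
        print(verdict.upper(), "offer from", src, d)
```

Run `probe()` from a wired port; a ROGUE line gives the router's LAN address and the bogus gateway it is handing out. To find the device physically without managed switches, ping that address and read its MAC from `arp -a`, then unplug jacks until the ping stops. The probe only sees servers in the same broadcast domain, and a router whose DHCP server has been disabled will not answer at all.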