Solved

Prevent users from installing hubs on the business network

Posted on 2012-09-05
Last Modified: 2012-09-06
My network consists of 4 Cisco switches.  During a random audit yesterday, I found two locations where a user installed a Linksys hub/switch in a conference room.  Is there anything I can do to eliminate this with some type of switch port configuration?  I don't want the users to be able to install little 4-port hubs and switches.  Thanks.
Question by:denver218
15 Comments
 
LVL 28

Expert Comment

by:jhyiesla
ID: 38367895
I don't think so. These little hub/switches are just stupid devices that operate totally at Layer 2; there's no IP or other identifying information. They are in fact a simple pass thru.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 38367900
You could use switchport port-security to limit the number of MAC addresses on a port. When placing a hub you would get more than one on one port and the port will be blocked.

Have a look at: http://www.techrepublic.com/article/lock-down-cisco-switch-port-security/6123047
0
 
LVL 11

Expert Comment

by:John Easton
ID: 38367908
If you are using managed switches you may be able to limit the number of MAC addresses so even if they add a hub only one device will be able to be connected to it.

See this page on the CISCO forum for a bit more information:  https://learningnetwork.cisco.com/thread/40939
0
 
LVL 4

Author Comment

by:denver218
ID: 38367924
I was just looking into port security.  Question though, I have an ASA5505 plugged into one of my Cisco switches.  I have all my wireless access points plugged into the ASA5505.  Now does the ASA only forward its own MAC address to the switch, or does it forward all MAC addresses?  I just don't want to limit that switchport to one MAC address and have a problem.
0
 
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 2000 total points
ID: 38367945
You can limit it on a per-port basis. So just don't enable port security on the ports that don't need it (like the port for the ASA).
0
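The port-security setup discussed in the answers above, as an added example that is not part of the original thread: one user-facing access port limited to a single MAC address, and the ASA5505 port left without port security. The interface names, VLAN number and recovery interval are assumptions; substitute your own.

```cisco
! Added example. Interface names, VLAN 10 and the 300 s interval are assumed.
!
! User-facing port (e.g. conference-room wall jack): one MAC address only.
interface FastEthernet0/5
 description Conference room - single host only
 ! Port security cannot be enabled on a dynamic (auto/desirable) port
 switchport mode access
 switchport access vlan 10
 ! Enable the feature; the settings below are the defaults, stated explicitly
 switchport port-security
 switchport port-security maximum 1
 ! shutdown = err-disable the port on a second MAC (default)
 ! restrict = drop the extra MAC's frames, log and count the violation
 ! protect  = drop the extra MAC's frames silently
 switchport port-security violation shutdown
!
! Port facing the ASA5505 (access points behind it): no port security,
! so the number of MAC addresses seen here is not limited.
interface FastEthernet0/24
 description ASA5505 - port security intentionally not enabled
 switchport mode access
 switchport access vlan 10
!
! Optional: bring err-disabled ports back automatically after 300 seconds
! instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification from privileged EXEC mode:
!   show port-security
!   show port-security interface FastEthernet0/5
!   show port-security address
!   show interfaces status err-disabled
```

With dynamic learning (no sticky or static address configured), the learned address is cleared when the link goes down, so a user can unplug one laptop and plug in another without tripping a violation. A small switch with only one host behind it still presents a single MAC address and will not be caught by this limit.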
 
LVL 28

Expert Comment

by:jhyiesla
ID: 38367947
Do these things even have MAC addresses?  I looked at a couple of our hub/switches and I do not see any indication of a MAC address.
0
 
LVL 10

Expert Comment

by:mark_harris231
ID: 38367984
<soapbox>
Agree with prior posts from a technical solution to the question as asked, but I would recommend that you consider from the user's perspective - what business issue/challenge were they trying to solve? - and provide a solution instead of "just another IT restriction".  IT often suffers from a "public-relations" perspective, where users see IT as an obstacle to business.  By engaging with the users to see what they're trying to do & why, and providing solutions (or gently educating as to why it's not practical/possible), you can help develop a better reputation with the end-user community - one where they'll be less inclined to try to find ways around IT.
</soapbox>
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38368010
@jhyiesla: no they (hubs) don't (managed switches do). But from the Cisco switch's perspective it is seeing multiple MACs on that port (machines connected through that hub), hence it will block.
0
 
LVL 2

Expert Comment

by:ABCStore
ID: 38368202
If that situation is really creating problems then you need an IT POLICY within your company.
0
 
LVL 4

Author Comment

by:denver218
ID: 38369193
I'm not at all trying to add another IT restriction.  I do not have a problem at all running more lines or installing another managed switch to accommodate my users.  You know as well as I know that having a hub, not a switch, is not good network practice.  I think I will implement port security so only one MAC address will have access.  I've found an access point as well as two hubs over the past two months at this client's location.  I just want to put an end to it, or make it harder for them to install this equipment.  I need to get them used to coming to IT if they have a request.
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 38369222
erniebeek...yep you're right... hadn't thought of that...not enough Dew yet today :)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38369238
Sounds familiar :)
0
 
LVL 10

Expert Comment

by:mark_harris231
ID: 38369298
@denver218 - Speaking for myself, I meant no offense.  Just wanted to acknowledge the user perspective.  Coming from a background of an outsourced IT service provider, we had to be acutely aware of developing effective end-user rapport as, even more so than in-house IT, we were "outsiders" in the truest sense of the word.

I'm fully in support of placing technical restrictions as needed, because you will always have the rogue end-users that think they know more than they actually do, or know better for the business than IT.  But to be truly effective, IT has to make sure that they employ equal measures of "carrot" and "stick" (and make sure that the end-users are aware of the "carrot").

Cheers!

Mark
0
 
LVL 4

Author Comment

by:denver218
ID: 38369761
No offense taken at all.  Thanks for your input.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 38371752
Thanks
0
