Need an alert when unauthorized device plugs into LAN

Posted on 2014-01-15
Last Modified: 2014-01-23
Hello Experts - I'm looking for a way to generate an email alert anytime an unauthorized device is plugged into my LAN.  No other action needs to take place, just a simple email letting me know someone has plugged in, preferably along with details including what port and perhaps information about the device.  I'm using a Cisco 4510 switch, a 5510 ASA, and a 2811 gateway.  Thanks in advance for any advice!
Question by:First Last
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 25

Accepted Solution

Cyclops3590 earned 500 total points
ID: 39782862
Since its a small network I would look into arpwatch.  It sees when an IP/mac pair changes or a new one is seen and emails you immediately.  you can then look that mac address up using 'sh mac-address-table' (might be 'sh mac address-table' on your switch) to find the port its connected to

Author Comment

by:First Last
ID: 39782927
Looks interesting but not quite what I am looking for.  I'd prefer something Windows based and that would only alert me when an unauthorized device was plugged in.  This might provide a little too much information since I'd get an email any time someone moved with a laptop as an example.  Still, if nothing else comes up this could be handy, thanks!
LVL 25

Expert Comment

ID: 39782938
actually it wouldn't alert just with a laptop moving.  that laptop must get a new IP as well.  arpwatch doesn't care about switch ports, only IP to mac mappings.

so do you only want to be alerted if an "unauthorized" client connects or prefer to block them to begin with?  also, define unauthorized.  most tools are not going to know the difference.
Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.


Author Comment

by:First Last
ID: 39782957
Ah, ok, that's better than I thought then.  I don't want to block anyone, just get an email when a device that isn't plugged in now gets plugged in later.  I pictured doing a network scan and collecting a small database of what would constitute authorized devices. Any device connecting to the LAN not already in the database would trigger the alert.
LVL 25

Expert Comment

ID: 39782968
that would definitely work to.  and the database could easily be a flat file that way (since you're on windows) you could, in your script, use the find command to quickly compare.  then could just put it as a scheduled job that fires off every X minutes to do the comparison and email.  would be a simple batch or powershell script really.
LVL 46

Expert Comment

by:Craig Beck
ID: 39792377
ARPWatch is good but it will need an interface to be present in each VLAN you want to monitor.

If you only have one VLAN it's not a problem, but ARP doesn't work across routers so you'd need the PC running ARPWatch to have multiple interfaces if you do.

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question