Need an alert when unauthorized device plugs into LAN

Posted on 2014-01-15
Last Modified: 2014-01-23
Hello Experts - I'm looking for a way to generate an email alert anytime an unauthorized device is plugged into my LAN.  No other action needs to take place, just a simple email letting me know someone has plugged in, preferably along with details including what port and perhaps information about the device.  I'm using a Cisco 4510 switch, a 5510 ASA, and a 2811 gateway.  Thanks in advance for any advice!
Question by:First Last
LVL 25

Accepted Solution

Cyclops3590 earned 500 total points
ID: 39782862
Since it's a small network, I would look into arpwatch.  It sees when an IP/MAC pair changes or a new one is seen and emails you immediately.  You can then look that MAC address up using 'sh mac-address-table' (might be 'sh mac address-table' on your switch) to find the port it's connected to.

Author Comment

by:First Last
ID: 39782927
Looks interesting but not quite what I am looking for.  I'd prefer something Windows based and that would only alert me when an unauthorized device was plugged in.  This might provide a little too much information since I'd get an email any time someone moved with a laptop as an example.  Still, if nothing else comes up this could be handy, thanks!
LVL 25

Expert Comment

ID: 39782938
Actually it wouldn't alert just with a laptop moving.  That laptop must get a new IP as well.  arpwatch doesn't care about switch ports, only IP to MAC mappings.

So do you only want to be alerted if an "unauthorized" client connects, or prefer to block them to begin with?  Also, define unauthorized.  Most tools are not going to know the difference.
Author Comment

by:First Last
ID: 39782957
Ah, ok, that's better than I thought then.  I don't want to block anyone, just get an email when a device that isn't plugged in now gets plugged in later.  I pictured doing a network scan and collecting a small database of what would constitute authorized devices. Any device connecting to the LAN not already in the database would trigger the alert.
LVL 25

Expert Comment

ID: 39782968
That would definitely work too.  And the database could easily be a flat file; that way (since you're on Windows) you could, in your script, use the find command to quickly compare.  Then you could just put it as a scheduled job that fires off every X minutes to do the comparison and email.  It would be a simple batch or PowerShell script really.
LVL 46

Expert Comment

by:Craig Beck
ID: 39792377
ARPWatch is good but it will need an interface to be present in each VLAN you want to monitor.

If you only have one VLAN it's not a problem, but ARP doesn't work across routers so you'd need the PC running ARPWatch to have multiple interfaces if you do.
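
The flat-file comparison sketched in the comments above, written out as a PowerShell script to run from Task Scheduler (an added example, not code from any participant in the thread). The subnet, file paths and mail settings are placeholders; it assumes English-locale `arp -a` output and PowerShell 3.0 or later, and, as noted for ARPWatch, it only sees devices in the VLAN of the PC it runs on.

```powershell
# Added example, not code from the thread. Paths, subnet and mail settings are placeholders.
$Subnet     = '192.168.1'                          # assumed /24 that this PC sits on
$AllowFile  = 'C:\lanwatch\authorized-macs.txt'    # flat file, one MAC per line
$SeenFile   = 'C:\lanwatch\already-alerted.txt'    # MACs already reported once
$SmtpServer = 'smtp.example.com'
$MailFrom   = 'lanwatch@example.com'
$MailTo     = 'admin@example.com'

function Get-ArpEntry {
    param([string[]]$ArpOutput)
    # English-locale "arp -a" rows: "  192.168.1.20    00-11-22-33-44-55    dynamic"
    # Matching "dynamic" skips the static broadcast and multicast rows.
    $row = '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+dynamic'
    foreach ($line in $ArpOutput) {
        if ($line -match $row) {
            [pscustomobject]@{ IP = $Matches[1]; MAC = $Matches[2].ToUpper() }
        }
    }
}

function Get-UnknownDevice {
    param([object[]]$Entries, [string[]]$Known)
    # Drop empty lines first, then normalise case so the comparison is exact.
    $list = $Known | Where-Object { $_ } | ForEach-Object { $_.Trim().ToUpper() }
    $Entries | Where-Object { $list -notcontains $_.MAC } | Sort-Object MAC -Unique
}

# Touch every address so live hosts land in the ARP cache; a host that drops
# ICMP still answers the ARP request that precedes the ping.
1..254 | ForEach-Object { ping -n 1 -w 200 "$Subnet.$_" | Out-Null }
$entries = @(Get-ArpEntry -ArpOutput (arp -a))

if (-not (Test-Path $AllowFile)) {
    # First run: record what is plugged in now as the authorized baseline.
    if ($entries) { $entries.MAC | Sort-Object -Unique | Set-Content $AllowFile }
} else {
    $known   = Get-Content $AllowFile, $SeenFile -ErrorAction SilentlyContinue
    $unknown = @(Get-UnknownDevice -Entries $entries -Known $known)
    if ($unknown) {
        $body = ($unknown | ForEach-Object { "$($_.IP)  $($_.MAC)" }) -join "`r`n"
        Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo `
            -Subject "Unknown device on LAN: $($unknown.Count)" -Body $body
        $unknown.MAC | Add-Content $SeenFile   # alert once per new MAC
    }
}
```

The alert carries the IP and MAC; the switch port comes from looking the MAC up with 'sh mac-address-table' as described in the accepted solution. A device that presents an already authorized MAC address will not trigger an alert.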

Question has a verified solution.