topic Locating unauthorized, unmanaged hubs? in Switches, Hubs, and Modems

Locating unauthorized, unmanaged hubs?

Preston Gallwas — Fri, 23 Sep 2005 12:43:42 GMT

Some users on our network have apparently taken it upon themselves to bring in equipment from outside our network and hook it up. We've had reports that these hubs have been hooked up, and we're assuming their unmanaged. Is there a way to effectively locate these...parasites...remotely?

Re: Locating unauthorized, unmanaged hubs?

Les Ligetfalvy — Fri, 23 Sep 2005 12:48:05 GMT

You could do better. You could set MAC address security to continuous learn and kill anything with more than one MAC per port.

If you are not ready for such drastic action, you would need to query the MAC addresses of all the ports that are not ISL. Those with more than one MAC would have a hub/switch/WAP attached.

Re: Locating unauthorized, unmanaged hubs?

Preston Gallwas — Fri, 23 Sep 2005 13:08:23 GMT

Okay les, on a 2600 series running 8.53, would i just "show mac"
?

Re: Locating unauthorized, unmanaged hubs?

Manfred Arndt — Fri, 23 Sep 2005 15:07:38 GMT

Correct, use "show mac-address". You can also list them by port or VLAN.

You can also do this using SNMP via the dot1dTpFdbTable within the Bridge MIB.

1.3.6.1.2.mib2(1).dot1dBridge(17).dot1dTp(4).dot1dTpFdbTable(3)

Re: Locating unauthorized, unmanaged hubs?

Les Ligetfalvy — Sat, 24 Sep 2005 08:25:23 GMT

IMHO, rogue device detection should be included in any decent NMS app. Even worse than unmanaged hubs/switches are when users attach wireless access points.

Re: Locating unauthorized, unmanaged hubs?

rick jones — Mon, 26 Sep 2005 11:44:29 GMT

An unmanaged hub would be, effectively, a passive device and not say anything on the network itself.

The suggestions to look for more than one MAC address at ingress to your switch ports is probably the best you can do, but keep in mind it may have false positives and false negatives.

The false positives might include single systems running virutal machines - they can have several MAC addresses.

The false negatives might include people with the hub, but only one system connected to it.

That you are getting reports of people bringing-in hubs suggests they are looking to solve problems with the current setup. You may want to go beyond finding the hubs and figure-out why people are adding the hubs in the first place and address that too.

Unless you are running with spanning tree disabled, I'm not sure what "harm" could come from folks having hubs in their offices - heck or even switches for that matter. Is there a specific concern you have with people having hubs?

Re: Locating unauthorized, unmanaged hubs?

Preston Gallwas — Mon, 26 Sep 2005 13:31:33 GMT

We're a school district, and we must enforce the policy, number one.

In addition to that, there are technical issues that arise, such as the fact that we are operating without spanning tree (which I have been a big proponent of getting it turned on, but there was an issue years ago with STP not allowing the Novell client to authenticate. I believe it was solved with portfast, or, RSTP, but I have not tested that...and its been an uphill battle getting that arena set up.), managing things with an IT department that is clearly understaffed...etc.

Re: Locating unauthorized, unmanaged hubs?

rick jones — Mon, 26 Sep 2005 13:35:16 GMT

Running without spanning tree... doubleplusungood. I guess that explains the need to be so draconian about the hubs and other devices. Interesting how it all starts to build on itself isn't it?

Re: Locating unauthorized, unmanaged hubs?

Preston Gallwas — Mon, 26 Sep 2005 13:58:20 GMT

yeah. likewise, if you have any resources for best practices of moving towards a STP implementation...I'd love to see it. We've got 65 subnets across approx 45 locations...

I'd love to study up and make a case for deploying it once i make sure out network functions with it enabled (netware client, other apps, etc)

Re: Locating unauthorized, unmanaged hubs?

rick jones — Mon, 26 Sep 2005 14:08:20 GMT

Are you trying to run a flat network across those 45 locations?

Since STP doesn't cross routers, ass-u-me-ing each separate location is one or more IP subnets, the number of locations should be a don't care for STP.

Re: Locating unauthorized, unmanaged hubs?

Preston Gallwas — Wed, 28 Sep 2005 11:44:24 GMT

27 locations are 1 IP subnet per location, (elementary schools and support sites)

6 of them have 2 IP subnets

Our high schools have between 4 and 8 subnets...

What do you mean by flat network? We're Hub-n-spoke here...

CISCO7000 --WAN -->Cisco2600-->HP ProCurve 2600 series stack

Is generally the setup for all sites

Re: Locating unauthorized, unmanaged hubs?

rick jones — Wed, 28 Sep 2005 11:50:48 GMT

one flat network would be one broadcast domain - i was guessing at that since you were asserting that enabling STP was a problem because of the number of sites involved. since STP would not cross routers, the only way the number of sites could be an issue were if you were trying to run a flat network.

so on the surface at least it would seem that enabling STP wouldn't be that big a deal?

Re: Locating unauthorized, unmanaged hubs?

Preston Gallwas — Wed, 28 Sep 2005 12:04:42 GMT

No...unless it breaks some sort of novell login...again, I believe RSTP is the fix for this.

Is implementation pretty straightforward?

Are KNOWN uplink ports the only ones we need identify? is there a way to automatically identify?

Re: Locating unauthorized, unmanaged hubs?

rick jones — Wed, 28 Sep 2005 12:08:02 GMT

this may be getting a bit beyond the scope ofthe thread - ifyou want to switch to email - rick.jones2@hp.com.

anyway, i was meaning to ask about that STP broke novell login bit - do you have details of exactly how novell login cared about spanning tree?

Re: Locating unauthorized, unmanaged hubs?

Preston Gallwas — Wed, 28 Sep 2005 12:10:59 GMT

E-mail sent, closing thread.