Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

Locating unauthorized, unmanaged hubs?

SOLVED
Go to solution
Preston Gallwas
Valued Contributor

Locating unauthorized, unmanaged hubs?

Some users on our network have apparently taken it upon themselves to bring in equipment from outside our network and hook it up. We've had reports that these hubs have been hooked up, and we're assuming their unmanaged. Is there a way to effectively locate these...parasites...remotely?
14 REPLIES
Les Ligetfalvy
Esteemed Contributor
Solution

Re: Locating unauthorized, unmanaged hubs?

You could do better. You could set MAC address security to continuous learn and kill anything with more than one MAC per port.

If you are not ready for such drastic action, you would need to query the MAC addresses of all the ports that are not ISL. Those with more than one MAC would have a hub/switch/WAP attached.
Preston Gallwas
Valued Contributor

Re: Locating unauthorized, unmanaged hubs?

Okay les, on a 2600 series running 8.53, would i just "show mac"
?

Manfred Arndt
Valued Contributor

Re: Locating unauthorized, unmanaged hubs?

Correct, use "show mac-address". You can also list them by port or VLAN.

You can also do this using SNMP via the dot1dTpFdbTable within the Bridge MIB.

1.3.6.1.2.mib2(1).dot1dBridge(17).dot1dTp(4).dot1dTpFdbTable(3)
Les Ligetfalvy
Esteemed Contributor

Re: Locating unauthorized, unmanaged hubs?

IMHO, rogue device detection should be included in any decent NMS app. Even worse than unmanaged hubs/switches are when users attach wireless access points.
rick jones
Honored Contributor

Re: Locating unauthorized, unmanaged hubs?

An unmanaged hub would be, effectively, a passive device and not say anything on the network itself.

The suggestions to look for more than one MAC address at ingress to your switch ports is probably the best you can do, but keep in mind it may have false positives and false negatives.

The false positives might include single systems running virutal machines - they can have several MAC addresses.

The false negatives might include people with the hub, but only one system connected to it.

That you are getting reports of people bringing-in hubs suggests they are looking to solve problems with the current setup. You may want to go beyond finding the hubs and figure-out why people are adding the hubs in the first place and address that too.

Unless you are running with spanning tree disabled, I'm not sure what "harm" could come from folks having hubs in their offices - heck or even switches for that matter. Is there a specific concern you have with people having hubs?
there is no rest for the wicked yet the virtuous have no pillows
Preston Gallwas
Valued Contributor

Re: Locating unauthorized, unmanaged hubs?

We're a school district, and we must enforce the policy, number one.

In addition to that, there are technical issues that arise, such as the fact that we are operating without spanning tree (which I have been a big proponent of getting it turned on, but there was an issue years ago with STP not allowing the Novell client to authenticate. I believe it was solved with portfast, or, RSTP, but I have not tested that...and its been an uphill battle getting that arena set up.), managing things with an IT department that is clearly understaffed...etc.

rick jones
Honored Contributor

Re: Locating unauthorized, unmanaged hubs?

Running without spanning tree... doubleplusungood. I guess that explains the need to be so draconian about the hubs and other devices. Interesting how it all starts to build on itself isn't it?
there is no rest for the wicked yet the virtuous have no pillows
Preston Gallwas
Valued Contributor

Re: Locating unauthorized, unmanaged hubs?

yeah. likewise, if you have any resources for best practices of moving towards a STP implementation...I'd love to see it. We've got 65 subnets across approx 45 locations...

I'd love to study up and make a case for deploying it once i make sure out network functions with it enabled (netware client, other apps, etc)
rick jones
Honored Contributor

Re: Locating unauthorized, unmanaged hubs?

Are you trying to run a flat network across those 45 locations?

Since STP doesn't cross routers, ass-u-me-ing each separate location is one or more IP subnets, the number of locations should be a don't care for STP.
there is no rest for the wicked yet the virtuous have no pillows
Preston Gallwas
Valued Contributor

Re: Locating unauthorized, unmanaged hubs?

27 locations are 1 IP subnet per location, (elementary schools and support sites)

6 of them have 2 IP subnets

Our high schools have between 4 and 8 subnets...


What do you mean by flat network? We're Hub-n-spoke here...

CISCO7000 --WAN -->Cisco2600-->HP ProCurve 2600 series stack

Is generally the setup for all sites
rick jones
Honored Contributor

Re: Locating unauthorized, unmanaged hubs?

one flat network would be one broadcast domain - i was guessing at that since you were asserting that enabling STP was a problem because of the number of sites involved. since STP would not cross routers, the only way the number of sites could be an issue were if you were trying to run a flat network.

so on the surface at least it would seem that enabling STP wouldn't be that big a deal?
there is no rest for the wicked yet the virtuous have no pillows
Preston Gallwas
Valued Contributor

Re: Locating unauthorized, unmanaged hubs?

No...unless it breaks some sort of novell login...again, I believe RSTP is the fix for this.

Is implementation pretty straightforward?

Are KNOWN uplink ports the only ones we need identify? is there a way to automatically identify?
rick jones
Honored Contributor

Re: Locating unauthorized, unmanaged hubs?

this may be getting a bit beyond the scope ofthe thread - ifyou want to switch to email - rick.jones2@hp.com.

anyway, i was meaning to ask about that STP broke novell login bit - do you have details of exactly how novell login cared about spanning tree?
there is no rest for the wicked yet the virtuous have no pillows
Preston Gallwas
Valued Contributor

Re: Locating unauthorized, unmanaged hubs?

E-mail sent, closing thread.