Switches, Hubs, and Modems

Rogue Switches

Joe Jones_2
Occasional Contributor

Hello,

I was wondering what everyone else was doing to fight the battle of employees or contractors bringing in their own switches and hooking them up to the network.

Thanks
Shit happens get over it
4 REPLIES
Matt Hobbs
Honored Contributor

Re: Rogue Switches

With your good ProCurve switches you can enable port-security to continuously learn only 1 MAC address per port and send an SNMP trap if this limit is exceeded. This will only really work for switches though, and not NAT devices that hide everything behind the one IP and MAC address.

Your best option is 802.1X, but it's not so simple to implement.
Mohieddin Kharnoub
Honored Contributor

Re: Rogue Switches

Hi

I agree with Matt, Port Security is your best solution with one MAC address that can be learned dynamically.

802.1x can also help, but it's not meant for that purpose.

Deploying port security is easy:
http://cdn.procurve.com/training/Manuals/3500-5400-6200-8200-ASG-Jan08-14-PortSecurity.pdf

Good Luck !!!
Science for Everyone
Joe Jones_2
Occasional Contributor

Re: Rogue Switches

Thanks guys! I will try that!
Shit happens get over it
Case Van Horsen
Frequent Advisor

Re: Rogue Switches

Be aware that enabling port-security to limit the number of MAC addresses that a port can learn also enables eavesdrop protection. With eavesdrop protection enabled, the switch will not broadcast unknown unicast packets to all ports on the switch. Instead, unicast packets with an unknown destination are dropped. This breaks the standard process by which switches learn MAC addresses.

Port security requires support for DHCP snooping or some other mechanism for the switch to learn MAC addresses.

It will seem to work most of the time, but there will be intermittent problems that are difficult to troubleshoot. You can try to mask the issue by changing timers, but you can't guarantee a fix.

In my opinion, limiting the number of MAC addresses on a port should be kept separate from eavesdrop protection.

casevh
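A toy model of the mechanism discussed in this thread, added here as an illustration (it is not code from the forum or from HP): a port that learns at most one MAC address and raises an alert on the second, which is what an unmanaged switch hanging off an access port looks like, plus the eavesdrop-protection behaviour Case describes, where unknown-destination unicast is dropped instead of flooded. The frame layout, MAC addresses and alert text are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    in_port: int   # port the frame arrived on

@dataclass
class Switch:
    max_macs: int = 1                  # addresses each port may learn (address-limit 1)
    eavesdrop_protection: bool = True  # on: unknown-destination unicast is dropped, not flooded
    mac_table: dict = field(default_factory=dict)  # MAC -> port
    learned: dict = field(default_factory=dict)    # port -> set of learned MACs
    alerts: list = field(default_factory=list)     # stands in for the SNMP trap

    def receive(self, f: Frame) -> str:
        """Learn the source address (subject to the per-port limit), then
        forward the frame; the return value says what happened to it."""
        seen = self.learned.setdefault(f.in_port, set())
        if f.src not in seen:
            if len(seen) >= self.max_macs:
                # A second source MAC on an access port is the signature of an
                # unmanaged switch or hub plugged into that port.
                self.alerts.append(f"port {f.in_port}: address limit exceeded by {f.src}")
                return "dropped:violation"
            seen.add(f.src)
            self.mac_table[f.src] = f.in_port
        if f.dst == BROADCAST:
            return "flooded"
        if f.dst in self.mac_table:
            return f"forwarded:port{self.mac_table[f.dst]}"
        # Unknown unicast: a plain switch floods it; eavesdrop protection drops it.
        return "dropped:unknown-unicast" if self.eavesdrop_protection else "flooded"

def demo(eavesdrop: bool) -> tuple:
    """Constructed traffic: a PC on port 1, a server on port 2, then a second
    device appearing behind port 1 (the rogue-switch case)."""
    sw = Switch(eavesdrop_protection=eavesdrop)
    pc, srv, rogue = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc"
    results = [
        sw.receive(Frame(pc, srv, 1)),     # server not yet learned: dropped or flooded
        sw.receive(Frame(srv, pc, 2)),     # server learned; PC is known -> forwarded:port1
        sw.receive(Frame(pc, srv, 1)),     # both known -> forwarded:port2
        sw.receive(Frame(rogue, srv, 1)),  # second MAC on port 1 -> violation + alert
    ]
    return results, sw.alerts
```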