Well, that's practically a "layer 8" problem. Does your organization have a security policy that spells out to users that no - you cannot attach a hub to your port?
If it's not forbidden then why restrict it? You speak of administrative burden; once the troops figure out what you've done, will they have recourse to a manager that can order you to let them have their hub?

As is often asked here, what problem are you trying to solve? If users need more connectivity can they get it? Do you need to be looking at putting in more switches/ports?

I have used port security and it works but we have a security policy that spells out - no hubs.

Kevin Wigle

----- Original Message -----
From: "John Zaggat"
To:
Sent: Saturday, October 05, 2002 11:30 PM
Subject: Re: How to restrict hubs in a LAN [7:54937]

> Thanks guys, that's pretty good information, but do you think in your opinion is that a good approach to deal with this problem? Do you see any caveats and are there any other ways this can be dealt with?
>
> "Kevin Wigle" wrote in message news:[EMAIL PROTECTED]...
> > take a look into Port Security.
> >
> > http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html
> >
> > In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.
> >
> > Kevin Wigle
> >
> > ----- Original Message -----
> > From: "John Zaggat"
> > To:
> > Sent: Saturday, October 05, 2002 5:01 PM
> > Subject: How to restrict hubs in a LAN [7:54937]
> >
> > > I am just trying to think of how to restrict Hubs from being used in the LAN. Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally these ports that the hubs are connected to show several mac addresses when I do "show cam", which gives me an idea: is there any way to restrict host ports to only accept one mac-address? I don't want to hardcode the mac-address because that would be too much of an administrative burden. But if I could restrict the port to accept just one mac-address then that will make these hubs useless. Well anyways let me know if I am way off here, but are there any other tricks in use by any of you guys? I'll appreciate any pointers.
> > > JZ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54951&t=54937
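
An added example, not part of the original thread: a short Python script that applies the observation from the original question (ports with a hub behind them show several MAC addresses in "show cam") to list the ports a one-MAC port-security limit would trip before the limit is enabled. The CAM listing is constructed sample data, its column layout is an assumption to adjust to your switch's output, and the function names and the uplink allowlist are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample laid out like a "show cam" listing (assumed layout, not from the thread).
SAMPLE_CAM = """\
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
10    00-10-7b-3a-5c-11             3/1 [ALL]
10    00-d0-b7-22-19-04             3/2 [ALL]
10    00-d0-b7-22-19-a8             3/2 [ALL]
10    00-50-04-6e-01-9c             3/2 [ALL]
20    00-01-02-aa-bb-cc             3/3 [ALL]
10    00-e0-1e-11-22-33             1/1 [ALL]
20    00-e0-1e-44-55-66             1/1 [ALL]
Total Matching CAM Entries Displayed = 7
"""

# VLAN, MAC, optional CoS column, then module/port. Header and total lines do not match.
ENTRY = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+"
    r"(?:\S+\s+)?(?P<port>\d+/\d+)",
    re.IGNORECASE,
)


def macs_per_port(cam_text):
    """Map each module/port to the set of MAC addresses learned on it."""
    ports = defaultdict(set)
    for line in cam_text.splitlines():
        m = ENTRY.match(line)
        if m:
            ports[m.group("port")].add(m.group("mac").lower())
    return ports


def suspected_hub_ports(cam_text, max_macs=1, uplinks=()):
    """Ports that learned more MACs than the limit, skipping known uplinks/trunks."""
    return {
        port: sorted(macs)
        for port, macs in macs_per_port(cam_text).items()
        if len(macs) > max_macs and port not in uplinks
    }


if __name__ == "__main__":
    # 1/1 is treated as an uplink here: it legitimately carries many MACs.
    for port, macs in sorted(suspected_hub_ports(SAMPLE_CAM, uplinks={"1/1"}).items()):
        print(f"{port}: {len(macs)} MACs -> {', '.join(macs)}")
```

Uplink and trunk ports always learn many addresses, so they must be excluded both from this report and from any one-MAC limit.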