Re: How to restrict hubs in a LAN [7:54937]
Thanks for the details, Chuck. The number of MAC addresses that a switch can learn can indeed be an issue, although the number tends to be pretty big these days. It's helpful to know that the actual number depends on features that are enabled, amount of memory, etc.

It's worth giving some thought to what happens if a switch can't remember all the addresses that it sees... Thought. Thought. and doesn't store all the addresses in a bridging table that says which port to use Thought. Thought. The switch floods! When frames arrive with a destination MAC address that is not in the bridging table, the switch must flood the packet out all interfaces. Needless to say, this wastes bandwidth.

Here's a story from Troubleshooting Campus Networks:

One of the authors was called in to troubleshoot a hospital campus network consisting of several buildings, star-connected back to a central data center. Each remote building had an edge switch with a fiber connection back to the data center. In the data center it was found that entire bidirectional conversations between clients in remote buildings and servers in the same remote building were visible on the data center backbone. At first it was thought that the forwarding path between a client and server was extending through the data center somehow, which was not the intent of the network design. Upon further analysis, it was discovered that the switches used in the remote buildings only supported 256 MAC addresses in the bridging tables. Consequently, with over 500 users in each remote building, it was common for many addresses to become unknown. The recommendation was made to replace the remote building switches with ones having greater capacity, thereby eliminating the unnecessary traffic on the data center backbone.

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

Chuck's Long Road wrote:

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
Daren Presbitero wrote:

Isn't there a limitation on the number of MACs that a port will handle?

Probably, but I bet the number is way bigger than he needs to worry about. There's probably a max number of addresses for generic learning purposes

CL: in case anyone is interested, the max number of MACs supported on any of the Cisco switches is fluid, depending on other features turned on, amount of memory, etc. The 3550 documentation states that depending upon the SDM template that is active, one may have anywhere from 2,000 to 12,000 unicast MACs in the CAM table. I am assuming this means that if you have lots of hubs and switches daisy chained down the line, the MACs of end stations will show up in the root switch CAM. Obviously, if all you have are end stations in a single switch, that number is smaller.

CL: this does bring up a good point about size (number of devices - servers, PCs, and other switches) in a bridged network.

and a max number related to port security, which appears to be 132 from an earlier post. There's also the issue of how many MACs can eat up all of the available 100 Mbps, but once again, that's the user's problem.

Won't hubs share all those macs with each port, and possibly cause the max limit to be reached?

All the MAC addresses behind the hub will be visible to all the switched ports. Is that what you're getting at? It's a good point. The learning process will need to know about all the MACs. But the max number of MAC addresses that a switch can learn is large and not something he needs to worry about.

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 07, 2002 8:20 AM
To: [EMAIL PROTECTED]
Subject: Re: How to restrict hubs in a LAN [7:54937]

David j wrote:

See inline..

Chuck's Long Road wrote:

as much of a rulemeister as I am, I still have to look at this from the user standpoint.
Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? What is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? If the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues?

I see one issue: collisions. If you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first one using them. Co
Re: How to restrict hubs in a LAN [7:54937]
David j wrote:

See inline..

Chuck's Long Road wrote:

as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? What is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? If the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues?

I see one issue: collisions. If you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first one using them.

Collisions are only a problem for the hubbed network that the user made for him/herself. The switched network is isolated from the collisions (with the exception of the one switch port that connects the user's hub). I say, let 'em do it! What's the harm? Don't you have way more bandwidth than you need anyway?? ;-) A lot of companies do. Reference the discussion of Cisco stock. Nobody's buying, because, guess what, we don't need it!??

Tech support is an issue, though, of course, for example, the user that is clueful enough to know he/she needs a hub but not clueful enough to select the right cable (x-over versus s/t) and duplex mode.

Well a hub should default to half, but a lot of devices that are marketed as hubs are really switches or bridges.

But could you say they aren't supported rather than outright disallowing them? Is there a compromise somewhere??

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill?
In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy.

I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access.

John Zaggat wrote in message news:[EMAIL PROTECTED]...

Thanks guys that's pretty good information, but do you think in your opinion is that a good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with.

Kevin Wigle wrote in message news:[EMAIL PROTECTED]...

take a look into Port Security.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html

In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.

Kevin Wigle

- Original Message -
From: John Zaggat
To:
Sent: Saturday, October 05, 2002 5:01 PM
Subject: How to restrict hubs in a LAN [7:54937]

I am just trying to think of how to restrict hubs from being used in the LAN. Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally these ports that the hubs are connected to show several MAC addresses when I do show cam, which gives me an idea: is there any way to restrict host ports to only accept one MAC address?
I don't want to hardcode the MAC address because that would be too much of an administrative burden. But if I could restrict the port to accept just one MAC address then that will make these hubs useless. Well anyway, let me know if I am way off here but are there any other tricks in use by any of you guys. I'll appreciate any pointers.

JZ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55028t=54937
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to
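JohnZ's own clue (hub ports show several MAC addresses in the CAM table) plus Kevin's port-security pointer, as an added example that is not part of the thread: a script that parses "show mac address-table dynamic" output, flags access ports that have learned more than one source MAC, and emits a port-security stanza for them. Sticky learning records the first address the port sees into the configuration, so nothing has to be hardcoded by hand, which was JohnZ's objection. The sample table output is constructed, and the command syntax is Cisco IOS (`switchport port-security ...`); the CatOS switches behind Kevin's link use `set port security` with the same maximum/violation concepts.

```python
"""Added example, not from the thread: find access ports learning more than one
MAC (the "show cam shows several MACs" symptom) and generate IOS port-security
config for them. SAMPLE_MAC_TABLE is constructed, not a real capture, and the
IOS-style table layout and command syntax are assumptions."""
import re
from collections import defaultdict

# Constructed sample: Fa0/2 has a hub behind it; Gi0/1 is the uplink to the
# rest of the campus and legitimately sees many MACs.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0001.0203.0401    DYNAMIC     Fa0/1
  10    0001.0203.0402    DYNAMIC     Fa0/2
  10    0001.0203.0403    DYNAMIC     Fa0/2
  10    0001.0203.0404    DYNAMIC     Fa0/2
  10    0001.0203.0405    DYNAMIC     Fa0/3
  10    0001.0203.0407    DYNAMIC     Gi0/1
  20    0001.0203.0408    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 7
"""

# One table row: VLAN, dotted-hex MAC, entry type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def parse_mac_table(text):
    """Map each port to the set of dynamically learned MACs seen on it."""
    macs_by_port = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).upper() == "DYNAMIC":
            _vlan, mac, _type, port = m.groups()
            macs_by_port[port].add(mac.lower())
    return dict(macs_by_port)


def suspect_ports(macs_by_port, uplinks=(), limit=1):
    """Ports learning more than `limit` MACs, ignoring known uplinks/trunks,
    which must never be given a one-address limit."""
    return sorted(port for port, macs in macs_by_port.items()
                  if port not in uplinks and len(macs) > limit)


def port_security_config(ports, maximum=1, violation="restrict"):
    """IOS port-security stanza for each port. 'restrict' keeps the port up and
    drops frames from any MAC beyond the maximum (the restrictive mode Kevin
    quotes); 'shutdown' err-disables the port instead. Sticky learning writes
    the first learned MAC into the running config."""
    if violation not in ("protect", "restrict", "shutdown"):
        raise ValueError("violation must be protect, restrict or shutdown")
    lines = []
    for port in ports:
        lines += [
            f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            f" switchport port-security maximum {maximum}",
            f" switchport port-security violation {violation}",
            " switchport port-security mac-address sticky",
            "!",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    hubs = suspect_ports(table, uplinks=("Gi0/1",))
    print("ports with more than one MAC:", hubs)
    print(port_security_config(hubs))
```

Two practical caveats. First, the uplink exclusion is not optional: a one-address limit on a trunk or on the port toward another wiring-closet switch takes that link down. Second, ports with legitimate multi-MAC devices (an IP phone with a PC behind it, a host running virtual machines) need a higher maximum, so review the suspect list before pushing the stanza rather than applying it to every port that shows more than one address.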
Re: How to restrict hubs in a LAN [7:54937]
Erick B. wrote in message news:[EMAIL PROTECTED]...

Greg, Windows XP does this by default in some situations.

Talk about giving the users enough rope to hang themselves! ;-) I guess Microsoft does that as much as Cisco does.

One final comment on the idea of giving the users a low-end switch. The comment also applies to the XP machine becoming a bridge. You will want to have good control of which switch in your campus network becomes the root, using the various Cisco features like root guard, etc. This could make for a great troubleshooting exercise. Have a low-end user's Windows XP machine become the root of a large campus network and see what happens!?

Anyway, please keep us posted if you can, John. It will be informative for us all to learn how you work this out, even if the major issues are L8 and not the more technical lower layers. Thanks.

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

If you have a PC with an Ethernet NIC and firewire adapter, it will bridge the 2 interfaces together and create a logical L3 interface that the protocols are bound to, all by default.

--- Greg Reaume wrote:

John,

If Windows XP is bridging two NICs it actually runs spanning-tree. It is a very nice feature for L1 redundancy. Though in your scenario I don't really see why they think that's necessary. I'm planning to use this functionality in the upcoming Windows .NET server to multihome all my servers, as long as it supports the concept of a loopback or virtual interface for L3 connectivity, to two different switches to protect against 48 servers failing because a switch burns out. I just wish MS had an add-on for Windows 2K Server with this functionality so I don't have to wait.
Check out these links:

http://www.microsoft.com/WindowsXP/pro/techinfo/administration/homenetbridge/default.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0102.asp

Correct me if I'm wrong but, from what I gather in your previous postings, loops seem to be your main concern. You say that it may very well be justified that these users need up to 5 PCs in their cube, or that you don't really want to get into that fight (whichever way you want to put it). You also say that it is very hard to run new drops. Why don't you take the approach of supporting them then, and instead of going through the work of running new drops, provide them with a small switch that runs spanning-tree. A 1548M (8-port desktop chassis) would do nicely for around $1K list. It allows for up to 4 local VLANs so the techs can do whatever they want on their own little switch. It also runs CDP so you can keep track of where they are through management tools like CiscoWorks, etc. If they want to clog up their link to the rest of the network with 5 PCs doing whatever, why not let them (as long as they do it safely)?

Check here for more info on the 1548M: http://www.cisco.com/en/US/products/hw/switches/ps211/index.html

HTH
Greg Reaume

JohnZ wrote in message news:[EMAIL PROTECTED]...

Well, when I wrote the original post I knew I would have these questions. Basically the first layer of support, or help desk if you will, have more PCs than the drops in their cubes. This is an old building not meant for an IS staff so there is some frustration on their part. I am not going to question if there is a legit need for folks to have 5 PCs when there is in fact a separate staging area to set up and test PCs for users. Anyway, they know enough to be dangerous and there is no standard on hubs and I have seen where folks have created loops.
Now with Windows XP I have seen some configs where 2 NICs have been bridged via software, I am not sure with what intent. Although it's been made clear many times not to use hubs, this is never enforced and I did not want to spend my time daily trying to hunt down the lawless. So that's when I thought if I could config the switch this will discourage the hub usage or bridging within PCs. I hope that answers most of the questions here.

David j wrote in message news:[EMAIL PROTECTED]...

See inline..

Chuck's Long Road wrote:

as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? What is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? If the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you
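Priscilla's point about a user's Windows XP bridge becoming the root of the campus, as an added example that is not part of the thread: 802.1D elects the root by the numerically lowest bridge ID, which is the priority field first and the MAC address only as a tie-breaker. With every device left at the default priority of 32768, an XP bridge or a desktop 1548M with a lower MAC than the core switch wins the election. The block models that election and what an access port does with the PC's BPDUs under root guard (which Priscilla names) and under BPDU guard, a related Cisco feature I add here for comparison. Priorities and MAC addresses are constructed.

```python
"""Added example, not from the thread: 802.1D root election by bridge ID, and
the reaction of an access port to BPDUs from a user's PC bridge (e.g. Windows
XP bridging two NICs) with and without root guard / BPDU guard. Bridge
priorities and MAC addresses are constructed."""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768   # 802.1D default on switches and on the XP bridge


@dataclass(frozen=True)
class BridgeId:
    priority: int
    mac: str

    def key(self):
        # Bridge ID compares priority first, then MAC address; lower wins.
        return (self.priority, int(self.mac.replace(":", ""), 16))

    def __lt__(self, other):
        return self.key() < other.key()


def elect_root(bridges):
    """The bridge with the numerically lowest bridge ID becomes the root."""
    return min(bridges)


def access_port_reaction(current_root, bpdu_root, root_guard=False, bpdu_guard=False):
    """What an access port does when a BPDU claiming `bpdu_root` as root arrives.
    bpdu_guard: any BPDU at all err-disables the port (meant for PortFast edge
      ports, where no bridge should ever be attached);
    root_guard: a BPDU superior to the current root puts the port into the
      root-inconsistent (blocked) state until the superior BPDUs stop, while
      inferior BPDUs are still processed normally;
    neither: a superior BPDU is accepted and the sender becomes root."""
    if bpdu_guard:
        return "err-disabled"
    if bpdu_root < current_root:
        return "root-inconsistent" if root_guard else "superior-bpdu-accepted"
    return "forwarding"


if __name__ == "__main__":
    core = BridgeId(DEFAULT_PRIORITY, "00:d0:ba:00:00:01")
    pc = BridgeId(DEFAULT_PRIORITY, "00:0c:29:00:00:01")   # lower MAC than the core
    print("root with default priorities:", elect_root([core, pc]))
    core_fixed = BridgeId(4096, "00:d0:ba:00:00:01")
    print("root with core priority 4096:", elect_root([core_fixed, pc]))
    print("PC BPDU on access port, root guard:",
          access_port_reaction(core, pc, root_guard=True))
    print("PC BPDU on access port, BPDU guard:",
          access_port_reaction(core, pc, bpdu_guard=True))
```

The two guards solve different problems: lowering the core's priority and enabling root guard keeps the PC from ever becoming root, but the PC still participates in spanning tree on that port; BPDU guard shuts the port the moment any BPDU appears, which is the behaviour that actually discourages user-side bridging, at the cost of err-disabling a port the help desk then has to ask about.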
RE: How to restrict hubs in a LAN [7:54937]
Isn't there a limitation on the number of MACs that a port will handle? Won't hubs share all those macs with each port, and possibly cause the max limit to be reached?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 07, 2002 8:20 AM
To: [EMAIL PROTECTED]
Subject: Re: How to restrict hubs in a LAN [7:54937]

David j wrote:

See inline..

Chuck's Long Road wrote:

as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? What is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? If the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues?

I see one issue: collisions. If you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first one using them.

Collisions are only a problem for the hubbed network that the user made for him/herself. The switched network is isolated from the collisions (with the exception of the one switch port that connects the user's hub). I say, let 'em do it! What's the harm? Don't you have way more bandwidth than you need anyway?? ;-) A lot of companies do. Reference the discussion of Cisco stock. Nobody's buying, because, guess what, we don't need it!??

Tech support is an issue, though, of course, for example, the user that is clueful enough to know he/she needs a hub but not clueful enough to select the right cable (x-over versus s/t) and duplex mode.

Well a hub should default to half, but a lot of devices that are marketed as hubs are really switches or bridges.

But could you say they aren't supported rather than outright disallowing them?
Is there a compromise somewhere??

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill?

In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy.

I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access.

John Zaggat wrote in message news:[EMAIL PROTECTED]...

Thanks guys that's pretty good information, but do you think in your opinion is that a good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with.

Kevin Wigle wrote in message news:[EMAIL PROTECTED]...

take a look into Port Security.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html

In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.

Kevin Wigle

- Original Message -
From: John Zaggat
To:
Sent: Saturday, October 05, 2002 5:01 PM
Subject: How to restrict hubs in a LAN [7:54937]

I am just trying to think of how to restrict hubs from being used in the LAN.
Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally these ports that the hubs are connected to show several MAC addresses when I do show cam, which gives me an idea: is there any way to restrict host ports to only accept one MAC address? I don't want to hardcode the MAC address because that would be too much of an administrative burden. But if I could restrict the port to accept just one MAC address then that will make these hubs useless. Well anyway, let me know if I am way off here but are there any
RE: How to restrict hubs in a LAN [7:54937]
Daren Presbitero wrote:

Isn't there a limitation on the number of MACs that a port will handle?

Probably, but I bet the number is way bigger than he needs to worry about. There's probably a max number of addresses for generic learning purposes and a max number related to port security, which appears to be 132 from an earlier post. There's also the issue of how many MACs can eat up all of the available 100 Mbps, but once again, that's the user's problem.

Won't hubs share all those macs with each port, and possibly cause the max limit to be reached?

All the MAC addresses behind the hub will be visible to all the switched ports. Is that what you're getting at? It's a good point. The learning process will need to know about all the MACs. But the max number of MAC addresses that a switch can learn is large and not something he needs to worry about.

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 07, 2002 8:20 AM
To: [EMAIL PROTECTED]
Subject: Re: How to restrict hubs in a LAN [7:54937]

David j wrote:

See inline..

Chuck's Long Road wrote:

as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? What is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? If the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues?

I see one issue: collisions. If you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first one using them.
Collisions are only a problem for the hubbed network that the user made for him/herself. The switched network is isolated from the collisions (with the exception of the one switch port that connects the user's hub). I say, let 'em do it! What's the harm? Don't you have way more bandwidth than you need anyway?? ;-) A lot of companies do. Reference the discussion of Cisco stock. Nobody's buying, because, guess what, we don't need it!??

Tech support is an issue, though, of course, for example, the user that is clueful enough to know he/she needs a hub but not clueful enough to select the right cable (x-over versus s/t) and duplex mode.

Well a hub should default to half, but a lot of devices that are marketed as hubs are really switches or bridges.

But could you say they aren't supported rather than outright disallowing them? Is there a compromise somewhere??

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill?

In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy.

I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access.

John Zaggat wrote in message news:[EMAIL PROTECTED]...

Thanks guys that's pretty good information, but do you think in your opinion is that a good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with.

Kevin Wigle wrote in message news:[EMAIL PROTECTED]...

take a look into Port Security.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html

In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.

Kevin Wigle

- Original Message -
F
Re: How to restrict hubs in a LAN [7:54937]
Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...

Daren Presbitero wrote:

Isn't there a limitation on the number of MACs that a port will handle?

Probably, but I bet the number is way bigger than he needs to worry about. There's probably a max number of addresses for generic learning purposes

CL: in case anyone is interested, the max number of MACs supported on any of the Cisco switches is fluid, depending on other features turned on, amount of memory, etc. The 3550 documentation states that depending upon the SDM template that is active, one may have anywhere from 2,000 to 12,000 unicast MACs in the CAM table. I am assuming this means that if you have lots of hubs and switches daisy chained down the line, the MACs of end stations will show up in the root switch CAM. Obviously, if all you have are end stations in a single switch, that number is smaller.

CL: this does bring up a good point about size (number of devices - servers, PCs, and other switches) in a bridged network.

and a max number related to port security, which appears to be 132 from an earlier post. There's also the issue of how many MACs can eat up all of the available 100 Mbps, but once again, that's the user's problem.

Won't hubs share all those macs with each port, and possibly cause the max limit to be reached?

All the MAC addresses behind the hub will be visible to all the switched ports. Is that what you're getting at? It's a good point. The learning process will need to know about all the MACs. But the max number of MAC addresses that a switch can learn is large and not something he needs to worry about.

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 07, 2002 8:20 AM
To: [EMAIL PROTECTED]
Subject: Re: How to restrict hubs in a LAN [7:54937]

David j wrote:

See inline..
Chuck's Long Road wrote:

as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? What is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? If the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues?

I see one issue: collisions. If you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first one using them.

Collisions are only a problem for the hubbed network that the user made for him/herself. The switched network is isolated from the collisions (with the exception of the one switch port that connects the user's hub). I say, let 'em do it! What's the harm? Don't you have way more bandwidth than you need anyway?? ;-) A lot of companies do. Reference the discussion of Cisco stock. Nobody's buying, because, guess what, we don't need it!??

Tech support is an issue, though, of course, for example, the user that is clueful enough to know he/she needs a hub but not clueful enough to select the right cable (x-over versus s/t) and duplex mode.

Well a hub should default to half, but a lot of devices that are marketed as hubs are really switches or bridges.

But could you say they aren't supported rather than outright disallowing them? Is there a compromise somewhere??

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill?
In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy.

I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access.

John Zaggat wrote in message news:[EMAIL PROTECTED]...

Thanks guys that's pretty good information, but do you think in your opinion is that a good approach to deal with this problem. Do you see any caveats and are ther
Re: How to restrict hubs in a LAN [7:54937]
See inline..

Chuck's Long Road wrote:

as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? What is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? If the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues?

I see one issue: collisions. If you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first one using them.

when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill?

In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy.

I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access.

John Zaggat wrote in message news:[EMAIL PROTECTED]...

Thanks guys that's pretty good information, but do you think in your opinion is that a good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with.

Kevin Wigle wrote in message news:[EMAIL PROTECTED]...

take a look into Port Security.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html

In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.

Kevin Wigle

- Original Message -
From: John Zaggat
To:
Sent: Saturday, October 05, 2002 5:01 PM
Subject: How to restrict hubs in a LAN [7:54937]

I am just trying to think of how to restrict hubs from being used in the LAN. Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally these ports that the hubs are connected to show several MAC addresses when I do show cam, which gives me an idea: is there any way to restrict host ports to only accept one MAC address? I don't want to hardcode the MAC address because that would be too much of an administrative burden. But if I could restrict the port to accept just one MAC address then that will make these hubs useless. Well anyway, let me know if I am way off here but are there any other tricks in use by any of you guys. I'll appreciate any pointers.

JZ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54954t=54937
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: How to restrict hubs in a LAN [7:54937]
Well, when I wrote the original post I knew I would have these questions. Basically the first layer of support, or help desk if you will, have more PCs than the drops in their cubes. This is an old building not meant for an IS staff so there is some frustration on their part. I am not going to question if there is a legit need for folks to have 5 PCs when there is in fact a separate staging area to set up and test PCs for users. Anyway, they know enough to be dangerous and there is no standard on hubs and I have seen where folks have created loops. Now with Windows XP I have seen some configs where 2 NICs have been bridged via software, I am not sure with what intent. Although it's been made clear many times not to use hubs, this is never enforced and I did not want to spend my time daily trying to hunt down the lawless. So that's when I thought if I could config the switch this will discourage the hub usage or bridging within PCs. I hope that answers most of the questions here.

David j wrote in message news:[EMAIL PROTECTED]...

See inline..

Chuck's Long Road wrote:

as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? What is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? If the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues?

I see one issue: collisions. If you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first one using them.

when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around?
management does not respect your input or concerns? something bad is happening, and it's rolling downhill? In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot papers before being allowed to use a PC, so in that environments this could perfectly be part of the policy. I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access. John Zaggat wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Thanks guys that's pretty good information, but do you think in your opinion is that good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with. Kevin Wigle wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... take a look into Port Security. http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration _guide_chapter09186a008007f2dd.html In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts. Kevin Wigle - Original Message - From: John Zaggat To: Sent: Saturday, October 05, 2002 5:01 PM Subject: How to restrict hubs in a LAN [7:54937] I am just trying to think of how to restrict Hubs from being used in the LAN. Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will where ever they want. So I was trying to think of a way to stop that within the switch. 
Now normally these ports that the hubs are connected to show several mac addresses when I do show cam which gives me an idea is there any way to restrict host ports to only accept one mac-address. I don't want to hardcode the mac-address because that would be too much a administrative burden. But if I could restrict the port to accept just one mac-address then that will make these hubs useless. Well anyways let me know if I am way off here but are there any other tricks in use by any of you guys. I'll appreciate any pointers. JZ Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54956t=54937 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report
Re: How to restrict hubs in a LAN [7:54937]
By default a port can learn 132 MAC addresses on most switches. This can be restricted by the Port Secure Max-mac-count (1-132) command. If this is set to 1 it will not accept any additional MACs on the port.

From: JohnZ
Reply-To: JohnZ
To: [EMAIL PROTECTED]
Subject: Re: How to restrict hubs in a LAN [7:54937]
Date: Sun, 6 Oct 2002 06:52:05 GMT

> Well, when I wrote the original post I knew I would have these questions. Basically the first layer of support, or help desk if you will, have more PCs than the drops in their cubes. This is an old building not meant for an IS staff, so there is some frustration on their part. I am not going to question if there is a legit need for folks to have 5 PCs when there is in fact a separate staging area to set up and test PCs for users. Anyway, they know enough to be dangerous, there is no standard on hubs, and I have seen where folks have created loops. Now with Windows XP I have seen some configs where 2 NICs have been bridged via software, I am not sure with what intent. Although it's been made clear many times not to use hubs, this is never enforced, and I did not want to spend my time daily trying to hunt down the lawless. So that's when I thought that if I could config the switch, this would discourage the hub usage or bridging within PCs. I hope that answers most of the questions here.
Re: How to restrict hubs in a LAN [7:54937]
John,

If Windows XP is bridging two NICs it actually runs spanning-tree. It is a very nice feature for L1 redundancy, though in your scenario I don't really see why they think that's necessary. I'm planning to use this functionality in the upcoming Windows .NET Server to multihome all my servers, as long as it supports the concept of a loopback or virtual interface for L3 connectivity, to two different switches to protect against 48 servers failing because a switch burns out. I just wish MS had an add-on for Windows 2000 Server with this functionality so I don't have to wait. Check out these links:

http://www.microsoft.com/WindowsXP/pro/techinfo/administration/homenetbridge/default.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0102.asp

Correct me if I'm wrong, but from what I gather in your previous postings, loops seem to be your main concern. You say that it may very well be justified that these users need up to 5 PCs in their cube, or that you don't really want to get into that fight (whichever way you want to put it). You also say that it is very hard to run new drops. Why don't you take the approach of supporting them then, and instead of going through the work of running new drops, provide them with a small switch that runs spanning-tree? A 1548M (8-port desktop chassis) would do nicely for around $1K list. It allows for up to 4 local VLANs so the techs can do whatever they want on their own little switch. It also runs CDP, so you can keep track of where they are through management tools like CiscoWorks, etc. If they want to clog up their link to the rest of the network with 5 PCs doing whatever, why not let them (as long as they do it safely)? Check here for more info on the 1548M:

http://www.cisco.com/en/US/products/hw/switches/ps211/index.html

HTH
Greg Reaume

JohnZ wrote in message news:[EMAIL PROTECTED]...

> Well, when I wrote the original post I knew I would have these questions. Basically the first layer of support, or help desk if you will, have more PCs than the drops in their cubes. This is an old building not meant for an IS staff, so there is some frustration on their part. I am not going to question if there is a legit need for folks to have 5 PCs when there is in fact a separate staging area to set up and test PCs for users. Anyway, they know enough to be dangerous, there is no standard on hubs, and I have seen where folks have created loops. Now with Windows XP I have seen some configs where 2 NICs have been bridged via software, I am not sure with what intent. Although it's been made clear many times not to use hubs, this is never enforced, and I did not want to spend my time daily trying to hunt down the lawless. So that's when I thought that if I could config the switch, this would discourage the hub usage or bridging within PCs. I hope that answers most of the questions here.
Re: How to restrict hubs in a LAN [7:54937]
Greg,

Windows XP does this by default in some situations. If you have a PC with an Ethernet NIC and a FireWire adapter, it will bridge the 2 interfaces together and create a logical L3 interface that the protocols are bound to, all by default.

--- Greg Reaume wrote:

> John,
>
> If Windows XP is bridging two NICs it actually runs spanning-tree. It is a very nice feature for L1 redundancy, though in your scenario I don't really see why they think that's necessary. I'm planning to use this functionality in the upcoming Windows .NET Server to multihome all my servers, as long as it supports the concept of a loopback or virtual interface for L3 connectivity, to two different switches to protect against 48 servers failing because a switch burns out. I just wish MS had an add-on for Windows 2000 Server with this functionality so I don't have to wait. Check out these links:
>
> http://www.microsoft.com/WindowsXP/pro/techinfo/administration/homenetbridge/default.asp
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0102.asp
>
> Correct me if I'm wrong, but from what I gather in your previous postings, loops seem to be your main concern. You say that it may very well be justified that these users need up to 5 PCs in their cube, or that you don't really want to get into that fight (whichever way you want to put it). You also say that it is very hard to run new drops. Why don't you take the approach of supporting them then, and instead of going through the work of running new drops, provide them with a small switch that runs spanning-tree? A 1548M (8-port desktop chassis) would do nicely for around $1K list. It allows for up to 4 local VLANs so the techs can do whatever they want on their own little switch. It also runs CDP, so you can keep track of where they are through management tools like CiscoWorks, etc. If they want to clog up their link to the rest of the network with 5 PCs doing whatever, why not let them (as long as they do it safely)? Check here for more info on the 1548M:
>
> http://www.cisco.com/en/US/products/hw/switches/ps211/index.html
>
> HTH
> Greg Reaume
Re: How to restrict hubs in a LAN [7:54937]
Great! Just what I needed. Thanks for the clarification. Now that I think about it, the ability to set TCP/IP properties on the 'Network Bridge' item is a dead giveaway. :)

Greg Reaume

Erick B. wrote in message news:[EMAIL PROTECTED]...

> Greg,
>
> Windows XP does this by default in some situations. If you have a PC with an Ethernet NIC and a FireWire adapter, it will bridge the 2 interfaces together and create a logical L3 interface that the protocols are bound to, all by default.
Re: How to restrict hubs in a LAN [7:54937]
Thanks for all the advice. I will try to work this with the managers and see what we can come up with. As I said before, this is a political mess because there are too many chiefs and too few Indians, and unfortunately I don't have power in the final decisions, which is why things are not optimum. This was a good discussion and I will use your suggestions. Thank you all for your time.

Greg Reaume wrote in message news:[EMAIL PROTECTED]...

> Great! Just what I needed. Thanks for the clarification. Now that I think about it, the ability to set TCP/IP properties on the 'Network Bridge' item is a dead giveaway. :)
>
> Greg Reaume
RE: How to restrict hubs in a LAN [7:54937]
John,

You can enable port security on the switch ports to only allow a specific number of MACs. See below:

LILO#config t
Enter configuration commands, one per line.  End with CNTL/Z.
LILO(config)#int fa0/1
LILO(config-if)#port ?
  block          Forwarding of unknown uni/multi cast addresses
  group          Place this interface in a port group
  monitor        Monitor another interface
  network        Configure an interface to be a network port
  protected      Configure an interface to be a protected port
  security       Configure an interface to be a secure port
  storm-control  Configure storm control parameters
LILO(config-if)#port security ?
  action         action to take for security violation
  aging          Enable Port-security aging
  max-mac-count  maximum mac address count
LILO(config-if)#port security max-mac-count ?
  Maximum mac address count for this secure port
LILO(config-if)#port security max-mac-count 1
LILO(config-if)#port security action ?
  shutdown  shut down the port from which security violation is detected
  trap      send snmp trap for security violaiton
LILO(config-if)#port security action shutdown

Hope this helps,
Daren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Zaggat
Sent: Saturday, October 05, 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: How to restrict hubs in a LAN [7:54937]

> I am just trying to think of how to restrict hubs from being used in the LAN. Politically it's a mess, and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally the ports that the hubs are connected to show several MAC addresses when I do show cam, which gives me an idea: is there any way to restrict host ports to only accept one MAC address? I don't want to hardcode the MAC address because that would be too much of an administrative burden. But if I could restrict the port to accept just one MAC address then that would make these hubs useless. Well, anyway, let me know if I am way off here, but are there any other tricks in use by any of you guys? I'll appreciate any pointers.
>
> JZ
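The behaviour Daren's max-mac-count 1 / action shutdown configuration produces, next to the restrictive mode Kevin describes elsewhere in the thread, as an added Python model that is not part of the thread or of Cisco IOS; the SecurePort class, its method names and the frame sequence are invented for illustration.

```python
"""Toy model of switch port security as discussed in the thread: a port
learns at most max_mac_count source MACs, and a frame from any further
MAC is a violation handled by the configured action.  Added example,
not from the thread or from Cisco IOS; names are invented."""
from dataclasses import dataclass, field

SHUTDOWN = "shutdown"   # Daren's config: disable the port on violation
RESTRICT = "restrict"   # Kevin's restrictive mode: stay up, drop the offender


@dataclass
class SecurePort:
    name: str
    max_mac_count: int = 1
    action: str = SHUTDOWN
    secure_macs: list = field(default_factory=list)   # learned dynamically, in order
    enabled: bool = True
    violations: int = 0
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Handle one ingress frame; return True if the switch forwards it."""
        src_mac = src_mac.lower()
        if not self.enabled:
            # A shut-down port forwards nothing until an operator re-enables it.
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_mac_count:
            # Dynamic learning: the first N source MACs become the secure set,
            # so nothing has to be hardcoded per port.
            self.secure_macs.append(src_mac)
            return True
        # Secure set is full and this MAC is not in it: security violation.
        self.violations += 1
        if self.action == SHUTDOWN:
            self.enabled = False
            self.log.append(f"{self.name}: violation from {src_mac}, port shut down")
        else:
            self.log.append(f"{self.name}: violation from {src_mac}, frame dropped")
        return False

    def admin_reenable(self) -> None:
        """Operator clears the disabled state (the manual re-enable)."""
        self.enabled = True


def run_hub_scenario(action: str, max_mac_count: int = 1) -> dict:
    """Three PCs behind a hub on one access port (constructed traffic).
    Returns what was forwarded so the two actions can be compared."""
    port = SecurePort("Fa0/1", max_mac_count=max_mac_count, action=action)
    # Constructed frame sequence: PC-A, PC-B, PC-A again, PC-C, PC-A again.
    frames = ["00:00:0c:aa:aa:01", "00:00:0c:bb:bb:02",
              "00:00:0c:aa:aa:01", "00:00:0c:cc:cc:03", "00:00:0c:aa:aa:01"]
    forwarded = [port.receive(m) for m in frames]
    return {"forwarded": forwarded, "violations": port.violations,
            "enabled": port.enabled, "secure_macs": port.secure_macs,
            "log": port.log}


if __name__ == "__main__":
    for action in (SHUTDOWN, RESTRICT):
        print(action, run_hub_scenario(action))
```

With shutdown the first extra MAC takes the whole port down, including the legitimately connected PC; with restrict the first PC keeps working and every frame from the hub's other hosts is dropped and counted.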
Re: How to restrict hubs in a LAN [7:54937]
Take a look into Port Security:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html

In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.

Kevin Wigle

----- Original Message -----
From: John Zaggat
To:
Sent: Saturday, October 05, 2002 5:01 PM
Subject: How to restrict hubs in a LAN [7:54937]

> I am just trying to think of how to restrict hubs from being used in the LAN. Politically it's a mess, and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally the ports that the hubs are connected to show several MAC addresses when I do show cam, which gives me an idea: is there any way to restrict host ports to only accept one MAC address? I don't want to hardcode the MAC address because that would be too much of an administrative burden. But if I could restrict the port to accept just one MAC address then that would make these hubs useless. Well, anyway, let me know if I am way off here, but are there any other tricks in use by any of you guys? I'll appreciate any pointers.
>
> JZ
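A way to automate the "show cam shows several MAC addresses on a port" check the original post describes, as an added Python script that is not part of the thread; the CAM table text is constructed in an approximated CatOS-style layout and the uplink port list is an assumption.

```python
"""Audit a CAM/MAC-table listing for access ports that have learned more
than one source MAC, the symptom of a hub (or a bridging PC) behind the
port.  Added example, not from the thread; the sample below is constructed
and only approximates the 'show cam dynamic' layout."""
import re
from collections import defaultdict

# Constructed sample output (not a real capture).
SAMPLE_CAM = """\
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
10    00-00-0c-aa-aa-01            3/1 [ALL]
10    00-00-0c-bb-bb-02            3/1 [ALL]
10    00-00-0c-cc-cc-03            3/1 [ALL]
10    00-00-0c-dd-dd-04            3/2 [ALL]
20    00-00-0c-ee-ee-05            3/3 [ALL]
20    00-00-0c-ee-ee-05            3/3 [ALL]
10    00-00-0c-11-22-33            1/1 [ALL]
20    00-00-0c-44-55-66            1/1 [ALL]
Total Matching CAM Entries Displayed = 8
"""

# Accept both hh-hh-hh-hh-hh-hh and hhhh.hhhh.hhhh spellings.
MAC_RE = re.compile(
    r"\b([0-9a-f]{2}(?:-[0-9a-f]{2}){5}|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\b", re.I)
PORT_RE = re.compile(r"\b(\d+/\d+)\b")        # assumed module/port naming


def parse_cam(text: str) -> dict:
    """Map each port to the set of distinct MACs learned on it."""
    macs_by_port = defaultdict(set)
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue                      # header, separator and summary lines
        # The port token follows the MAC; search only the remainder so a
        # VLAN number is never mistaken for a port.
        port = PORT_RE.search(line[mac.end():])
        if port:
            macs_by_port[port.group(1)].add(mac.group(1).lower())
    return dict(macs_by_port)


def find_suspect_ports(text: str, uplinks=(), max_macs: int = 1) -> dict:
    """Return {port: sorted MAC list} for ports over the MAC limit.
    'uplinks' lists ports expected to carry many MACs (trunks, servers)."""
    return {port: sorted(macs)
            for port, macs in parse_cam(text).items()
            if port not in uplinks and len(macs) > max_macs}


if __name__ == "__main__":
    for port, macs in find_suspect_ports(SAMPLE_CAM, uplinks={"1/1"}).items():
        print(f"{port}: {len(macs)} MACs -> {', '.join(macs)}")
```

Run periodically against saved switch output, this finds the same ports an operator would spot by eye, and the uplink exclusion keeps trunk ports out of the report.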
Re: How to restrict hubs in a LAN [7:54937]
Thanks guys, that's pretty good information, but do you think, in your opinion, that is a good approach to deal with this problem? Do you see any caveats, and are there any other ways this can be dealt with?

Kevin Wigle wrote in message news:[EMAIL PROTECTED]...

> Take a look into Port Security:
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html
>
> In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.
>
> Kevin Wigle
Re: How to restrict hubs in a LAN [7:54937]
As much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done?

What is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? If the problem is one of dual homing, by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single-homed situation, what do you see as the issues?

When you say that politically it's a mess, what does that mean? High-powered sales people throwing their weight around? Management does not respect your input or concerns? Something bad is happening, and it's rolling downhill?

I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access.

John Zaggat wrote in message news:[EMAIL PROTECTED]...

> Thanks guys, that's pretty good information, but do you think, in your opinion, that is a good approach to deal with this problem? Do you see any caveats, and are there any other ways this can be dealt with?
>
> Kevin Wigle wrote in message news:[EMAIL PROTECTED]...
>
> > take a look into Port Security.
> >
> > http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html
> >
> > In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.
> >
> > Kevin Wigle
> >
> > ----- Original Message -----
> > From: John Zaggat
> > To:
> > Sent: Saturday, October 05, 2002 5:01 PM
> > Subject: How to restrict hubs in a LAN [7:54937]
> >
> > > I am just trying to think of how to restrict hubs from being used in the LAN. Politically it's a mess, and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch.
> > >
> > > Now normally these ports that the hubs are connected to show several MAC addresses when I do show cam, which gives me an idea: is there any way to restrict host ports to only accept one MAC address? I don't want to hardcode the MAC address because that would be too much of an administrative burden. But if I could restrict the port to accept just one MAC address, then that will make these hubs useless.
> > >
> > > Well, anyway, let me know if I am way off here, but are there any other tricks in use by any of you guys? I'll appreciate any pointers.
> > >
> > > JZ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54950t=54937
Re: How to restrict hubs in a LAN [7:54937]
Well, that's practically a layer 8 problem. Does your organization have a security policy that spells out to users that no, you cannot attach a hub to your port? If it's not forbidden, then why restrict it?

You speak of administrative burden; once the troops figure out what you've done, will they have recourse to a manager that can order you to let them have their hub?

As is often asked here, what problem are you trying to solve? If users need more connectivity, can they get it? Do you need to be looking at putting in more switches/ports?

I have used port security and it works, but we have a security policy that spells out: no hubs.

Kevin Wigle

----- Original Message -----
From: John Zaggat
To:
Sent: Saturday, October 05, 2002 11:30 PM
Subject: Re: How to restrict hubs in a LAN [7:54937]

> Thanks guys, that's pretty good information, but do you think, in your opinion, that is a good approach to deal with this problem? Do you see any caveats, and are there any other ways this can be dealt with?
>
> Kevin Wigle wrote in message news:[EMAIL PROTECTED]...
>
> > take a look into Port Security.
> >
> > http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html
> >
> > In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.
> >
> > Kevin Wigle
> >
> > ----- Original Message -----
> > From: John Zaggat
> > To:
> > Sent: Saturday, October 05, 2002 5:01 PM
> > Subject: How to restrict hubs in a LAN [7:54937]
> >
> > > I am just trying to think of how to restrict hubs from being used in the LAN. Politically it's a mess, and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch.
> > >
> > > Now normally these ports that the hubs are connected to show several MAC addresses when I do show cam, which gives me an idea: is there any way to restrict host ports to only accept one MAC address? I don't want to hardcode the MAC address because that would be too much of an administrative burden. But if I could restrict the port to accept just one MAC address, then that will make these hubs useless.
> > >
> > > Well, anyway, let me know if I am way off here, but are there any other tricks in use by any of you guys? I'll appreciate any pointers.
> > >
> > > JZ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54951t=54937