Re: How to restrict hubs in a LAN [7:54937]
Thanks for the details, Chuck. The number of MAC addresses that a switch can learn can indeed be an issue, although the number tends to be pretty big these days. It's helpful to know that the actual number depends on features that are enabled, amount of memory, etc.

It's worth giving some thought to what happens if a switch can't remember all the addresses that it sees... Thought. Thought. and doesn't store all the addresses in a bridging table that says which port to use Thought. Thought. The switch floods! When frames arrive with a destination MAC address that is not in the bridging table, the switch must flood the packet out all interfaces. Needless to say, this wastes bandwidth.

Here's a story from Troubleshooting Campus Networks: One of the authors was called in to troubleshoot a hospital campus network consisting of several buildings, star-connected back to a central data center. Each remote building had an edge switch with a fiber connection back to the data center. In the data center it was found that entire bidirectional conversations between clients in remote buildings and servers in the same remote building were visible on the data center backbone. At first it was thought that the forwarding path between a client and server was extending through the data center somehow, which was not the intent of the network design. Upon further analysis, it was discovered that the switches used in the remote buildings only supported 256 MAC addresses in the bridging tables. Consequently, with over 500 users in each remote building, it was common for many addresses to become unknown. The recommendation was made to replace the remote building switches with ones having greater capacity, thereby eliminating the unnecessary traffic on the data center backbone.

___ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com

Chuck's Long Road wrote: Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
Daren Presbitero wrote: Isn't there a limitation on the number of MACs that a port will handle? Probably, but I bet the number is way bigger than he needs to worry about. There's probably a max number of addresses for generic learning purposes CL: in case anyone is interested, the max number of macs supported on any of the Cisco switches is fluid, depending on other features turned on, amount of memory, etc. The 3550 documentation states that depending upon the SDM template that is active, one may have anywhere from 2,000 to 12,000 unicast MAC's in the CAM table. I am assuming this means that if you have lots of hubs and switches daisy chained down the line, that the MAC's of end stations will show up in the root switch CAM. Obviously, if all you have are end stations in a single switch, that number is smaller. CL: this does bring up a good point about size ( number of devices - servers, PC's, and other switches ) in a bridged network. and a max number related to port security, which appears to be 132 from an earlier post. There's also the issue of how many MACs can eat up all of the available 100 Mbps, but once again, that's the user's problem. Won't hubs share all those macs with each port, and possibly cause the max limit to be reached? All the MAC addresses behind the hub will be visible to all the switched ports. Is that what you're getting at? It's a good point. The learning process will need to know about all the MACs. But the max number of MAC addresses that a switch can learn is large and not something he needs to worry about. ___ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, October 07, 2002 8:20 AM To: [EMAIL PROTECTED] Subject: Re: How to restrict hubs in a LAN [7:54937] David j wrote: See inline.. Chuck's Long Road wrote: as much of a rulemeister as I am, I still have to look at this from the user standpoint.
Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? what is the concern with a user plugging a hub in at the desk and then connected a couple of extra PC's? if the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues? I see one issue: collisions, if you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first on using them. Co
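The flooding described in the message above (a bridging table too small for the stations behind it), modelled as an added example that is not part of the original thread. It assumes a switch that simply stops learning when its table is full and does no aging during the run; real switches differ. Port names and MAC addresses are constructed.

```python
"""Learning-bridge model: what a too-small bridging table does to the uplink.

Added illustration, not code from the thread. Assumption: when the table is
full the switch stops learning new addresses (real switches differ: some age
entries out, some overwrite), and no aging happens during the run.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, capacity, ports):
        self.capacity = capacity      # max entries in the bridging table
        self.ports = list(ports)
        self.table = {}               # MAC address -> port it was learned on

    def receive(self, in_port, src, dst):
        """Handle one frame and return the list of ports it is sent out of."""
        # Learn (or refresh) the source address if there is room for it.
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = in_port
        out_port = self.table.get(dst)
        if out_port is None:
            # Unknown (or broadcast) destination: flood out every other port.
            return [p for p in self.ports if p != in_port]
        return [] if out_port == in_port else [out_port]


def mac(n):
    """Constructed, locally administered MAC address for station n."""
    return "02:00:00:00:%02x:%02x" % (n >> 8, n & 0xFF)


def uplink_leak(capacity, n_clients):
    """Return (local frames seen on the uplink, addresses learned).

    Models one remote-building edge switch: n_clients client ports, one
    local server port and one uplink to the data center.
    """
    clients = [("c%d" % i, mac(i + 1)) for i in range(n_clients)]
    server_port, server_mac = "srv", mac(0)
    sw = LearningSwitch(capacity, ["uplink", server_port] + [p for p, _ in clients])

    # Phase 1: every station sends one broadcast, so the switch sees all
    # source addresses and learns as many as its table can hold.
    sw.receive(server_port, server_mac, BROADCAST)
    for port, addr in clients:
        sw.receive(port, addr, BROADCAST)

    # Phase 2: each client does one request/reply with the local server.
    leaked = 0
    for port, addr in clients:
        leaked += "uplink" in sw.receive(port, addr, server_mac)
        leaked += "uplink" in sw.receive(server_port, server_mac, addr)
    return leaked, len(sw.table)


if __name__ == "__main__":
    # 256 is the table size from the story; 2,000 and 12,000 are the 3550
    # figures quoted in the thread.
    for cap in (256, 2000, 12000):
        leaked, learned = uplink_leak(cap, 500)
        print("table size %5d: learned %3d addresses, %3d local frames on uplink"
              % (cap, learned, leaked))
```

With a 256-entry table and 500 clients, every reply to a client the switch never learned is flooded, so purely local traffic shows up on the uplink; with room for all addresses nothing local leaves the building.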
Re: How to restrict hubs in a LAN [7:54937]
David j wrote: See inline.. Chuck's Long Road wrote: as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? what is the concern with a user plugging a hub in at the desk and then connected a couple of extra PC's? if the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues? I see one issue: collisions, if you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first on using them. Collisions are only a problem for the hubbed network that the user made for him/her self. The switched network is isolated from the collisions (with the exception of the one switch port that connects the user's hub). I say, let 'em do it! What's the harm? Don't you have way more bandwidth than you need anyway?? ;-) A lot of companies do. Reference the discussion of Cisco stock. Nobody's buying, because, guess what, we don't need it!?? Tech support is an issue, though, of course, for example, the user that is clueful enough to know he/she needs a hub but not clueful enough to select the right cable (x-over versus s/t) and duplex mode. Well a hub should default to half, but a lot of devices that are marketed as hubs are really switches or bridges. But could you say they aren't supported rather than outright disallowing them? Is there a compromise somewhere?? ___ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill?
In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy. I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access. John Zaggat wrote in message news:[EMAIL PROTECTED]... Thanks guys that's pretty good information, but do you think in your opinion is that good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with. Kevin Wigle wrote in message news:[EMAIL PROTECTED]... take a look into Port Security. http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts. Kevin Wigle - Original Message - From: John Zaggat To: Sent: Saturday, October 05, 2002 5:01 PM Subject: How to restrict hubs in a LAN [7:54937] I am just trying to think of how to restrict Hubs from being used in the LAN. Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally these ports that the hubs are connected to show several mac addresses when I do show cam which gives me an idea is there any way to restrict host ports to only accept one mac-address.
I don't want to hardcode the mac-address because that would be too much of an administrative burden. But if I could restrict the port to accept just one mac-address then that will make these hubs useless. Well anyways let me know if I am way off here but are there any other tricks in use by any of you guys. I'll appreciate any pointers. JZ Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55028t=54937 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondiscl
Re: How to restrict hubs in a LAN [7:54937]
situation, what do you see as the issues? I see one issue: collisions, if you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first on using them. when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill? In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy. I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access. John Zaggat wrote in message news:[EMAIL PROTECTED]... Thanks guys that's pretty good information, but do you think in your opinion is that good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with. Kevin Wigle wrote in message news:[EMAIL PROTECTED]... take a look into Port Security. http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.
Kevin Wigle - Original Message - From: John Zaggat To: Sent: Saturday, October 05, 2002 5:01 PM Subject: How to restrict hubs in a LAN [7:54937] I am just trying to think of how to restrict Hubs from being used in the LAN. Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally these ports that the hubs are connected to show several mac addresses when I do show cam which gives me an idea is there any way to restrict host ports to only accept one mac-address. I don't want to hardcode the mac-address because that would be too much of an administrative burden. But if I could restrict the port to accept just one mac-address then that will make these hubs useless. Well anyways let me know if I am way off here but are there any other tricks in use by any of you guys. I'll appreciate any pointers. JZ [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55036t=54937 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: How to restrict hubs in a LAN [7:54937]
Isn't there a limitation on the number of MACs that a port will handle? Won't hubs share all those macs with each port, and possibly cause the max limit to be reached? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, October 07, 2002 8:20 AM To: [EMAIL PROTECTED] Subject: Re: How to restrict hubs in a LAN [7:54937] David j wrote: See inline.. Chuck's Long Road wrote: as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? what is the concern with a user plugging a hub in at the desk and then connected a couple of extra PC's? if the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues? I see one issue: collisions, if you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first on using them. Collisions are only a problem for the hubbed network that the user made for him/her self. The switched network is isolated from the collisions (with the exception of the one switch port that connects the user's hub). I say, let 'em do it! What's the harm? Don't you have way more bandwidth than you need anyway?? ;-) A lot of companies do. Reference the discussion of Cisco stock. Nobody's buying, because, guess what, we don't need it!?? Tech support is an issue, though, of course, for example, the user that is clueful enough to know he/she needs a hub but not clueful enough to select the right cable (x-over versus s/t) and duplex mode. Well a hub should default to half, but a lot of devices that are marketed as hubs are really switches or bridges. But could you say they aren't supported rather than outright disallowing them?
Is there a compromise somewhere?? ___ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill? In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy. I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access. John Zaggat wrote in message news:[EMAIL PROTECTED]... Thanks guys that's pretty good information, but do you think in your opinion is that good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with. Kevin Wigle wrote in message news:[EMAIL PROTECTED]... take a look into Port Security. http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts. Kevin Wigle - Original Message - From: John Zaggat To: Sent: Saturday, October 05, 2002 5:01 PM Subject: How to restrict hubs in a LAN [7:54937] I am just trying to think of how to restrict Hubs from being used in the LAN.
Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally these ports that the hubs are connected to show several mac addresses when I do show cam which gives me an idea is there any way to restrict host ports to only accept one mac-address. I don't want to hardcode the mac-address because that would be too much of an administrative burden. But if I could restrict the port to accept just one mac-address then that will make these hubs useless. Well anyways let me know if I am way off here but are there any
RE: How to restrict hubs in a LAN [7:54937]
Daren Presbitero wrote: Isn't there a limitation on the number of MACs that a port will handle? Probably, but I bet the number is way bigger than he needs to worry about. There's probably a max number of addresses for generic learning purposes and a max number related to port security, which appears to be 132 from an earlier post. There's also the issue of how many MACs can eat up all of the available 100 Mbps, but once again, that's the user's problem. Won't hubs share all those macs with each port, and possibly cause the max limit to be reached? All the MAC addresses behind the hub will be visible to all the switched ports. Is that what you're getting at? It's a good point. The learning process will need to know about all the MACs. But the max number of MAC addresses that a switch can learn is large and not something he needs to worry about. ___ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, October 07, 2002 8:20 AM To: [EMAIL PROTECTED] Subject: Re: How to restrict hubs in a LAN [7:54937] David j wrote: See inline.. Chuck's Long Road wrote: as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? what is the concern with a user plugging a hub in at the desk and then connected a couple of extra PC's? if the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues? I see one issue: collisions, if you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first on using them.
Collisions are only a problem for the hubbed network that the user made for him/her self. The switched network is isolated from the collisions (with the exception of the one switch port that connects the user's hub). I say, let 'em do it! What's the harm? Don't you have way more bandwidth than you need anyway?? ;-) A lot of companies do. Reference the discussion of Cisco stock. Nobody's buying, because, guess what, we don't need it!?? Tech support is an issue, though, of course, for example, the user that is clueful enough to know he/she needs a hub but not clueful enough to select the right cable (x-over versus s/t) and duplex mode. Well a hub should default to half, but a lot of devices that are marketed as hubs are really switches or bridges. But could you say they aren't supported rather than outright disallowing them? Is there a compromise somewhere?? ___ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill? In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy. I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access. John Zaggat wrote in message news:[EMAIL PROTECTED]... Thanks guys that's pretty good information, but do you think in your opinion is that good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with. Kevin Wigle wrote in message news:[EMAIL PROTECTED]... take a look into Port Security.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts. Kevin Wigle - Original Message - F
Re: How to restrict hubs in a LAN [7:54937]
Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]... Daren Presbitero wrote: Isn't there a limitation on the number of MACs that a port will handle? Probably, but I bet the number is way bigger than he needs to worry about. There's probably a max number of addresses for generic learning purposes CL: in case anyone is interested, the max number of macs supported on any of the Cisco switches is fluid, depending on other features turned on, amount of memory, etc. The 3550 documentation states that depending upon the SDM template that is active, one may have anywhere from 2,000 to 12,000 unicast MAC's in the CAM table. I am assuming this means that if you have lots of hubs and switches daisy chained down the line, that the MAC's of end stations will show up in the root switch CAM. Obviously, if all you have are end stations in a single switch, that number is smaller. CL: this does bring up a good point about size ( number of devices - servers, PC's, and other switches ) in a bridged network. and a max number related to port security, which appears to be 132 from an earlier post. There's also the issue of how many MACs can eat up all of the available 100 Mbps, but once again, that's the user's problem. Won't hubs share all those macs with each port, and possibly cause the max limit to be reached? All the MAC addresses behind the hub will be visible to all the switched ports. Is that what you're getting at? It's a good point. The learning process will need to know about all the MACs. But the max number of MAC addresses that a switch can learn is large and not something he needs to worry about. ___ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, October 07, 2002 8:20 AM To: [EMAIL PROTECTED] Subject: Re: How to restrict hubs in a LAN [7:54937] David j wrote: See inline..
Chuck's Long Road wrote: as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? what is the concern with a user plugging a hub in at the desk and then connected a couple of extra PC's? if the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues? I see one issue: collisions, if you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first on using them. Collisions are only a problem for the hubbed network that the user made for him/her self. The switched network is isolated from the collisions (with the exception of the one switch port that connects the user's hub). I say, let 'em do it! What's the harm? Don't you have way more bandwidth than you need anyway?? ;-) A lot of companies do. Reference the discussion of Cisco stock. Nobody's buying, because, guess what, we don't need it!?? Tech support is an issue, though, of course, for example, the user that is clueful enough to know he/she needs a hub but not clueful enough to select the right cable (x-over versus s/t) and duplex mode. Well a hub should default to half, but a lot of devices that are marketed as hubs are really switches or bridges. But could you say they aren't supported rather than outright disallowing them? Is there a compromise somewhere?? ___ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill?
In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy. I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access. John Zaggat wrote in message news:[EMAIL PROTECTED]... Thanks guys that's pretty good information, but do you think in your opinion is that good approach to deal with this problem. Do you see any caveats and are ther
Re: How to restrict hubs in a LAN [7:54937]
See inline.. Chuck's Long Road wrote: as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? what is the concern with a user plugging a hub in at the desk and then connected a couple of extra PC's? if the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues? I see one issue: collisions, if you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first on using them. when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around? management does not respect your input or concerns? something bad is happening, and it's rolling downhill? In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy. I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access. John Zaggat wrote in message news:[EMAIL PROTECTED]... Thanks guys that's pretty good information, but do you think in your opinion is that good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with. Kevin Wigle wrote in message news:[EMAIL PROTECTED]... take a look into Port Security.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts. Kevin Wigle - Original Message - From: John Zaggat To: Sent: Saturday, October 05, 2002 5:01 PM Subject: How to restrict hubs in a LAN [7:54937] I am just trying to think of how to restrict Hubs from being used in the LAN. Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch. Now normally these ports that the hubs are connected to show several mac addresses when I do show cam which gives me an idea is there any way to restrict host ports to only accept one mac-address. I don't want to hardcode the mac-address because that would be too much of an administrative burden. But if I could restrict the port to accept just one mac-address then that will make these hubs useless. Well anyways let me know if I am way off here but are there any other tricks in use by any of you guys. I'll appreciate any pointers. JZ Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54954t=54937 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: How to restrict hubs in a LAN [7:54937]
Well, when I wrote the original post I knew I will have these questions. Basically the first layer of support or help desk if you will have more PCs than the drops in their cubes. This is an old building not meant for an IS staff so there is some frustration on their part. I am not going to question if there is a legit need for folks to have 5 PCs when there is in fact a separate staging area to set up and test pcs for users. Anyways they know enough to be dangerous and there is no standard on hubs and I have seen where folks have created loops. Now with Windows XP I have seen some configs where 2 nics have been bridged via software I am not sure with what intent. Although it's been made clear many times not to use hubs but this is never enforced and I did not want to spend my time daily trying to hunt down the lawless. So that's when I thought if I could config the switch this will discourage the hub usage or bridging within pcs. I hope that answers most of the questions here.

David j wrote in message news:[EMAIL PROTECTED]... See inline.. Chuck's Long Road wrote: as much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done? what is the concern with a user plugging a hub in at the desk and then connected a couple of extra PC's? if the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues? I see one issue: collisions, if you have a switched network you don't want to deal with collisions that hubs normally produce. I have to recognize, though, that hubs sometimes are very convenient and I'm the first on using them. when you say that politically, it's a mess what does that mean? high powered sales people throwing their weight around?
management does not respect your input or concerns? something bad is happening, and it's rolling downhill? In some environments it's politically unacceptable, I know some hospitals in which you have to fill in a lot of papers before being allowed to use a PC, so in those environments this could perfectly be part of the policy. I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access. John Zaggat wrote in message news:[EMAIL PROTECTED]... Thanks guys that's pretty good information, but do you think in your opinion is that good approach to deal with this problem. Do you see any caveats and are there any other ways this can be dealt with. Kevin Wigle wrote in message news:[EMAIL PROTECTED]... take a look into Port Security. http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts. Kevin Wigle - Original Message - From: John Zaggat To: Sent: Saturday, October 05, 2002 5:01 PM Subject: How to restrict hubs in a LAN [7:54937] I am just trying to think of how to restrict Hubs from being used in the LAN. Politically it's a mess and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch.
Now normally these ports that the hubs are connected to show several mac addresses when I do show cam which gives me an idea is there any way to restrict host ports to only accept one mac-address. I don't want to hardcode the mac-address because that would be too much of an administrative burden. But if I could restrict the port to accept just one mac-address then that will make these hubs useless. Well anyways let me know if I am way off here but are there any other tricks in use by any of you guys. I'll appreciate any pointers. JZ Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54956t=54937 -- FAQ, list archives, and subscription info: http://www.groupstudy.co
Re: How to restrict hubs in a LAN [7:54937]
By default a port can learn 132 mac addresses on most switches. This can be restricted by the Port Secure Max-mac-count (1-132) command. If this is set to 1 it will not accept any additional Macs on the port.

From: JohnZ Reply-To: JohnZ To: [EMAIL PROTECTED] Subject: Re: How to restrict hubs in a LAN [7:54937] Date: Sun, 6 Oct 2002 06:52:05 GMT
How to restrict hubs in a LAN [7:54937]
I am just trying to think of how to restrict Hubs from being used in the LAN. Politically it's a mess, and despite a lot of discussions certain people are able to add hubs at will wherever they want. So I was trying to think of a way to stop that within the switch.

Now normally these ports that the hubs are connected to show several MAC addresses when I do show cam, which gives me an idea: is there any way to restrict host ports to only accept one MAC address? I don't want to hardcode the MAC address because that would be too much of an administrative burden. But if I could restrict the port to accept just one MAC address then that will make these hubs useless.

Well anyways let me know if I am way off here, but are there any other tricks in use by any of you guys? I'll appreciate any pointers.

JZ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54937t=54937
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: How to restrict hubs in a LAN [7:54937]
John,

You can enable port security on the switch ports to only allow a specific # of MACs. See below:

LILO#config t
Enter configuration commands, one per line. End with CNTL/Z.
LILO(config)#int fa0/1
LILO(config-if)#port ?
  block          Forwarding of unknown uni/multi cast addresses
  group          Place this interface in a port group
  monitor        Monitor another interface
  network        Configure an interface to be a network port
  protected      Configure an interface to be a protected port
  security       Configure an interface to be a secure port
  storm-control  Configure storm control parameters
LILO(config-if)#port security ?
  action         action to take for security violation
  aging          Enable Port-security aging
  max-mac-count  maximum mac address count
LILO(config-if)#port security max-mac-count ?
  Maximum mac address count for this secure port
LILO(config-if)#port security max-mac-count 1
LILO(config-if)#port security action ?
  shutdown  shut down the port from which security violation is detected
  trap      send snmp trap for security violaiton
LILO(config-if)#port security action shutdown

Hope this helps,
Daren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John Zaggat
Sent: Saturday, October 05, 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: How to restrict hubs in a LAN [7:54937]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54939t=54937
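As an added example (not part of Daren's post and not vendor tooling), the Python script below checks a saved MAC address table before the max-mac-count 1 and action shutdown settings above are rolled out: it lists host ports that already show more than one address, which would trip a violation, and emits the port security lines only for ports that comply. The table text is constructed, its VLAN/MAC/type/port column layout is an assumption, and the function names and the Gi0/1 uplink are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of a saved MAC address table. The "VLAN MAC TYPE PORT"
# column layout is an assumption; adjust ROW for the platform's real output.
# MAC notations are mixed deliberately to exercise normalize_mac().
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0010.a4aa.0001    DYNAMIC     Fa0/1
   1    0010.a4aa.0002    DYNAMIC     Fa0/2
   1    0010.a4aa.0003    DYNAMIC     Fa0/2
   1    0010.a4aa.0004    DYNAMIC     Fa0/2
   1    0010.a4aa.0005    DYNAMIC     Fa0/3
  10    0010.a4aa.0005    DYNAMIC     Fa0/3
   1    00-10-A4-AA-00-06 DYNAMIC     Fa0/5
   1    0010.a4aa.0101    DYNAMIC     Gi0/1
   1    0010.a4aa.0102    DYNAMIC     Gi0/1
"""

# One table row: VLAN id, MAC address, entry type, port name.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def normalize_mac(text):
    """Return 12 lowercase hex digits for a dotted, dashed or colon MAC, else None."""
    digits = re.sub(r"[.:-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def parse_mac_table(text):
    """Map each port to the set of distinct MAC addresses learned on it."""
    ports = defaultdict(set)
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # header, ruler or blank line
        mac = normalize_mac(match.group(2))
        if mac:
            # The same MAC seen in two VLANs is still one station.
            ports[match.group(4)].add(mac)
    return dict(ports)


def audit(text, max_mac_count=1, uplinks=()):
    """Split host ports into those over the limit and those that comply.

    Ports named in `uplinks` are skipped: a link to another switch
    legitimately carries many addresses and is not a host port.
    """
    over, ok = [], []
    for port, macs in sorted(parse_mac_table(text).items()):
        if port in uplinks:
            continue
        if len(macs) > max_mac_count:
            over.append((port, sorted(macs)))
        else:
            ok.append(port)
    return over, ok


def port_security_config(ports, max_mac_count=1, action="shutdown"):
    """Build the per-port commands shown in the session above."""
    lines = []
    for port in ports:
        lines += [
            f"interface {port}",
            f" port security max-mac-count {max_mac_count}",
            f" port security action {action}",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    over, ok = audit(SAMPLE_TABLE, uplinks={"Gi0/1"})
    for port, macs in over:
        print(f"{port}: {len(macs)} addresses, follow up before enforcing: {macs}")
    print(port_security_config(ok))
```

A snapshot only shows addresses learned at that moment, so a hub with one active PC behind it passes this check; repeat it over several captures before trusting the compliant list.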
Re: How to restrict hubs in a LAN [7:54937]
Take a look into Port Security.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2dd.html

In the event of a security violation, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.

Kevin Wigle

- Original Message -
From: John Zaggat
To:
Sent: Saturday, October 05, 2002 5:01 PM
Subject: How to restrict hubs in a LAN [7:54937]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54940t=54937
Re: How to restrict hubs in a LAN [7:54937]
Thanks guys, that's pretty good information, but in your opinion is that a good approach to deal with this problem? Do you see any caveats, and are there any other ways this can be dealt with?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54949t=54937
Re: How to restrict hubs in a LAN [7:54937]
As much of a rulemeister as I am, I still have to look at this from the user standpoint. Why are users throwing their own hubs onto the network? Is there a business case to be made? Is facilities too slow getting requested cable pulls done?

What is the concern with a user plugging a hub in at the desk and then connecting a couple of extra PCs? If the problem is one of dual homing by accident or otherwise, I can see the issue with spanning tree recalculations. But in a single home situation, what do you see as the issues?

When you say that politically it's a mess, what does that mean? High powered sales people throwing their weight around? Management does not respect your input or concerns? Something bad is happening, and it's rolling downhill?

I'm not questioning the wisdom or the necessity for doing what others have suggested. I'm just wondering why it is necessary for the network manager / network staff to unilaterally cut off user access.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54950t=54937
Re: How to restrict hubs in a LAN [7:54937]
Well, that's practically a layer 8 problem.

Does your organization have a security policy that spells out to users that no - you cannot attach a hub to your port? If it's not forbidden then why restrict it?

You speak of administrative burden. Once the troops figure out what you've done, will they have recourse to a manager that can order you to let them have their hub?

As is often asked here, what problem are you trying to solve? If users need more connectivity can they get it? Do you need to be looking at putting in more switches/ports?

I have used port security and it works, but we have a security policy that spells out - no hubs.

Kevin Wigle

- Original Message -
From: John Zaggat
To:
Sent: Saturday, October 05, 2002 11:30 PM
Subject: Re: How to restrict hubs in a LAN [7:54937]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54951t=54937