nanog mailing list archives
Re: Application or Software to detect or Block unmanaged switches
From: Jimmy Hess <mysidia () gmail com>
Date: Thu, 7 Jun 2018 05:27:00 -0500
On Thu, Jun 7, 2018 at 3:57 AM, segs <michaelolusegunrufai () gmail com> wrote: [snip]
> Please, I have a very interesting scenario that I am on the lookout for a solution for. We have instances where the network team of my company bypasses controls and processes when adding new switches to the network.
The NETWORK management team of your own company? The answer is adequate change controls, policy, procedures, technical auditing (such as logging of all CLI commands), and mandatory training with clearly-communicated-in-advance severe consequences for violators of the compulsory security policy that all switches must be of X type and configured according to Y process before being connected to the network, signed off by management.

There are technical controls that can be implemented to help prevent/mitigate end users from attaching an unauthorized switch to a normal access port, but as you mention... clearly an employee on the NETWORKING team can likely just configure a port as Trunk and circumvent any technical protections.

Two methods that could effectively prevent End Users (not the Network/IT team) from connecting unmanaged switches would be:

* Port-security feature common on many managed switches that allows you to limit the number of MAC addresses that can use a port to 1 or a given number of MAC addresses. (Use a short MAC address aging time such as 30 seconds to allow people to unplug and plug a different device in, but a low MAC address count and Err-Disable violation to kill the port if a switch is connected.)

* 802.1x Wired Port Security - a more detailed system that requires a PKI + RADIUS server infrastructure and authentication by every client to every port.

--
-JH
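An added example of the port-security method described above, in Cisco IOS syntax (not from the original post): a plain access port beside the same port with a one-MAC limit, shutdown violation action, and short aging. Interface names and the VLAN number are placeholders, and IOS expresses aging in minutes, so 1 is the shortest interval available.

```cisco
! Added example (not from the post): Cisco IOS access-port hardening
! against an unmanaged switch being daisy-chained on an end-user port.
! Interface names and VLAN 100 are placeholders; adjust to your port.
!
! Weak baseline: a plain access port learns any number of MAC addresses,
! so a dumb switch plugged in simply forwards every device behind it.
interface GigabitEthernet1/0/10
 description USER-PORT-UNPROTECTED
 switchport mode access
 switchport access vlan 100
!
! Hardened: port-security caps the port at a single learned MAC.
! A second MAC (the first sign of a downstream switch) triggers the
! violation action; "shutdown" err-disables the port and logs a
! PSECURE_VIOLATION syslog message, which is the kill-the-port behaviour
! the post recommends.
interface GigabitEthernet1/0/11
 description USER-PORT-PORTSEC
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Aging lets a user unplug one device and plug in another without a
 ! helpdesk call. IOS aging is set in minutes, so 1 is the shortest
 ! value (the post's "30 seconds" is not expressible on this platform).
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
! Optional: let a tripped port recover on its own once the offending
! switch is unplugged, instead of needing a manual shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify the result with `show port-security interface GigabitEthernet1/0/11` and watch for PSECURE_VIOLATION messages in syslog to see where unmanaged switches are actually being attached.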