I would like to find out if there is a good way to prevent or alert when someone adds a switch or hub to a port that should only have a PC and/or VoIP phone?
The right answer would be "Use port security". The best answer would be "Use 802.1x authentication".
Thanks. I checked a little of both and I may just try the Port security. Any things to watch out for? Would I set the max mac-addresses to be 2 if I have a phone and PC? Also, I don't want to lock it to a specific Mac-address as I have people change offices what would be the best way to do that? Also can I set it up so the first mac-address is the one that can pass traffic but any others the traffic just gets droped, I don't want to shut the port down?
Yup, you can configure it so port learns first mac address in use and stick to it as long as it's active and then either age it out or keep for always.
To cause port just to drop traffic from consecutive learned mac addresses:
2 mac addresses for PC+phone are also correct though it may raise some obvious issues if you won't configure static mac addresses on port.
For mobile users 802.1x is an ace. :)
You can connect some other devices instead of regular ones if there is no static mac or sticky mac ages out.
And the previous poster has a very good point, router will hide everything hidden behind it, so you kind of need static macs or sticky ones which do not age.
You might also want to investigate setting the TTL such that when someone plugs in a SOHO router (because now they'll need to NAT to get extra ports)the TTL will expire (one more router, TTL decrements, hits zero ... no connection)
Sometime you have to get extreme to foil the determined users ....
Good Luck, Happy Holidays!
I need some help understanding this one. Where can I find more information on the TTL settings so I don't cause issues with the Phones or the PC that is supposed to be connected.
Also are there any gotch ya's?
The only real gotcha is administrative; you pretty much have to tailor the TTL for each branch of the network (or, at least the ones you want to control ... not all branches require strict control ... think "Your Boss, your Bosses' boss, etc).
Unless your network is of consistent radius / hops-per-branch, you'd need to tweak them individually.
If you traceroute from a host in each branch, you'll get an idea of where to start your TTL count. If it takes 3 hops to hit the gateway, a TTL of three should be your number.
Also ... TTL for INBOUND ONLY ... an outbound TTL setting would limit your reach for Internet access. In that vein, if you wanted to limit access to your internal network / Intra-net and have designed to that end (i.e., central resources are a consistent hop count from each client), you can restrict access to the internal network by limiting the outbound (from the host) TTL ... it might save you some ugly ACL work.
Everyone's networks are different, ya gotta go with what works for you.
Good Luck, Happy Holidays!
PC+Phone requires a minimum of 3 MAC Addresses. There is the MAC of the PC, the MAC of the switchport on the phone, and the MAC of the PC port on the phone. ou need to change port-security to a maximum of 3 MAC addresses.