Someone is plugging in a switch. How can I block it?

Discussion in 'Tomato Firmware' started by activelan, Aug 29, 2013.

  1. activelan

    activelan Reformed Router Member

    Someone on our network is plugging in a Cisco Catalyst switch and I would like to block this device. I am using Tomato Toastman 1.28

    How can I block a device (MAC Address) from appearing on my network? Thanks.
  2. koitsu

    koitsu Network Guru Member

    While you're looking for a technical explanation, I must give you something to ponder: the issue at hand is a social one -- someone is performing a non-permitted physical action. The solution should therefore not be technical but social -- the individual should be told to not do such, or physical actions taken (not technical ones) to inhibit their ability to do such. It's not only KISS principle applied, but it minimises any risk of side effects from technical solutions (i.e. if a firmware bug is encountered as a result of solution, etc.). Example: physically restricting someone from being able to plug something into your router (i.e. put router behind locked door/cabinet).

    If you still absolutely must try to solve a social problem with technology, AFAIK the only solution to this is described here (read thread slowly, up to Toastman's comment).
  3. activelan

    activelan Reformed Router Member

    Hello Koitsu and thank you for the explanation. I absolutely agree with your idea that this is a social issue and less of a technical issue. However, I have someone who I can't find plugging in somewhere on our network which is pretty big. I have suspicion that they may be setting up a monitor port and sniffing the lan.

    Whenever I walk around the various offices I never find them, and the device (same mac) often disappears around this time.

    I'll read up on the link you have posted, and hopefully find some resolve. Right now our network is not set up with VLANs and I hope I don't have to go through the trouble of setting up port-specific VLANs on my devices. Thanks!
  4. jerrm

    jerrm Network Guru Member

    Realize the mac you see is just the management interface of the switch. It's doubtful blocking that specific mac will accomplish anything (assuming it is a switch and not a router). The switching functionality itself should be pretty much invisible. If the user had a non-intelligent switch, or spoofed a valid mac for the management interface, or just configured a static IP, you may never have known about it.

    Using "robocfg showmacs" from the router command line should at least tell you which port the switch connected to. It's not much, but may help track down where it is.
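    A worked version of the `robocfg showmacs` suggestion, added here as an example and not posted by jerrm: a small POSIX shell helper that looks up which router port a given MAC was learned on, and then lists every other MAC learned on that same port. The MAC table below is a constructed sample in an assumed column layout (port, vlan, type, mac, after two header lines); real `robocfg showmacs` output may differ, so adjust the awk column numbers to match your build. When no table is passed in, the functions call `robocfg showmacs` on the router itself.

```shell
#!/bin/sh
# Added example (not from the thread): find the switch port a MAC sits on
# by parsing `robocfg showmacs` output on a Tomato router.

# Constructed sample MAC table in an ASSUMED layout; real robocfg output
# may use different columns or headers.
SAMPLE_MACS='MAC address table:
port  vlan  type  mac
0     1     DYN   00:11:22:33:44:55
1     1     DYN   00:1a:2b:3c:4d:5e
1     1     DYN   aa:bb:cc:dd:ee:ff
3     1     STA   00:0c:29:12:34:56'

# Normalise a MAC to lower-case, colon-separated form so that
# 00-1A-2B-3C-4D-5E and 00:1a:2b:3c:4d:5e compare equal.
norm_mac() {
    printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:'
}

# find_port MAC [TABLE]
# Print the port number the MAC was learned on; return 1 if not present.
# TABLE defaults to live `robocfg showmacs` output (only run when no
# table argument is given).
find_port() {
    want=$(norm_mac "$1")
    table=${2:-$(robocfg showmacs 2>/dev/null)}
    printf '%s\n' "$table" | awk -v want="$want" '
        NR > 2 && tolower($4) == want { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# other_macs_on_port PORT [TABLE]
# List every MAC learned on PORT. Several MACs behind one router port is
# the signature of a downstream switch; its management MAC is just one
# of the entries, the rest are the hosts plugged into it.
other_macs_on_port() {
    port=$1
    table=${2:-$(robocfg showmacs 2>/dev/null)}
    printf '%s\n' "$table" | awk -v p="$port" 'NR > 2 && $1 == p { print tolower($4) }'
}

# Usage on the sample data:
#   p=$(find_port 00-1A-2B-3C-4D-5E "$SAMPLE_MACS") && other_macs_on_port "$p" "$SAMPLE_MACS"
# On the router itself, omit the second argument to query robocfg live.
```

Knowing the port only narrows the search to whatever cabling hangs off that router jack, but on a flat network that is usually enough to pick the right patch panel or wall run to walk.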
  5. bingo1105

    bingo1105 Networkin' Nut Member

    jerrm is correct; any MAC address associated with the switch will be related to a management interface, and blocking it will accomplish basically nothing.

    If your concern is sniffing traffic on the LAN, adding a switch to the equation doesn't make the problem any better or worse. Plugging the switch into the network will have no ill effects, so focusing on that device rather than the user's actions isn't going to help solve your problem.

    Your challenge will be to identify the offending user and either block the device being used to sniff, or block the user from having physical access to your network.
  6. koitsu

    koitsu Network Guru Member

    Also I will point out that concerns over "packet sniffing" in this context are almost certainly overblown. Switches do not behave like hubs; if the person with the Catalyst is hooking it up to the Tomato router, all they're going to be able to see is traffic directed to devices hooked up to the Catalyst, or specific traffic between the Tomato router (on that specific LAN port) and the Catalyst. They can't see other traffic to devices on other ports. If routers used hubs instead of switches then this would be a problem (hubs simply send all traffic received on a port to all other ports; switches do not behave this way).

    I'm also a bit suspect when I hear of someone talking about their network being "pretty big" yet simultaneously is using a consumer-grade product for a router. "Pretty big" to me means thousands of devices, use of iBGP/BGP and/or OSPF, hundreds of switches with VLAN tagging/segregation, and a VPN involved here or there.

    It sounds more like you have a small business with odd-number of employees, and you're concerned about someone plugging in a device into a RJ45 jack somewhere and somehow "being able to see everything" -- it doesn't work like that.

    For situations where this happens and you want to spank the individual, it's possible to do, but you need managed switches from points A to Y (where point Z would be the offending switch/device plugged into the network). It's not that tedious; you can do it within an hour or so, or even less depending on the number of switches involved.

    I cannot help past this point.
  7. JAC70

    JAC70 Addicted to LI Member

    Your logs obviously show when the switch is connected. They should also show what IPs are assigned immediately afterward, along with the PC name and MAC address, correct? So pull the user that PC is assigned to from your inventory list, or remote in to it, or send him repeated shutdown commands if you want to mess with him first.
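    The log correlation JAC70 describes, written out as an added example (not JAC70's own code): a shell helper that reads the router's syslog, finds the DHCPACK for the switch's management MAC, and prints every lease handed out within a window after it. Those are the hosts that came up behind the newly plugged-in switch, and their hostnames point at the user. The log lines are a constructed sample in dnsmasq's DHCPACK format; the field positions and the default log path `/var/log/messages` are assumptions about a Tomato build, and only the time of day is compared, so the window is assumed not to cross midnight.

```shell
#!/bin/sh
# Added example (not from the thread): correlate a switch's DHCP lease
# with the leases that follow it in the router syslog.

# Constructed sample syslog in dnsmasq DHCPACK format (ASSUMED field
# layout: month day time host facility process DHCPACK(if) ip mac hostname).
SAMPLE_LOG='Aug 29 08:58:01 router daemon.info dnsmasq-dhcp[611]: DHCPACK(br0) 192.168.1.20 00:50:56:aa:bb:01 reception-pc
Aug 29 09:14:55 router daemon.info dnsmasq-dhcp[611]: DHCPACK(br0) 192.168.1.77 00:1a:2b:3c:4d:5e Switch
Aug 29 09:15:20 router daemon.info dnsmasq-dhcp[611]: DHCPACK(br0) 192.168.1.81 00:50:56:aa:bb:02 jsmith-laptop
Aug 29 09:16:02 router daemon.info dnsmasq-dhcp[611]: DHCPACK(br0) 192.168.1.82 00:50:56:aa:bb:03 jsmith-desktop
Aug 29 09:45:00 router daemon.info dnsmasq-dhcp[611]: DHCPACK(br0) 192.168.1.30 00:50:56:aa:bb:04 printer'

# hosts_after_switch MAC WINDOW_SECS [LOG]
# For every DHCPACK issued within WINDOW_SECS after the switch MAC's own
# DHCPACK, print "time ip mac hostname". The window re-arms each time the
# switch MAC shows up again, so a switch that is unplugged and replugged
# several times a day yields one group of hosts per appearance.
# LOG defaults to /var/log/messages (ASSUMED Tomato syslog path).
hosts_after_switch() {
    sw=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    win=$2
    log=${3:-$(cat /var/log/messages 2>/dev/null)}
    printf '%s\n' "$log" | awk -v sw="$sw" -v win="$win" '
        # seconds since midnight from HH:MM:SS (same-day assumption)
        function secs(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        /DHCPACK/ {
            mac = tolower($9); t = secs($3)
            if (mac == sw) { t0 = t; armed = 1; next }
            if (armed && t - t0 >= 0 && t - t0 <= win) print $3, $8, mac, $10
        }'
}

# Usage on the sample data (5-minute window after the switch appears):
#   hosts_after_switch 00-1A-2B-3C-4D-5E 300 "$SAMPLE_LOG"
# On the router itself, omit the third argument to read the live syslog.
```

Hosts with static IPs never request a lease and will not appear here; for those, the MAC table on the port found earlier is the only trace.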