
I need to connect several machines to the internet for work purposes. However, each workstation only has 1 LAN port. To get around this, I tried to connect a switch to the LAN port to "grab" multiple links from the LAN port. The setup goes something like this:

Internet <---> CISCO SWITCHES <---> Workstation LAN port <---> My switch <---> My systems

I soon realized each LAN port could only support a limited number of links, and that this was a hard limitation imposed by the IT department at the cisco switch level. They had set a limit on the number of MAC addresses each LAN port would support, beyond which it would start dropping links.

I had a brief chat with the network administrator, who only had the time to explain briefly that the spanning tree on the switches might go nuts and potentially bring down the entire network if he did not have the limitation in place.

My limited understanding of STP is that it is used to prevent loops in a switched network. But how would my proposed setup potentially bring down the entire network without the MAC address limitation?

peonicles
    I suspect he was thinking of this. http://en.wikipedia.org/wiki/MAC_flooding – Zoredache Sep 11 '13 at 16:29
  • I think he's got his "Spanning Tree" and "Port Security" confused. Spanning Tree will disable the switch port *if it detects a loop*. Port Security sets a limit on the number of mac addresses allowed on the port. – fukawi2 Sep 12 '13 at 08:03

3 Answers

3

When your company is large enough to employ 'CISCO SWITCHES' it is probably large enough that the IT department can't support every bob, tom, and harry plugging whatever network equipment and rogue devices that they think belong on the network.

You're going to have to work with the IT Department if this is for work.

Specifically, to answer the question in your subject: When rogue network gear is allowed on the network, 'power users' are quick to do silly things like looping a hub, inserting a rogue dhcp server, etc. By controlling the number of devices at each 'port' (We are talking access level switches in a cisco world here), the IT department can keep track of what is where and who is doing what without the hassle of a bunch of users doing things they claim they would never do.

It may not be the best solution to the problem, (Especially in a world of byod) but that is what the IT department has chosen to do. Your next steps should be to demonstrate a business need for the workstations to be connected to the network and ask IT for a solution.

Daniel Widrick
  • From your answer, this is more of an attempt to prevent users from doing stupid things rather than a technical issue. So, bandwidth issues aside, can I grab a my 24 port switch, connect 1 port on it to the LAN port, and connect 23 other systems to my switch? Would this cause any major issues to the wider network? – peonicles Sep 12 '13 at 11:22
  • That depends on: your 24 port switch, and the other 23 systems. Install a sane switch and 23 systems that don't otherwise wreck the network, and it should be ok... Technically speaking. But now, you have introduced an 'access point' to the most likely 'secured' network that is not managed and known by IT. This presents a security concern. If you are up front with the IT department about your needs, can demonstrate a business need, and can be trusted to not do silly things, they should be willing to work with you. If not, you'll need to work with management. If that stalls, I'm sorry. – Daniel Widrick Sep 12 '13 at 17:08
1

Using 802.1X / mac learning on the switch ports is common.

It's a security feature more so than a "flood mitigation" feature. Most of the time when it is deployed it has nothing to do with being concerned with someone "overwhelming the network." IT simply wants to limit the port to prevent things like a user bringing in their 10 home devices and connecting to the network. MAC learning is one of the easier things to deploy. 802.1X authentication and certificates can be done as well.

If the need is valid, IT can remove or increase the mac-learning limit on that particular LAN port.

TheCleaner
  • True - but dot1x does make a little more work than just locking down ports... I'd be more than happy to have proper security on all networks, but experience tells: less than 5%... – Truebsalgeblaese Sep 12 '13 at 06:51
0

This might be not the very best way to make one's network more reliable - but a quite effective one - and one that does not make too much work.

In my experience, about half of the network problems I am called to have a quite easy reason: some dumb 5-8 port switch (not STP-capable and loop aware) where someone "just plugged in some tests"...

Identify this port, shut it down and just wait for the culprits to complain :-)

But I do get called only after long hours of odd network behaviour, so the admins get some lectures on basic lockdowns - make sure there is STP all around, loop-guard, bpdu-guard, ... - and do limit MAC addresses where there is need for it.

tsg
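To make the two answers above concrete, here is an added example (not from any of the posters, and not from the asker's network) of how the MAC-address limit TheCleaner describes and the STP lockdowns tsg lists look on a Cisco IOS access switch. Interface name, VLAN number, the limit of 3 addresses and the timers are assumed placeholder values; the commands themselves are standard IOS port-security and spanning-tree guard commands.

```text
! --- Global STP hardening (what tsg calls "STP all around, loop-guard, bpdu-guard") ---
spanning-tree mode rapid-pvst
! Any PortFast edge port that receives a BPDU (i.e. someone plugged a switch into
! a workstation jack) is err-disabled instead of being allowed to join the tree.
spanning-tree portfast bpduguard default
! Ports that stop receiving BPDUs unexpectedly go to loop-inconsistent instead of
! forwarding, which blocks the classic unidirectional-link loop.
spanning-tree loopguard default

! Optional: let a port recover on its own after the offending device is removed,
! rather than needing an admin to bounce it (interval is an assumed value).
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! --- Access port towards one workstation (the "LAN port" in the question) ---
interface GigabitEthernet1/0/12
 description workstation-access (assumed port)
 switchport mode access
 switchport access vlan 10
 ! Edge port: skip listening/learning, and bpduguard applies via the global default
 spanning-tree portfast
 ! MAC-address limit ("mac learning") that TheCleaner refers to
 switchport port-security
 switchport port-security maximum 3
 ! restrict: frames from the 4th+ MAC are dropped and a log/SNMP trap is raised,
 ! which is the "start dropping links" behaviour the asker observed.
 ! (shutdown would err-disable the whole port instead; protect drops silently.)
 switchport port-security violation restrict
 ! Age out idle addresses so a replaced device does not stay counted forever
 switchport port-security aging time 10
 switchport port-security aging type inactivity

! --- Verification an admin would run when a user reports "links being dropped" ---
! show port-security interface GigabitEthernet1/0/12
!   -> shows Maximum MAC Addresses, Total/Configured/Sticky counts,
!      Security Violation Count and the Last Source Address:Vlan seen
! show port-security address
!   -> the learned addresses per port, i.e. which 3 devices currently "own" the jack
! show interfaces status err-disabled
!   -> ports that bpduguard or port-security shut down, with the reason
! show spanning-tree summary
!   -> confirms Loopguard/Portfast BPDU Guard are "Default" and lists
!      any ports in loop-inconsistent state
```

Reading it against the question: with `violation restrict` the user's fourth device simply gets no traffic and a log entry appears on the switch, exactly the symptom described, while a second switch that sends BPDUs onto that jack trips BPDU guard and err-disables the port outright. Raising `maximum` on one port, as TheCleaner suggests, is a one-line change that keeps both guards in place.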