
We have a medium-sized network of 600 users, all on Cisco switches, where the users are allowed to plug in routers, etc. on the endpoints so that they can use wireless and/or multiple devices in their rooms.

The problem is that we are experiencing instability issues on one of the VLANs (a rather large one). The DHCP server should be working fine, as the other VLANs are fine. The weird thing is that this occurs in bursts where the internet is reported to be 'slow', something which has not been reported before. These incidents have not been happening on our current configuration before, and we have not changed the configuration. DNS is also fine, so that's out of the question.

There are, however, a lot of people who have been moving into these buildings, and they might have plugged in some equipment that may be causing this issue.

We are using STP with Portfast and BPDUGuard enabled.

Questions:

  1. What are some good ways to troubleshoot these kinds of issues?
  2. What are some good mechanisms in Cisco IOS to prevent routers having the ability to advertise rogue routes?

Thank you!

John Darke
  • STP on? Did you try monitoring the traffic (also broadcast traffic) when the internet was "slow"? Ethernet loop? P2P (torrent, ...) traffic? Any other large downloads? ... – mulaz Jan 09 '14 at 13:17
  • Sounds like a terribly hostile environment. College dorm? – Evan Anderson Jan 09 '14 at 13:22
  • @EvanAnderson yes, it's a college dorm. Very hostile indeed. – John Darke Jan 09 '14 at 13:23
  • @mulaz yes, using STP Portfast, and BPDU guard. Bandwidth shouldn't be the issue. Ethernet loop shouldn't be the case with STP. – John Darke Jan 09 '14 at 13:24
  • Forgive me for saying so, but you shouldn't expect to have order if you don't impose order. It's like leaving your young kids home alone and then asking how you can prevent them from trashing the house. You can't have your cake and eat it too. – joeqwerty Jan 09 '14 at 15:49
  • Check into DHCP snooping; it might help keep users from connecting a 'home' style router incorrectly and advertising a default gateway into your network. Also port-security in restrict mode with a high (10?) device count could be useful for you too. – cpt_fink Jan 14 '14 at 04:17

1 Answer


I'd prevent users from breaking the network out in their own rooms by forcing them to register each device they want to connect, and implement 802.1x (either full 802.1x, or MAC Authentication Bypass mode).

That'll cut down on a lot of crap for starters.

Then start breaking the network down into smaller chunks, turn on netflow and get some proper data to analyse. It's all very well the users saying they perceive it to be slow, but without some instrumentation, and experimental results, it's impossible to say if they're telling the truth, or yanking your chain.

Tom O'Connor
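The DHCP snooping and port-security (restrict mode, device cap of 10) suggested in cpt_fink's comment, together with the MAC Authentication Bypass the answer recommends, as one Cisco IOS configuration. This is an added example, not configuration from the original thread; the VLAN number (100), interface names, RADIUS address and IOS 15.x syntax are all assumed.

```cisco
! Assumed: dorm VLAN 100, user ports Gi1/0/1-47, uplink Gi1/0/48, IOS 15.x
! --- AAA for 802.1X / MAB (RADIUS address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server DORM-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
dot1x system-auth-control
!
! --- DHCP snooping: only the trusted uplink may answer DHCP, so a user's
! --- home router plugged in LAN-side cannot hand out leases or a gateway
ip dhcp snooping
ip dhcp snooping vlan 100
!
interface GigabitEthernet1/0/48
 description Uplink to distribution (trusted DHCP path)
 ip dhcp snooping trust
!
! --- User-facing ports: keep the existing STP edge protection, then add
! --- snooping rate limit, port-security in restrict mode, and MAB
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! ports are untrusted by default; cap DHCP packets per second per port
 ip dhcp snooping limit rate 15
 ! restrict: drop frames from MACs beyond the cap, log a violation,
 ! but keep the port up (shutdown would take the whole room offline)
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ! MAB: each MAC is checked against the device registry on RADIUS;
 ! multi-auth authenticates every device behind a user's router separately
 authentication port-control auto
 authentication host-mode multi-auth
 mab
 dot1x pae authenticator
!
! --- Verification, once the next 'slow' burst is reported:
! show ip dhcp snooping            (which ports are trusted, rate limits)
! show ip dhcp snooping binding    (MAC/IP/port table for VLAN 100)
! show port-security interface GigabitEthernet1/0/5
! show authentication sessions     (which MACs passed or failed MAB)
```

The `show port-security` violation counter per port points at rooms where more than 10 devices (or a looped home router) sit behind one jack, which narrows the hunt before turning on NetFlow.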