On Thu, Jun 7, 2018 at 3:57 AM, segs <michaelolusegunrufai@gmail.com> wrote: [snip]
Please, I have a very interesting scenario that I am on the lookout for a solution for. We have instances where the network team of my company bypasses controls and processes when adding new switches to the network.
The NETWORK management team of your own company?

The answer is adequate change controls, policy, procedures, technical auditing (such as logging of all CLI commands), and mandatory training with clearly communicated, in advance, severe consequences for violators of the compulsory security policy that all switches must be of X type and configured according to Y process before being connected to the network, signed off by management.

There are technical controls that can be implemented to help prevent/mitigate end users attaching an unauthorized switch to a normal access port, but as you mention... clearly an employee on the NETWORKING team can likely just configure a port as Trunk and circumvent any technical protections.

Two methods that could effectively prevent End Users (not Network/IT team) from connecting unmanaged switches would be:

* Port-security feature common on many managed switches that allows you to limit the number of MAC addresses that can use a port to 1 or a given number of MAC addresses. (Use a short MAC address aging time such as 30 seconds to allow people to unplug and plug a different device in, but a low MAC address count and Err-Disable violation to kill the port if a Switch is connected.)

* 802.1x Wired Port Security - A more detailed system that requires a PKI + RADIUS server infrastructure and authentication by every client to every port.

--
-JH
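As an added example (not part of JH's reply or any vendor document), the port-security method described above written out in Cisco IOS syntax. The vendor, interface name, VLAN number and recovery interval are assumptions; IOS expresses aging in whole minutes, so 1 minute is the closest setting to the 30 seconds mentioned.

```cisco
! Added example, not from the original thread. Cisco IOS syntax is assumed;
! interface, VLAN and timers are illustrative values.
!
! Let an err-disabled port recover on its own after 5 minutes so a tripped
! port does not need a manual "shutdown / no shutdown" from the network team.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet1/0/5
 description User access port - single host only
 switchport mode access
 switchport access vlan 10
 ! One secure MAC at a time: a hub or unmanaged switch behind the port
 ! introduces a second source MAC and trips the violation.
 switchport port-security
 switchport port-security maximum 1
 ! shutdown = put the port into err-disable; "restrict" would only drop
 ! the offending frames and log the event.
 switchport port-security violation shutdown
 ! Aging is in whole minutes, so 1 is the closest to "30 seconds" above.
 ! Inactivity aging lets a user unplug one laptop and plug in another
 ! after a short pause without tripping the port.
 switchport port-security aging time 1
 switchport port-security aging type inactivity
!
! Verification commands (run from privileged exec, not config mode):
! show port-security interface GigabitEthernet1/0/5
! show interfaces status err-disabled
```

The verification output shows the learned secure MAC, the violation count and whether the port is currently err-disabled, which is also what a central syslog collector should be alerting on.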