Computer networks
Alexey Tutubalin, 2019-03-14 19:11:40

How to solve the problem with the local network?

There is a local network spanning two buildings (connected by optics + media converters). There are smart people who connect their own routers, with their own DHCP, to the network, and naturally the network hangs; sometimes even loops appear. I'm tired of fighting this with fines, because it's 500r (according to reports to the authorities). How can I solve this problem? The network is as follows:

router (ZyXEL Keenetic Lite 3) - D-Link DES 1100-26 (managed) (further to another building (1) and along the current building) - (1) - D-Link DES 1100-26 - further on to Wi-Fi points and workers' PCs

There are about 150 points in total, and it's not clear who would think of plugging in Wi-Fi for themselves, since it is only for the director and deputies and the signal level is very low within the office, DHCP subnet 10.0. who connects. I already thought of assigning static addresses to each device with a psycho, but people who need Wi-Fi come to the boss at work (connecting them by wire is not an option, since these are phones) and they are told the password (I change it once a month). But right now the problem is that employees disconnect the cable from their PC, connect it to their personal router and use Wi-Fi on mobile phones and even personal laptops. How can I quickly work out where the new router came from?


5 answer(s)
Dmitry Shitskov, 2019-03-14
@Kennius

Track it by traffic: traffic from the router will have a TTL lower by 1 than the standard system one.
Having worked out the adversary's MAC, don't rush; instead, enable MAC Security with auto-learning on the switch ports for several days.
Once the learning is finished, ban the offending MACs.
At the same time, you can enable a limit of 1 MAC per port.
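
The TTL check from the answer above, as an added example (not part of the original answer): it parses raw Ethernet/IPv4 frames, such as those from a mirror-port capture, and reports source MACs that send LAN-sourced packets with a TTL one below a common default. The frames, MAC addresses and the 192.0.2.0/24 subnet are constructed placeholders, and the 64/128/255 initial TTLs are an assumption about the client operating systems.

```python
import ipaddress
import struct
from collections import Counter

# Assumed initial TTLs of common OS stacks; one routed hop lowers each by 1.
ROUTED_TTLS = {64 - 1, 128 - 1, 255 - 1}

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, ttl) for an untagged Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    src_mac = frame[6:12].hex(":")
    src_ip = ipaddress.IPv4Address(frame[26:30])
    return src_mac, src_ip, frame[22]  # TTL is byte 8 of the IP header

def suspect_routers(frames, lan, min_hits=2):
    """Count, per source MAC, LAN-sourced frames whose TTL is one below a default."""
    lan = ipaddress.ip_network(lan)
    hits = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        mac, ip, ttl = parsed
        # Only LAN source addresses: return traffic from the internet arrives
        # via the legitimate gateway with arbitrary TTLs and must not count.
        if ip in lan and ttl in ROUTED_TTLS:
            hits[mac] += 1
    return {mac: n for mac, n in hits.items() if n >= min_hits}

def build_frame(src_mac, src_ip, ttl):
    """Build a constructed test frame (IP checksum left at zero, unused here)."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, bytes([192, 0, 2, 1]))
    return eth + ip

# Constructed capture: two ordinary PCs, two devices behind one personal
# router, and internet return traffic forwarded by the legitimate gateway.
SAMPLE = [
    build_frame("02:00:00:00:00:10", "192.0.2.10", 128),  # PC, directly attached
    build_frame("02:00:00:00:00:11", "192.0.2.11", 64),   # PC, directly attached
    build_frame("02:00:00:00:00:aa", "192.0.2.50", 63),   # phone behind NAT router
    build_frame("02:00:00:00:00:aa", "192.0.2.50", 127),  # laptop behind same router
    build_frame("02:00:00:00:00:01", "203.0.113.7", 63),  # internet host via gateway
    build_frame("02:00:00:00:00:01", "203.0.113.7", 63),
]

if __name__ == "__main__":
    print(suspect_routers(SAMPLE, "192.0.2.0/24"))
```

A reported MAC belongs to the router's uplink port, so the switch's MAC address table shows which access port it is plugged into.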

Dmitry, 2019-03-15
@hempy80

Configure the switches with DHCP snooping to protect against rogue DHCP servers and (R)STP to prevent loops.

chupasaurus, 2019-03-14
@chupasaurus

Wi-Fi: move it to a separate subnet with its own DHCP, and use 802.1X or DHCP reservations for employees, but it won't save you from MAC address spoofing anyway :)

Maxim K, 2019-03-14
@mkvmaks

I can offer a non-engineering option: you have a nodal switch somewhere. At a certain point in time, collect statistics of the MAC addresses (permanent) for 2-3 days. After that, if a "left" MAC appears, add it to the ACL rules on the host switch; then someone will simply complain, and you look at what kind of device it is. LoopBack Detection (LBD) must also be enabled against loops.

AntHTML, 2019-03-18
@anthtml

If all your switches are managed/configurable, then I don't see any problems at all:
1. Wi-Fi points and Wi-Fi clients in a separate VLAN; you can also have a couple of guest sockets in the boss's and admin's offices
2. computers in VLANs, with MAC Security and DHCP there bound to the MAC list
3. on the Wi-Fi points, isolation of clients (backbone network)
