11-20-2017 04:12 PM
Just replaced our network gear with Aruba 2930F. I have gone through all the basic security such as DHCP snooping, DHCP trusted ports and BPDU. One thing I don't know is whether I am able to shut down the switch port if someone uses wireless routers or rogue routers to connect to our network. For now, when I plugged the WAN port of my wireless router into the 2930F switch port, the wireless router did not create any network problem. But when I connected my laptop to the wireless router and got an IP from the router, I was still able to ping or route to corporate subnets. Is there any way to avoid that? I can create an access list, but I want to see if there is any Aruba CLI command that would solve this problem.
11-22-2017 02:36 PM - edited 11-22-2017 02:43 PM
Without proper port authentication (802.1X) and/or profiling you will not solve the problem. Using ClearPass for network access control and policy enforcement can help you.
The router you placed in the network will get an IP address and probably NAT the traffic of the client connected to your wireless router.
Another method is to detect NAT devices on the network: http://www.sflow.org/detectNAT/. The downside is that you need to have an sFlow collector for detection. Also, you want to automate disabling ports when a rogue NAT device has been detected. Implementing network access control is probably an easier and more reliable direction.
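An added example, not part of the reply above or of the linked sFlow page: a sketch of the kind of check a flow collector could run to spot a NAT router on an access port. It assumes the common heuristic that a directly attached host sends with an initial TTL of 64, 128 or 255, so a packet arriving on an edge port with that value already decremented has crossed a router; the sample tuples, port names and addresses are constructed.

```python
from collections import defaultdict

# Initial TTLs used by common network stacks (assumption of this heuristic).
INITIAL_TTLS = (64, 128, 255)

# Constructed samples: (access_port, src_ip, ip_ttl) as a collector might
# decode them from sampled packet headers on edge-port ingress.
SAMPLES = [
    ("1/5", "10.1.20.31", 128),   # directly attached Windows host
    ("1/5", "10.1.20.31", 128),
    ("1/7", "10.1.20.44", 64),    # directly attached Linux host
    ("1/9", "10.1.20.52", 127),   # client behind a NAT router
    ("1/9", "10.1.20.52", 63),    # second client, different OS, same address
    ("1/9", "10.1.20.52", 64),    # the router's own traffic
    ("1/12", "10.1.20.60", 63),   # single hit, below the reporting threshold
    ("1/14", "10.1.20.71", 1),    # traceroute-style probe, ignored
]


def hops_behind(ttl):
    """Routed hops already traversed, measured from the nearest initial TTL."""
    if not 0 < ttl <= 255:
        raise ValueError("TTL out of range: %r" % ttl)
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def find_nat_suspects(samples, min_hits=2, max_hops=4):
    """Return {(port, src_ip): sorted TTLs} for sources on access ports whose
    packets arrive already decremented by 1..max_hops hops.

    max_hops filters out deliberately low TTLs (traceroute, link-local
    protocols); min_hits avoids acting on a single stray sample.
    """
    ttls = defaultdict(set)
    hits = defaultdict(int)
    for port, src, ttl in samples:
        if 1 <= hops_behind(ttl) <= max_hops:
            hits[(port, src)] += 1
            ttls[(port, src)].add(ttl)
    return {k: sorted(v) for k, v in ttls.items() if hits[k] >= min_hits}


if __name__ == "__main__":
    for (port, src), seen in find_nat_suspects(SAMPLES).items():
        print("possible NAT device on port %s (%s), TTLs seen: %s" % (port, src, seen))
```

Two TTL families from one source address, as on port 1/9, also indicate more than one operating system behind that address. A result like this is a lead for review or for a NAC policy, not proof on its own.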