The switch under Sarah's desk

The five-port unmanaged switch under Sarah's desk isn't on any network diagram. IT has never seen it. Traffic between the devices plugged into it never reaches your firewall.

We find them everywhere. Tucked behind printers. Velcroed under desks. Plugged into wall outlets that should be data-only but somehow ended up carrying production traffic.

They multiply because they solve an immediate problem: not enough ports where someone needs them. The person who bought it on their corporate card isn't trying to bypass security. They're trying to get their job done.

That switch creates a network segment your security controls have never touched. No VLAN enforcement. No access logging. No patch management. Discovery has to come before detection means anything.

Why your controls don't reach it

If someone plugs a compromised device into that switch, your network monitoring sees the traffic but not the entry point: from upstream it is just one more address learned on a port that already carries several. Endpoint detection tools protect the assets you know about. MAC address tracking alerts you to unknown addresses on the ports you watch. Neither reaches an unmanaged switch hanging off a port nobody is watching, because nobody knows the switch exists.

An unmanaged switch that nobody knows about is also a convenient attach point sitting inside your perimeter. It doesn't just create a connectivity gap. Anyone who knows it's there can plug in a tap or a rogue device on that segment without ever touching a monitored port.

802.1X, BPDU Guard and sticky MAC port security are all valid controls. The gap is that each has to be configured and maintained on the port in question, so someone has to know the switch exists before any of them enforces anything against it. One caveat worth knowing: an unmanaged switch doesn't speak spanning tree, so BPDU Guard won't trip on it; what gives it away is a second and third MAC address appearing on a port that should carry one. The A+ cert didn't install it. Sarah from accounts did.

From the LinkedIn conversation — 7,997 impressions · 54 comments
Chris Murray
Principal Site Reliability Engineer, Oracle
I enjoy all the "easy way is" explanations. All of these 802.1x and sticky MAC ideas are moot when the IT team has no ability to implement and support. 802.1x is not easy to implement.
David Barrett
Chris, this is the most honest comment on this thread. The controls that look good on paper require capability, maintenance and discipline to actually work. Most environments have none of the three consistently applied. That's exactly why physical discovery still matters.
Shawn Brown
IT Professional
One of the locations I worked at had it there because without it they couldn't get network traffic across at all. After removing it, I found out why it had been installed in the first place.
David Barrett
Shawn, that's a perfect example. The switch wasn't the problem, it was covering for one. Remove it without knowing why it's there and you've just made things worse. That's why the walk and the documentation matter as much as the fix.
Christian Palecek
Grizzly Broadband LLC
Fair points on the managed switch controls. But "a few balls dropped" describes most of the brownfield environments you walk into. The controls exist in theory.
David Barrett
Christian, exactly right. The documentation, monitoring and enforcement often don't exist. That's the gap.

What the physical layer actually looks like in brownfield environments

The controls exist in theory. In most brownfield environments we walk into, the documentation, monitoring and enforcement don't. That's not a reflection on the IT team — it's a reflection on how infrastructure accumulates over time without a systematic record of what changed, when, and why.

In just-in-time (JIT) manufacturing environments, the tolerance for undocumented infrastructure is zero the moment the line stops. In enterprise offices, the problem builds quietly until something breaks or someone finds it during an audit or incident investigation.

No VLAN enforcement

An unmanaged switch has no per-port VLAN configuration. Every device plugged into it lands in whatever VLAN the upstream port was assigned, so the traffic sits outside your segmentation architecture entirely and flows wherever the physical cable takes it.

No access logging

Ports on an unmanaged switch run no 802.1X, no port security and no syslog. A device plugged into one is simply on the network, with no authentication event to alert on and nothing to audit afterwards.

No patch management

An unmanaged switch has no management plane. It can't be patched, monitored or configured remotely, and its firmware is whatever it shipped with.

Unknown entry point

Under the Privacy Act amendments, a breach investigation will ask how an unauthorised device gained network access. If the answer is "through infrastructure nobody documented", there is no access record to answer with.

Discovery has to come before detection

Asset tracking tools help once you know what to track. Automated discovery helps once you know the topology to discover against. Neither replaces a physical walk. A device that spoofs an HP OUI and answers a network scan like a printer looks identical to a real printer in any MAC or vendor lookup. Someone has to physically walk the floor.
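The two points above, that MAC tracking only reveals what is visible from the ports you watch and that a spoofed vendor OUI passes a vendor lookup, can be shown from the network side. The script below is an added example and is not code from the original article or its author. It parses a constructed MAC address table in the style of a Cisco `show mac address-table`, flags access ports that have learned more than one address (the usual upstream symptom of an unmanaged desk switch), and then shows that a vendor lookup cannot tell a genuine HP printer from a device wearing an HP OUI. Port names, VLANs, addresses and the tiny OUI table are all assumptions made for the example; a real check would use the IEEE OUI registry.

```python
"""Find likely unmanaged switches from an upstream MAC address table.

Added example, not part of the original article. Everything below is
constructed: port names, VLANs, MAC addresses and the OUI table.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of a Cisco-style `show mac address-table`.
# Gi1/0/7 has learned three addresses, which is what an unmanaged desk
# switch looks like from upstream. Gi1/0/24 is a documented uplink.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.1001    DYNAMIC     Gi1/0/3
  10    3c52.8211.2202    DYNAMIC     Gi1/0/5
  10    0050.56bb.3301    DYNAMIC     Gi1/0/7
  10    a4bb.6dcc.4402    DYNAMIC     Gi1/0/7
  10    3c52.82dd.5503    DYNAMIC     Gi1/0/7
  20    001b.7811.6604    DYNAMIC     Gi1/0/9
   1    0011.2233.4455    DYNAMIC     Gi1/0/24
   1    0011.2233.4466    DYNAMIC     Gi1/0/24
   1    0011.2233.4477    DYNAMIC     Gi1/0/24
"""

# Ports documented as legitimately carrying many addresses (uplinks,
# trunks, access-point ports). This is the "documentation" the article
# says has to be current for the check to mean anything.
KNOWN_MULTI_MAC_PORTS = frozenset({"Gi1/0/24"})

# Illustrative OUI map (assumption for the example, not the IEEE registry).
OUI_VENDOR = {"3c5282": "Hewlett Packard", "005056": "VMware"}

# One table row: VLAN, dotted-hex MAC, learn type, port name.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = MAC_ROW.match(line)
        if match:
            vlan, mac, port = match.groups()
            entries.append((int(vlan), mac.lower(), port))
    return entries


def suspect_ports(entries, known_multi_mac_ports=frozenset(), limit=1):
    """Map each port that learned more than `limit` addresses to its MACs.

    Ports listed as known multi-MAC ports are excluded; everything else that
    shows more than one address is a candidate for the physical walk.
    """
    by_port = defaultdict(list)
    for _vlan, mac, port in entries:
        by_port[port].append(mac)
    return {
        port: macs
        for port, macs in by_port.items()
        if len(macs) > limit and port not in known_multi_mac_ports
    }


def vendor_of(mac):
    """Look up the first three bytes (OUI) of a MAC in the illustrative table."""
    oui = mac.replace(".", "").replace(":", "").lower()[:6]
    return OUI_VENDOR.get(oui, "unknown")


def walk_list(text, known_multi_mac_ports=KNOWN_MULTI_MAC_PORTS):
    """Ports to trace on foot, with a vendor guess per address."""
    suspects = suspect_ports(parse_mac_table(text), known_multi_mac_ports)
    return {
        port: [(mac, vendor_of(mac)) for mac in macs]
        for port, macs in suspects.items()
    }


if __name__ == "__main__":
    for port, devices in walk_list(MAC_TABLE).items():
        print(f"{port}: {len(devices)} addresses on one access port, trace it")
        for mac, vendor in devices:
            print(f"    {mac}  {vendor}")
    # The real printer on Gi1/0/5 and the third device on Gi1/0/7 share an
    # HP OUI, so the vendor lookup reports both as "Hewlett Packard".
```

Two things the output shows that the paragraph alone does not: without the documented-uplink list, Gi1/0/24 is flagged alongside Gi1/0/7, so the check is only as good as the documentation behind it; and the device at 3c52.82dd.5503 resolves to the same vendor as the genuine printer, which is why the flagged port goes on a walk list rather than being closed from the MAC table.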

The question isn't whether your controls are good. It's whether your documentation is current enough for those controls to actually reach everything they're supposed to reach.

How much of your network exists only in someone's desk drawer memory?

Frequently asked questions

How do you find undocumented switches during a Layer 1 audit?

Physical walkdown of every accessible cable run, outlet, and communications space. We're looking for anything connected that isn't reflected in existing documentation — switches, patch panels, active devices, and physical runs that don't appear on any drawing. The walk is the only method that reliably catches devices that are invisible to network scanning.

Does removing an undocumented switch always fix the problem?

Not necessarily. In many cases, the switch is compensating for a port shortage or a physical infrastructure gap. Removing it without understanding why it was installed can create a new problem. The audit identifies it, documents the context, and gives you an informed remediation path rather than a blind removal.

What does a Layer 1 audit actually deliver?

Accurate as-built documentation of your physical infrastructure — cabling, switching, active devices, pathways, and access points — cross-referenced against existing records to identify gaps. It gives your security and IT teams a verified baseline to work from. See our Layer 1 Network Audit page for full scope and deliverables.

Is this a problem specific to older buildings?

No. We find undocumented devices in buildings of all ages. It's a function of how infrastructure accumulates — small changes made by different people over time, none of which get recorded consistently. New buildings become brownfield environments faster than most IT teams expect.