Solved

Lock down switches/network ports

Posted on 2010-09-09
773 Views
Last Modified: 2012-06-27
Hi,

We have a number of network ports connected to a switch that we wish to lock down so that users cannot plug their own DHCP routers into and possibly cause conflicts on our network.

We're happy for them to wirelessly enable their own apartment/room so that they can use multiple devices on that network port but we don't want to get to a situation where their equipment is offering out IP addresses to other equipment on the same network.

Is there an easy way to achieve this? We have HP switching everywhere.

Thanks in advance.
Question by:itmtsn
13 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 33637907
Well, first of all, if they connect to the correct port (the WAN/Internet) on their equipment it should not happen.  Home DSL routers don't do DHCP serving on the WAN/Internet port; they only do it on the "switch ports."

However, I'm not sure you can do it.  You would need to be able to block bootp responses coming into your switch ports and I'm not sure you can do that.

0
 
LVL 3

Accepted Solution

by:
kf4zmt earned 125 total points
ID: 33638058
You could assign each switch port into its own VLAN.  This means you'd have as many VLANs as you have switch ports.  Since each VLAN is a separate broadcast domain, you'd be stopping the DHCP broadcast from going anywhere else.  This isn't a very elegant solution, but it would work unless you must have all the rooms in one VLAN for some reason.  There may be a better solution, but this is the first that comes to mind with the information given.

0
 
LVL 12

Expert Comment

by:naykam
ID: 33638206
HP has a feature called spanning tree (even though the firmware written by HP isn't the best).

Google it because it's fairly in-depth, but in a nutshell: any port on the switch with spanning tree enabled will shut down if a device attempts to provide DHCP (from an unauthorised source such as a client router). I'm pretty sure it's exactly what you are after.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 33638286
Spanning tree has nothing to do with DHCP.  What spanning tree is designed to do is prevent loops within the network.  Say switch A connects to switch B, B connects to C and C connects to A.  There is a loop, and spanning tree will shut down either the A to C or the A to B connection.

Now using VLANs is a good idea, if your switches support more VLANs than you have rooms.  The other thing you could do if you used VLANs is block the room VLANs from communicating with each other.  That way a virus can't spread from one room to another and people can't break into computers in other rooms.
0
 
LVL 12

Expert Comment

by:naykam
ID: 33638357
Sorry, I do stand corrected. Let me find what I am actually trying to refer to.
0
 
LVL 23

Expert Comment

by:Brian B
ID: 33638364
Further to giltjr's post, DHCP itself is not routable. That's why those consumer-grade routers are not as big a threat. Having said that, if they plugged the uplink to your network into the switch rather than the WAN port, it could still cause problems.
0
 
LVL 12

Expert Comment

by:naykam
ID: 33638417
correction: DHCP snooping
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 125 total points
ID: 33638717
Assuming you have HP ProCurves, you can follow this to code the DHCP snooping that naykam mentioned.

http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S12_ProCurve-DHCP-snooping-final.pdf
0
 
LVL 12

Assisted Solution

by:naykam
naykam earned 125 total points
ID: 33642155
Yeah, DHCP snooping does work well. But it also does require a bit of config, basically because you have to configure it per port.

Here is an overview: http://en.wikipedia.org/wiki/DHCP_snooping

Another doc on snooping: http://goo.gl/vA0i

It's basically along the lines of (ProCurve config syntax; lines starting with ";" are comments, as in a ProCurve config file):

; enable DHCP snooping globally
dhcp-snooping
; the legitimate DHCP server; server messages from any other server are dropped
dhcp-snooping authorized-server [ip-addr]
; the VLAN(s) on which DHCP traffic is inspected
dhcp-snooping vlan [vlan]
; optional: do not insert relay-agent information (option 82) into client requests
no dhcp-snooping option 82
; the uplink towards the real DHCP server must be trusted; room ports stay untrusted
dhcp-snooping trust [interface]
0
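To make the per-port decision that the config above asks the switch to take concrete, here is an added worked example (written for this page, not code from HP or from any poster) that models a DHCP-snooping filter in Python: server-to-client messages (OFFER/ACK/NAK) are dropped on untrusted ports, server messages on trusted ports must come from the authorized-server list when one is configured, and client messages from untrusted ports are dropped when the Ethernet source MAC does not match the BOOTP chaddr field. Port names, MAC addresses, server IPs and the DHCP packets are all constructed sample data; the rule set is a simplified model of the documented behaviour, and the chaddr check is an assumption about which checks a given firmware applies by default. Binding tables, rate limiting and option 82 handling are not modelled.

```python
"""Model of a DHCP-snooping port filter (added example; not switch firmware code)."""
import struct
from typing import Dict, Optional, Tuple

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that ends the BOOTP header
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MSGS = {OFFER, ACK, NAK}       # messages only a DHCP server may send


def build_dhcp(op: int, chaddr: bytes, msg_type: int,
               server_id: Optional[str] = None) -> bytes:
    """Construct a minimal BOOTP/DHCP payload (sample data built for this example)."""
    # op, htype(1=Ethernet), hlen(6), hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
    hdr = struct.pack("!BBBBIHHIIII", op, 1, 6, 0, 0x1234, 0, 0, 0, 0, 0, 0)
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128   # chaddr, sname, file
    opts = bytes([53, 1, msg_type])                                    # option 53: message type
    if server_id:                                                      # option 54: server identifier
        opts += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(pkt: bytes) -> Dict[str, object]:
    """Extract the fields a snooping filter needs: op, chaddr, message type, server id."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    chaddr = pkt[28:28 + hlen]
    i, opts = 240, {}
    while i < len(pkt) and pkt[i] != 255:          # 255 = end option
        if pkt[i] == 0:                             # 0 = pad
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    server_id = ".".join(str(b) for b in opts[54]) if 54 in opts else None
    return {"op": pkt[0], "chaddr": chaddr, "msg_type": opts[53][0], "server_id": server_id}


class DhcpSnooping:
    """Per-port forward/drop decision for DHCP frames."""

    def __init__(self, trusted_ports, authorized_servers=(), verify_mac: bool = True):
        self.trusted = set(trusted_ports)          # ports facing the real DHCP server
        self.authorized = set(authorized_servers)  # empty set = any server on a trusted port
        self.verify_mac = verify_mac               # assumed 'verify mac' style check

    def decide(self, port: str, src_mac: bytes, pkt: bytes) -> Tuple[bool, str]:
        d = parse_dhcp(pkt)
        if d["msg_type"] in SERVER_MSGS:
            if port not in self.trusted:
                return False, "server message on untrusted port %s" % port
            if self.authorized and d["server_id"] not in self.authorized:
                return False, "server %s not in authorized-server list" % d["server_id"]
            return True, "server message on trusted port"
        if port not in self.trusted and self.verify_mac and src_mac != d["chaddr"]:
            return False, "source MAC does not match chaddr"
        return True, "client message"


def snoop_demo() -> Dict[str, bool]:
    """Constructed scenario: room port 3 is untrusted, uplink port 24 is trusted."""
    snoop = DhcpSnooping(trusted_ports={"24"}, authorized_servers={"10.0.0.5"})
    tenant = bytes.fromhex("001122334455")   # tenant's device (sample MAC)
    rogue = bytes.fromhex("66778899aabb")    # tenant's router LAN side (sample MAC)
    real = bytes.fromhex("0a0b0c0d0e0f")     # the site's DHCP server (sample MAC)
    return {
        "discover_from_room": snoop.decide("3", tenant, build_dhcp(1, tenant, DISCOVER))[0],
        "rogue_offer_on_room_port": snoop.decide("3", rogue, build_dhcp(2, tenant, OFFER, "192.168.1.1"))[0],
        "real_offer_on_uplink": snoop.decide("24", real, build_dhcp(2, tenant, OFFER, "10.0.0.5"))[0],
        "unauthorized_server_on_uplink": snoop.decide("24", real, build_dhcp(2, tenant, OFFER, "10.0.0.9"))[0],
        "spoofed_chaddr_on_room_port": snoop.decide("3", rogue, build_dhcp(1, tenant, DISCOVER))[0],
    }


if __name__ == "__main__":
    for name, allowed in snoop_demo().items():
        print("%-32s %s" % (name, "forward" if allowed else "DROP"))
```

The two cases that matter operationally are the last three: if the uplink to the real DHCP server is left untrusted, every legitimate OFFER is dropped and nobody gets an address; and the authorized-server list catches a rogue server that happens to sit behind a trusted port.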
 
LVL 12

Expert Comment

by:naykam
ID: 33653394
How did you go?
0
 

Author Comment

by:itmtsn
ID: 33662575
Hi :)

Thanks for all the suggestions. We're just working through them to see what offers us the best solution. I'll get back to you soon.

Thanks again!
0
 
LVL 7

Assisted Solution

by:GridLock137
GridLock137 earned 125 total points
ID: 33672388
what kind of switches are you running on your network?

You can use port security and give just the first learned MAC address from a device access to that port; any other device that attempts to connect will be blocked because its MAC address does not match the already learned MAC address. Of course this works on Cisco switches; I'm sure other switches may have similar port security settings you can use.
0
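As an added illustration of the "first learned MAC" behaviour (written for this page; not Cisco or HP code and not the poster's), the following Python model locks each port to the first source MAC it sees and treats any other MAC as a violation, in either the shutdown style (port is err-disabled until an admin clears it) or the restrict style (only the offending frames are dropped). The scenario it runs is the one described earlier in the thread: a tenant router connected via its WAN port presents a single MAC to the switch no matter how many wireless clients sit behind its NAT, whereas a router connected via one of its LAN ports exposes every client MAC and trips the limit. Port names and MAC addresses are constructed sample data. Note that port security inspects source MACs only; it does not look at DHCP, so on its own it does not stop a DHCP server that answers from the one permitted MAC.

```python
"""Model of port security with address-limit 1 (added example; not switch code)."""
from typing import Dict, List, Set


class PortSecurity:
    """Tracks learned MACs per port and applies the violation action."""

    def __init__(self, limit: int = 1, violation: str = "shutdown"):
        self.limit = limit                 # max MACs per port (1 = first device only)
        self.violation = violation         # "shutdown" (err-disable) or "restrict" (drop frame)
        self.learned: Dict[str, List[str]] = {}
        self.disabled: Set[str] = set()

    def frame(self, port: str, src_mac: str) -> str:
        """Decide what happens to one ingress frame; returns a short verdict string."""
        if port in self.disabled:
            return "dropped: port err-disabled"
        macs = self.learned.setdefault(port, [])
        if src_mac in macs:
            return "forwarded"
        if len(macs) < self.limit:
            macs.append(src_mac)           # first MAC seen is learned and sticks
            return "forwarded (learned)"
        if self.violation == "shutdown":
            self.disabled.add(port)        # the whole port goes down, first MAC included
            return "dropped: violation, port err-disabled"
        return "dropped: violation"

    def clear(self, port: str) -> None:
        """Admin recovery: forget learned MACs and re-enable the port."""
        self.learned.pop(port, None)
        self.disabled.discard(port)


def port_security_demo() -> Dict[str, object]:
    """Constructed scenario with a tenant router on port 3 (WAN side) and port 4 (LAN side)."""
    ps = PortSecurity(limit=1, violation="shutdown")
    router_wan = "00:11:22:33:44:55"                  # router's WAN MAC (sample)
    laptop, phone = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # clients behind it (sample)

    # Port 3: router uplinked via its WAN port, so NAT hides the clients behind one MAC.
    wan_side = [ps.frame("3", router_wan) for _ in range(3)]

    # Port 4: router uplinked via a LAN port, so each client's MAC reaches the switch.
    lan_side = [ps.frame("4", laptop), ps.frame("4", phone), ps.frame("4", laptop)]
    ps.clear("4")
    after_clear = ps.frame("4", laptop)

    # Same LAN-side mistake under the restrict action: only the second MAC is dropped.
    restrict = PortSecurity(limit=1, violation="restrict")
    restrict_mode = [restrict.frame("4", laptop), restrict.frame("4", phone), restrict.frame("4", laptop)]

    return {"wan_side": wan_side, "lan_side": lan_side,
            "after_clear": after_clear, "restrict_mode": restrict_mode}


if __name__ == "__main__":
    for name, result in port_security_demo().items():
        print(name, "->", result)
```

The practical consequence for this thread's setup: with the shutdown action a tenant who wires the wrong port of their router takes their own room port down, and someone with switch access has to clear it; with restrict the port stays up but only the first device works. Either way, a router swap means the old MAC must be cleared before the new one is learned.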
 

Author Closing Comment

by:itmtsn
ID: 33692596
All four solutions are valid, so I have split the points four ways :) Hope that's fair.

We have decided to go with the last suggestion and use port security to lock down each port to the first MAC address.
0
