Solved

Lock down switches/network ports

Posted on 2010-09-09
13
768 Views
Last Modified: 2012-06-27
Hi,

We have a number of network ports connected to a switch that we wish to lock down so that users cannot plug their own DHCP routers into and possibly cause conflicts on our network.

We're happy for them to wirelessly enable their own apartment/room so that they can use multiple devices on that network port but we don't want to get to a situation where their equipment is offering out IP addresses to other equipment on the same network.

Is there an easy way to achieve this? We have HP switching everywhere.

Thanks in advance.
0
Comment
Question by:itmtsn
  • 5
  • 3
  • 2
  • +3
13 Comments
 
LVL 57

Expert Comment

by:giltjr
Comment Utility
Well, first of all if they connect to the correct port (the WAN/Internet) on their equipment it should not happen.  Home DSL routers don't do DHCP serving on the WAN/Internet port, the only do it on the "switch ports."

However, I'm not sure you can do it.  You would need to be able to block bootp responses coming into your switch ports and I'm not sure you can do that.

0
 
LVL 3

Accepted Solution

by:
kf4zmt earned 125 total points
Comment Utility
You could assign each switch port into it's own vlan.  This means you'd have as many vlans as you have switch ports.  Since each vlan is a separate broadcast domain, you'd be stopping the dhcp broadcast from going anywhere else.  This isn't a very elegant solution, but it would work unless you must have all the rooms in one vlan for some reason.  There may be a better solution, but this is the first that comes to mind with the information given.

0
 
LVL 12

Expert Comment

by:naykam
Comment Utility
HP has a feature called spanning tree (even though the firmware written by hp isn't the best)

google it because its fairly in-depth, but in a nutshell. Any port on the switch with spanning tree enabled will shutdown if a device attempts to provide DHCP (from an unauthorised source such as client router) - Im pretty sure its exactly what your are after.
0
 
LVL 57

Expert Comment

by:giltjr
Comment Utility
Spanning tree has nothing to do with DHCP.  What spanning tree is designed to do is prevent loops within the network.  That switch A connects to switch B and B connects to C and C connects to A.  There is a loop and spanning tree will shut down either the A to C or the A to B connection.

Now using VLAN's is an good idea, if your switches support more VLAN's than you have rooms.  The other thing you could do if you used VLAN's is block the room VLAN's from communicating with each other.  That way virus can't spread from one room to another and people can't break into computers in other rooms.
0
 
LVL 12

Expert Comment

by:naykam
Comment Utility
Sorry I do stand correct, Let me find what I am actually trying to refer to
0
 
LVL 23

Expert Comment

by:Brian B
Comment Utility
Further to giltjr's post, DHCP itself is not routable. That's why those consumer-grade routers are not as big a threat. Having said that, if they plugged the uplink to your network into the switch rather than the WAN port, it could still cause problems.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 12

Expert Comment

by:naykam
Comment Utility
correction: DHCP snooping
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 125 total points
Comment Utility
Assuming you have HP Procurves you can follow this to code the DHCP snooping that naykam mentioned.

http://h40060.www4.hp.com/procurve/uk/en/pdfs/application-notes/AN-S12_ProCurve-DHCP-snooping-final.pdf
0
 
LVL 12

Assisted Solution

by:naykam
naykam earned 125 total points
Comment Utility
Yea DHCP snooping does work well. But it also does requires a bit of config, basically because you have to configure per port

Here is an overview: http://en.wikipedia.org/wiki/DHCP_snooping

Another doc on snooping: http://goo.gl/vA0i

Its basically along the lines of:

dhcp-snooping
dhcp-snooping authorized-server [ip-addr]
dhcp-snooping vlan [vlan]
no dhcp-snooping option 82
dhcp-snooping trust [interface]
0
 
LVL 12

Expert Comment

by:naykam
Comment Utility
how did you go?
0
 

Author Comment

by:itmtsn
Comment Utility
Hi :)

Thanks for all the suggestions. We're just working through them to see what offers us the best solution. I'll get back to you soon.

Thanks again!
0
 
LVL 7

Assisted Solution

by:GridLock137
GridLock137 earned 125 total points
Comment Utility
what kind of switches are you running on your network?

you can use port security and specify just the first learned mac address from a device access to that port, any other device that attempts to connect will be blocked because the mac address does not match the already learned mac address, of course this works on cisco switches, i'm sure other switches may have similar port security settings you can use.
0
 

Author Closing Comment

by:itmtsn
Comment Utility
All four solutions are valid so have split the points four ways :) Hope that's fair.

We have decided to go with the last suggestion and use port security and lock down each port to the first mac address.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
upgrading flat network to VLAN 3 76
SSL RA VPN 7 70
Decrypting SSL traffic in wireshark 7 21
Best sims for HP switches 4 29
Some time ago I was asked to set up a web portal PC to put at our entrance. When customers arrive, they could see a webpage 'promoting' our company. So I tried to set up a windows 7 PC as a kiosk PC.......... I will spare you all the annoyances I…
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now