We help IT Professionals succeed at work.

Lock down switches/network ports

itmtsn
itmtsn asked
on
883 Views
Last Modified: 2012-06-27
Hi,

We have a number of network ports connected to a switch that we wish to lock down so that users cannot plug their own DHCP routers into and possibly cause conflicts on our network.

We're happy for them to wirelessly enable their own apartment/room so that they can use multiple devices on that network port but we don't want to get to a situation where their equipment is offering out IP addresses to other equipment on the same network.

Is there an easy way to achieve this? We have HP switching everywhere.

Thanks in advance.
Comment
Watch Question

CERTIFIED EXPERT
Top Expert 2014

Commented:
Well, first of all if they connect to the correct port (the WAN/Internet) on their equipment it should not happen.  Home DSL routers don't do DHCP serving on the WAN/Internet port, the only do it on the "switch ports."

However, I'm not sure you can do it.  You would need to be able to block bootp responses coming into your switch ports and I'm not sure you can do that.

Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Commented:
HP has a feature called spanning tree (even though the firmware written by hp isn't the best)

google it because its fairly in-depth, but in a nutshell. Any port on the switch with spanning tree enabled will shutdown if a device attempts to provide DHCP (from an unauthorised source such as client router) - Im pretty sure its exactly what your are after.
CERTIFIED EXPERT
Top Expert 2014

Commented:
Spanning tree has nothing to do with DHCP.  What spanning tree is designed to do is prevent loops within the network.  That switch A connects to switch B and B connects to C and C connects to A.  There is a loop and spanning tree will shut down either the A to C or the A to B connection.

Now using VLAN's is an good idea, if your switches support more VLAN's than you have rooms.  The other thing you could do if you used VLAN's is block the room VLAN's from communicating with each other.  That way virus can't spread from one room to another and people can't break into computers in other rooms.

Commented:
Sorry I do stand correct, Let me find what I am actually trying to refer to
Brian BEE Topic Advisor, Independent Technology Professional
CERTIFIED EXPERT

Commented:
Further to giltjr's post, DHCP itself is not routable. That's why those consumer-grade routers are not as big a threat. Having said that, if they plugged the uplink to your network into the switch rather than the WAN port, it could still cause problems.

Commented:
correction: DHCP snooping
CERTIFIED EXPERT
Top Expert 2014
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Commented:
how did you go?

Author

Commented:
Hi :)

Thanks for all the suggestions. We're just working through them to see what offers us the best solution. I'll get back to you soon.

Thanks again!
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
All four solutions are valid so have split the points four ways :) Hope that's fair.

We have decided to go with the last suggestion and use port security and lock down each port to the first mac address.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.