We have a number of network ports connected to a switch that we wish to lock down so that users cannot plug their own DHCP routers into them and possibly cause conflicts on our network.
We're happy for them to wirelessly enable their own apartment/room so that they can use multiple devices on that network port but we don't want to get to a situation where their equipment is offering out IP addresses to other equipment on the same network.
Is there an easy way to achieve this? We have HP switching everywhere.
Thanks in advance.
Switches / Hubs, Networking, DHCP
Last Comment
itmtsn
8/22/2022 - Mon
giltjr
Well, first of all, if they connect to the correct port (the WAN/Internet) on their equipment it should not happen. Home DSL routers don't do DHCP serving on the WAN/Internet port, they only do it on the "switch ports."
However, I'm not sure you can do it. You would need to be able to block bootp responses coming into your switch ports and I'm not sure you can do that.
HP has a feature called spanning tree (even though the firmware written by HP isn't the best).
Google it because it's fairly in-depth, but in a nutshell, any port on the switch with spanning tree enabled will shut down if a device attempts to provide DHCP (from an unauthorised source such as a client router) - I'm pretty sure it's exactly what you are after.
giltjr
Spanning tree has nothing to do with DHCP. What spanning tree is designed to do is prevent loops within the network. That is, switch A connects to switch B and B connects to C and C connects to A. There is a loop and spanning tree will shut down either the A to C or the A to B connection.
Now, using VLANs is a good idea, if your switches support more VLANs than you have rooms. The other thing you could do if you used VLANs is block the room VLANs from communicating with each other. That way a virus can't spread from one room to another and people can't break into computers in other rooms.
Sorry, I do stand corrected. Let me find what I am actually trying to refer to.
Brian B
Further to giltjr's post, DHCP itself is not routable. That's why those consumer-grade routers are not as big a threat. Having said that, if they plugged the uplink to your network into the switch rather than the WAN port, it could still cause problems.
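Added example, not part of the thread or any poster's code: the check giltjr describes, dropping BOOTP/DHCP server replies that arrive on room-facing switch ports, is what switches implement under the name DHCP snooping. The Python below models that per-port decision on constructed packets; the port numbers and the `build_sample` and `verdict` names are assumptions for illustration.

```python
BOOTREPLY = 2                   # BOOTP op code: server-to-client message
MAGIC = b"\x63\x82\x53\x63"     # DHCP magic cookie after the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def dhcp_message_type(payload):
    """Return (op, DHCP message type name) for a UDP 67/68 payload.

    op is None when the payload is too short to be BOOTP; the type name is
    None when option 53 is absent (plain BOOTP or truncated options)."""
    if len(payload) < 236:
        return None, None
    op = payload[0]
    if payload[236:240] != MAGIC:
        return op, None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):    # truncated option header
            break
        length = payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return op, MSG_TYPES.get(payload[i + 2], "UNKNOWN")
        i += 2 + length
    return op, None

def verdict(port, payload, trusted_ports):
    """Drop server replies unless they arrive on a trusted (uplink) port."""
    op, _ = dhcp_message_type(payload)
    if op == BOOTREPLY and port not in trusted_ports:
        return "drop"
    return "forward"

def build_sample(op, msg_type):
    """Constructed sample packet: zeroed BOOTP header plus option 53."""
    header = bytes([op, 1, 6, 0]) + b"\x00" * 232
    return header + MAGIC + bytes([53, 1, msg_type, 255])

if __name__ == "__main__":
    trusted = {24}  # assumed uplink port toward the real DHCP server
    for port, op, mtype in [(5, 1, 1), (5, 2, 2), (24, 2, 5)]:
        pkt = build_sample(op, mtype)
        print(port, dhcp_message_type(pkt), verdict(port, pkt, trusted))
```

Client requests (DISCOVER, REQUEST) from a room port are still forwarded, so devices behind a correctly cabled tenant router keep working; only an OFFER or ACK sourced from a room port is discarded.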