How to prevent a single machine from taking down the network

We have HP Procurve 5400 series switches at an organization with about 500 IP devices spread across about 15 VLANs. We also have HP Procurve 2848 switches for the server racks. We have an issue where occasionally the network will perform very badly and we will find a device that seems to assume all IP addresses and MAC addresses. This fills the primary VLAN of the guest machine's DHCP pool with bad addresses and any server on that VLAN with an IP conflict. While the guest machine changes, it is usually caused by a developer using a desktop switch or bridging with wireless on an entry-level wireless AP. We have recommended using better access points, but the desktop switches are unavoidable. Is there anything on the HP switch that we can set that would prevent a single machine or desktop switch from taking down the network? I.e. maybe limiting the number of MACs or something?
getzie asked:

BelushiLomax commented:
Not sure of the command with HP, but you can restrict a MAC address to a switch port with a Cisco sticky MAC... HP is pretty good; there should be the same thing.
getzie (author) commented:
Yes, there is a static MAC command, but I suspect that we're looking for static ARP. That would prevent fallout from an IP conflict (the switch wouldn't direct IP traffic to a different MAC). I am now looking at the broadcast limit on the interfaces, set at about 20%, but I'm not totally confident about what it will do.
andrew1812 commented:
The Port-Security feature on the switch can be used to restrict the MAC address on a specific port of the switch.

http://www.hp.com/hpinfo/newsroom/press_kits/2010/HPOptimizesAppDelivery/E5400zl_Switch_Series_Data_Sheet.pdf (search for port-security)

gsmartin, Manager of IT, commented:
Personally, the approach here is that you are trying to band-aid your root cause. The issue you are describing is far from normal in any network environment. A random rogue system cannot assume the IP and MAC addresses of other systems in normal operation. It would require someone maliciously or inappropriately writing code to gather this information and assume the identities, for the purpose of monitoring other systems' traffic. This is typically done by putting a NIC in promiscuous mode and by spanning network ports on a switch.

As you indicated, this issue is typically caused by a developer. If this is the case, I would find out more about what they were attempting to do that created the original issue. IT management should be focusing on who and what the developer was trying to develop that resulted in this issue vs. trying to band-aid the root cause.

Locking MAC addresses down to the port will definitely secure your network, but will be a management pain.

If developers are using consumer-based (D-Link, Netgear, Linksys, etc.) switches, a couple of things you should do are: First, make sure the port on the switch is not using spanning-tree port fast. Second, enable 'Error Disable'; this feature will shut down a port that experiences a high rate of errors. (Not sure what HP's equivalent commands are.) I had an issue one time where a rogue consumer switch port went bad and flooded the network, taking down all of the enterprise switches.

My preference, as an IT Manager, is to address the root cause if possible. This may depend on your company and its politics.
gsmartin, Manager of IT, commented:
Please disregard the grammatical errors in my post.  This was written on my iPhone.
getzie (author) commented:
Thanks gsmartin. I'm still chewing on that a bit. The developers are using SNMP to test their equipment and, under different circumstances, using consumer-based switches. I have to follow up on RSTP and the port config in each instance and look up 'Error Disable'... Your comment about the rogue consumer switch port taking down the enterprise switches is probably most instructive for me. I can't replace the developers and have already partitioned them off as best I could onto separate VLANs or even entirely separate networks. When this has happened, it has left a fair number of errors on the reporting port.
getzie (author) commented:
That was it. I found a command with the spanning tree bpdu-filter, and it worked like a charm yesterday. Since it disables the port (configurable) to require an admin, we can work with the developers to get them the proper equipment.
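The symptom in the question (one device answering for every IP it sees, servers hit with IP conflicts) and the MAC-per-port limit discussed in the answers can both be spotted from the switch's ARP and MAC-address tables before a port-security or BPDU action trips. The script below is an added example, not code from the thread or from HP; the table entries are constructed samples in a simplified three-column and two-column form, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample ARP entries: (ip, mac, port). Port A7 hosts the device that
# answers for every address it sees, the symptom described in the question.
ARP = [
    ("10.1.20.10", "001122-aabb01", "A1"),
    ("10.1.20.11", "001122-aabb02", "A2"),
    ("10.1.20.10", "0017a4-deadbe", "A7"),
    ("10.1.20.11", "0017a4-deadbe", "A7"),
    ("10.1.20.12", "0017a4-deadbe", "A7"),
]
# Constructed sample MAC-address-table entries: (mac, port).
MACS = [
    ("001122-aabb01", "A1"), ("001122-aabb02", "A2"),
    ("0017a4-deadbe", "A7"), ("0017a4-000001", "A7"), ("0017a4-000002", "A7"),
]

def find_conflicts(arp, max_ips_per_mac=1):
    """IPs claimed by more than one MAC (conflicts) and MACs claiming more IPs
    than a single host should (the rogue device). Thresholds are assumptions."""
    macs_by_ip, ips_by_mac = defaultdict(set), defaultdict(set)
    for ip, mac, _port in arp:
        macs_by_ip[ip].add(mac)
        ips_by_mac[mac].add(ip)
    conflicts = {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}
    greedy = {mac: sorted(i) for mac, i in ips_by_mac.items() if len(i) > max_ips_per_mac}
    return conflicts, greedy

def busy_ports(mac_table, max_macs_per_port=1):
    """Ports learning more MACs than one host presents: a desktop switch or a
    bridging AP hangs off these, and a port-security address limit would trip here."""
    by_port = defaultdict(set)
    for mac, port in mac_table:
        by_port[port].add(mac)
    return {p: len(m) for p, m in by_port.items() if len(m) > max_macs_per_port}

if __name__ == "__main__":
    conflicts, greedy = find_conflicts(ARP)
    for ip, macs in conflicts.items():
        print(f"IP conflict on {ip}: {', '.join(macs)}")
    for mac, ips in greedy.items():
        print(f"{mac} answers for {len(ips)} addresses, check its port")
    for port, n in busy_ports(MACS).items():
        print(f"port {port} learned {n} MACs: desktop switch or bridge?")
```

Run it against a periodic export of the real tables and the greedy MAC plus the busy port together point at the offending desk without waiting for the next outage.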