Solved

Howto prevent single machine from taking down network

Posted on 2012-04-06
7
375 Views
Last Modified: 2012-08-13
We have HP Procurve 5400 series switches at an organization with about 500 IP devices spread across about 15 VLANs.  We also have HP Procurve 2848 switches for the server racks.  We have an issue where occasionally the network will perform very badly and we will find a device that seems to assume all IP addresses and MAC addresses.  This fills the primary VLAN of the guest machine's DHCP pool with bad addresses and any server on that VLAN with an IP conflict.  While the guest machine changes it is usually caused by a developer using a desktop switch or bridging with wireless on an entry-level wireless AP.  We have recommended using better access points but the desktop switches are unavoidable.  Is there anything on the HP switch that we can set that would prevent a single machine or desktop switch from taking down the network?  I.E. maybe limiting the number of mac's or something?
0
Comment
Question by:getzie
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37815932
not sure of the command with hp but you can restrict a mac address to a switchport with a Cisco sticky mac...HP is pretty good, there should be the same thing
0
 
LVL 2

Author Comment

by:getzie
ID: 37816181
Yes, there is a static mac command, but I suspect that we're looking for static arp.  That would prevent fallout from an ip conflict (the switch wouldn't direct IP traffic to a different mac).  I am now looking at Broadcast limit on the interfaces - set at about 20% but I'm not totally confident about what it will do.
0
 
LVL 5

Expert Comment

by:andrew1812
ID: 37816303
Port-Security feature on the switch can be used to restrict the mac-address on the specific port on the switch

http://www.hp.com/hpinfo/newsroom/press_kits/2010/HPOptimizesAppDelivery/E5400zl_Switch_Series_Data_Sheet.pdf ( Search for port-security)
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 8

Accepted Solution

by:
gsmartin earned 500 total points
ID: 37819289
Personally, the approach here is you are trying to bandaid your root cause.  The issue you are describing is far from normal in any network environment.  A random rogue system can not do assume the IP and MAC addresses of other systems in normal operation.   It what require someone maliciously or inappropriately writing code to gather this information to assume the identities for either the purpose of monitoring other systems traffic.  Which is typically done by pitting a NIC in promiscuous mode and by spanning network ports on a switch.  

As you indicated, this issue is typically caused by a Developer.  If this is the case, I would find out more about what they were attempting to do that created the original issue.  IT management should be focusing on who and what the developer was trying to develop that resulted in this issue vs trying bandaid the root cause.  

Locking MAC addresses down to the port will definately secure your network, but will be a management pain.

If developers are using consumer based (DLink, Netgear, LinkSys, etc...) switches a couple of things you should do is:  First, make sure the port on the switch is not using spanning-tree port fast.   Second, Enable 'Error Disable' - this feature will shutdown a port that experiences a high rate of errors.  (not sure what HP's equivalant commands are).  I had an issue one time where a rogue consumer switch port went bad and flooded the network taking down all of the enterprise switches.

My preference, as an IT Manager, is to address the root cause if possible.  This may depend on your company and it's politics.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37819296
Please disregard the grammatical errors in my post.  This was written on my iPhone.
0
 
LVL 2

Author Comment

by:getzie
ID: 37824377
thanks gsmartin - I'm still chewing on that a bit.  The developers are using SNMP to test their equipment and under different circumstances using consumer based switches.  I have to follow up on RSTP and the port config in each instance and lookup 'Error Disable'...  Your comment about the rogue consume switch port taking down the enterprise switches is probably most instructive for me.  I can't replace the developers and have already partitioned them off as best I could onto separate VLANs or even entirely separate networks.  When this has happened, it has left a fair number of errors on the reporting port.
0
 
LVL 2

Author Closing Comment

by:getzie
ID: 37832870
That was it.  I found a command with the spanning tree bpdu-filter and it worked like a charm yesterday.  Since it disables the port (configurable) to require an admin we can work with the developers to get them the proper equipment.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Etherchannel balancing 10 39
Changing VLAN information 3 36
Comparing Microsoft SCCM/SCOM with Solarwinds ipMonitor ? 2 14
How to disable sflow Cisco nexus 9k 3 14
Is your computer hacked? learn how to detect and delete malware in your PC
For Sennheiser, comfort, quality and security are high priority areas. This paper addresses the security of Bluetooth technology and the supplementary security that Sennheiser’s Contact Center and Office (CC&O) headsets provide.  
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question