Solved

Howto prevent single machine from taking down network

Posted on 2012-04-06
367 Views
Last Modified: 2012-08-13
We have HP ProCurve 5400 series switches at an organization with about 500 IP devices spread across about 15 VLANs.  We also have HP ProCurve 2848 switches for the server racks.  We have an issue where occasionally the network will perform very badly and we will find a device that seems to assume all IP addresses and MAC addresses.  This fills the primary VLAN of the guest machine's DHCP pool with bad addresses and any server on that VLAN with an IP conflict.  While the guest machine changes, it is usually caused by a developer using a desktop switch or bridging with wireless on an entry-level wireless AP.  We have recommended using better access points, but the desktop switches are unavoidable.  Is there anything on the HP switch that we can set that would prevent a single machine or desktop switch from taking down the network?  I.e. maybe limiting the number of MACs or something?
Question by:getzie
7 Comments
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37815932
Not sure of the command with HP, but you can restrict a MAC address to a switchport with a Cisco sticky MAC... HP is pretty good; there should be the same thing.
 
LVL 2

Author Comment

by:getzie
ID: 37816181
Yes, there is a static MAC command, but I suspect that we're looking for static ARP.  That would prevent fallout from an IP conflict (the switch wouldn't direct IP traffic to a different MAC).  I am now looking at Broadcast limit on the interfaces - set at about 20%, but I'm not totally confident about what it will do.
 
LVL 5

Expert Comment

by:andrew1812
ID: 37816303
The Port-Security feature on the switch can be used to restrict the MAC address on a specific port on the switch.

http://www.hp.com/hpinfo/newsroom/press_kits/2010/HPOptimizesAppDelivery/E5400zl_Switch_Series_Data_Sheet.pdf (search for port-security)
 
LVL 8

Accepted Solution

by: gsmartin (earned 500 total points)
ID: 37819289
Personally, I think the approach here is that you are trying to band-aid your root cause.  The issue you are describing is far from normal in any network environment.  A random rogue system cannot assume the IP and MAC addresses of other systems in normal operation.   It would require someone maliciously or inappropriately writing code to gather this information and assume the identities for the purpose of monitoring other systems' traffic, which is typically done by putting a NIC in promiscuous mode and by spanning network ports on a switch.

As you indicated, this issue is typically caused by a developer.  If this is the case, I would find out more about what they were attempting to do that created the original issue.  IT management should be focusing on who and what the developer was trying to develop that resulted in this issue vs. trying to band-aid the root cause.

Locking MAC addresses down to the port will definitely secure your network, but will be a management pain.

If developers are using consumer-based (D-Link, Netgear, Linksys, etc.) switches, a couple of things you should do are:  First, make sure the port on the switch is not using spanning-tree PortFast.   Second, enable 'Error Disable' - this feature will shut down a port that experiences a high rate of errors.  (Not sure what HP's equivalent commands are.)  I had an issue one time where a rogue consumer switch port went bad and flooded the network, taking down all of the enterprise switches.

My preference, as an IT Manager, is to address the root cause if possible.  This may depend on your company and its politics.
 
LVL 8

Expert Comment

by:gsmartin
ID: 37819296
Please disregard the grammatical errors in my post.  This was written on my iPhone.
 
LVL 2

Author Comment

by:getzie
ID: 37824377
Thanks gsmartin - I'm still chewing on that a bit.  The developers are using SNMP to test their equipment and, under different circumstances, using consumer-based switches.  I have to follow up on RSTP and the port config in each instance and look up 'Error Disable'...  Your comment about the rogue consumer switch port taking down the enterprise switches is probably most instructive for me.  I can't replace the developers and have already partitioned them off as best I could onto separate VLANs or even entirely separate networks.  When this has happened, it has left a fair number of errors on the reporting port.
 
LVL 2

Author Closing Comment

by:getzie
ID: 37832870
That was it.  I found a command with the spanning tree bpdu-filter and it worked like a charm yesterday.  Since it disables the port (configurable) to require an admin we can work with the developers to get them the proper equipment.
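An added example, not from the question or any of the answers above, showing how the measures discussed in this thread (no PortFast on developer ports, an error-disable equivalent, a MAC-address limit, and a broadcast limit) map onto HP ProCurve CLI configuration on a 5400zl-style switch. Port A1 is an assumed developer-facing access port, the limits and timers are illustrative, and the broadcast-limit syntax differs between ProCurve models (the 2800 series uses `broadcast-limit` rather than `rate-limit bcast`), so check the model's command reference before applying it. Note that on ProCurve the option that disables the port on receipt of a BPDU is `bpdu-protection`; `bpdu-filter` only stops the port from sending or processing BPDUs.

```text
; Developer-facing access port on a ProCurve 5400zl (example; port A1 is assumed)

; 1. Spanning tree: do not treat the port as an edge port (the PortFast
;    equivalent), and disable the port if a BPDU arrives on it, i.e. when a
;    consumer switch or a bridging AP is plugged in. The timeout lets the port
;    recover on its own after 600 seconds; set it to 0 to require an admin to
;    re-enable the port by hand.
spanning-tree
no spanning-tree A1 admin-edge-port
spanning-tree A1 bpdu-protection
spanning-tree bpdu-protection-timeout 600

; 2. Loop protection: catches loops through unmanaged switches that do not
;    forward BPDUs at all, by disabling the port when its own probe frame
;    comes back in.
loop-protect A1
loop-protect disable-timer 600

; 3. Port security: allow at most 2 MAC addresses on the port and disable it
;    when a third shows up (the error-disable equivalent for a host that
;    starts answering for many MAC addresses).
port-security A1 learn-mode static address-limit 2 action send-disable

; 4. Ingress broadcast rate limit: cap broadcasts at 20% of link bandwidth so
;    an ARP or DHCP storm from one port cannot saturate the VLAN.
interface A1 rate-limit bcast in percent 20

; Verification after an incident, and manual recovery of a disabled port
show spanning-tree bpdu-protection
show loop-protect A1
show port-security A1
interface A1 enable
```

A port disabled by any of these features shows up in `show interfaces brief` as down with the port enabled, and the event log records which feature disabled it, which is the cue to go and find the desktop switch.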
