Solved

How to prevent a single machine from taking down the network

Posted on 2012-04-06
372 Views
Last Modified: 2012-08-13
We have HP ProCurve 5400 series switches at an organization with about 500 IP devices spread across about 15 VLANs.  We also have HP ProCurve 2848 switches for the server racks.  We have an issue where occasionally the network will perform very badly and we will find a device that seems to assume all IP addresses and MAC addresses.  This fills the primary VLAN of the guest machine's DHCP pool with bad addresses and leaves any server on that VLAN with an IP conflict.  While the guest machine changes, it is usually caused by a developer using a desktop switch or bridging with wireless on an entry-level wireless AP.  We have recommended using better access points, but the desktop switches are unavoidable.  Is there anything on the HP switch that we can set that would prevent a single machine or desktop switch from taking down the network?  I.e., maybe limiting the number of MACs or something?
0
Question by:getzie
7 Comments
 
LVL 7

Expert Comment

by:BelushiLomax
ID: 37815932
Not sure of the command with HP, but you can restrict a MAC address to a switch port with Cisco sticky MAC... HP is pretty good; there should be the same thing.
0
 
LVL 2

Author Comment

by:getzie
ID: 37816181
Yes, there is a static MAC command, but I suspect that we're looking for static ARP.  That would prevent fallout from an IP conflict (the switch wouldn't direct IP traffic to a different MAC).  I am now looking at the broadcast limit on the interfaces, set at about 20%, but I'm not totally confident about what it will do.
0
 
LVL 5

Expert Comment

by:andrew1812
ID: 37816303
The port-security feature on the switch can be used to restrict the MAC addresses allowed on a specific switch port.

http://www.hp.com/hpinfo/newsroom/press_kits/2010/HPOptimizesAppDelivery/E5400zl_Switch_Series_Data_Sheet.pdf ( Search for port-security)
0
 
LVL 8

Accepted Solution

by: gsmartin (earned 500 total points)
ID: 37819289
Personally, the approach here is that you are trying to band-aid your root cause.  The issue you are describing is far from normal in any network environment.  A random rogue system cannot assume the IP and MAC addresses of other systems in normal operation.  It would require someone maliciously or inappropriately writing code to gather this information and assume those identities for the purpose of monitoring other systems' traffic, which is typically done by putting a NIC in promiscuous mode and by spanning network ports on a switch.

As you indicated, this issue is typically caused by a developer.  If this is the case, I would find out more about what they were attempting to do that created the original issue.  IT management should be focusing on who and what the developer was trying to develop that resulted in this issue, rather than trying to band-aid the root cause.

Locking MAC addresses down to the port will definitely secure your network, but it will be a management pain.

If developers are using consumer-based (D-Link, Netgear, Linksys, etc.) switches, a couple of things you should do are: first, make sure the port on the switch is not using spanning-tree PortFast.  Second, enable 'error disable'; this feature will shut down a port that experiences a high rate of errors.  (Not sure what HP's equivalent commands are.)  I had an issue one time where a rogue consumer switch port went bad and flooded the network, taking down all of the enterprise switches.

My preference, as an IT manager, is to address the root cause if possible.  This may depend on your company and its politics.
0
 
LVL 8

Expert Comment

by:gsmartin
ID: 37819296
Please disregard the grammatical errors in my post.  This was written on my iPhone.
0
 
LVL 2

Author Comment

by:getzie
ID: 37824377
Thanks gsmartin.  I'm still chewing on that a bit.  The developers are using SNMP to test their equipment and, under different circumstances, using consumer-based switches.  I have to follow up on RSTP and the port config in each instance and look up 'error disable'...  Your comment about the rogue consumer switch port taking down the enterprise switches is probably most instructive for me.  I can't replace the developers and have already partitioned them off as best I could onto separate VLANs or even entirely separate networks.  When this has happened, it has left a fair number of errors on the reporting port.
0
 
LVL 2

Author Closing Comment

by:getzie
ID: 37832870
That was it.  I found a command with the spanning-tree bpdu-filter, and it worked like a charm yesterday.  Since it disables the port (configurable) until an admin re-enables it, we can work with the developers to get them the proper equipment.
0
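The thread names four separate controls without ever showing the HP syntax: the MAC limit the question asks for and andrew1812's port-security pointer, the "no PortFast plus error-disable" advice in the accepted answer, the broadcast limit getzie was experimenting with, and the disable-on-BPDU behaviour in the closing comment. The configuration below puts all of them together for a ProCurve 5400zl. It is an added example, not configuration from the original thread or from HP's documentation, and it assumes a K-series firmware that has these features, developer access ports A1-A23, an uplink A24 toward the DHCP server, and developer VLAN 20; the port names and VLAN ID are hypothetical. One caveat on the closing comment: on ProCurve, `bpdu-filter` only discards BPDUs and leaves the port forwarding, while the "disables the port until an admin re-enables it" behaviour described there is what the CLI calls `bpdu-protection`, so that is what is used here.

```text
; Added example for this thread; not from the original posts or from HP.
; Assumptions (hypothetical): 5400zl on K-series firmware, developer
; access ports A1-A23, uplink A24, developer VLAN 20.

; 1. Limit learned MACs per developer port ("limiting the number of MACs").
;    learn-mode limited-continuous lets the port learn up to address-limit
;    addresses on its own; one more is an intrusion.  A PC plus a dev board
;    fits in 2; a desktop switch with several hosts behind it does not.
;    action send-disable shuts the port and logs the offending MAC instead
;    of only raising an alarm.
port-security A1-A23 learn-mode limited-continuous address-limit 2 action send-disable

; 2. Edge port + BPDU protection (the ProCurve form of "no PortFast without
;    a guard").  A BPDU arriving from a consumer switch or a bridged AP
;    disables the port for 300 s; with the timeout left at 0 it stays down
;    until an admin re-enables it.
spanning-tree A1-A23 admin-edge-port
spanning-tree A1-A23 bpdu-protection
spanning-tree bpdu-protection-timeout 300

; 3. Catch the loop BPDU protection cannot see: a consumer switch that does
;    not speak STP at all and has two cables into it.  The 5400zl sends its
;    own probe frames and disables a port that receives one back.
loop-protect A1-A23
loop-protect transmit-interval 5
loop-protect disable-timer 300

; 4. Cap broadcast flooding from one port so an ARP storm on a looped
;    segment cannot starve the rest of the VLAN.  20% is what the poster
;    tried; a single end station needs far less.
interface A1-A23 broadcast-limit 10

; 5. Address the IP-conflict symptom directly: only the uplink may answer
;    DHCP, and ARP replies on untrusted ports are checked against the
;    DHCP-snooping binding table, so one host cannot claim every address
;    in the pool.  Mismatching replies are dropped and counted.
dhcp-snooping
dhcp-snooping vlan 20
dhcp-snooping trust A24
arp-protect
arp-protect vlan 20
arp-protect trust A24

; After the next incident:
;   show port-security intrusion-log
;   show spanning-tree bpdu-protection
;   show loop-protect A1-A23
;   show arp-protect statistics 20
;   show mac-address A5              ; every MAC learned on the suspect port
; Re-enabling a port that port-security disabled:
;   port-security A5 clear-intrusion-flag
;   interface A5 enable
```

Roll these out in the order listed and verify between steps. Steps 1 to 4 only affect a port that is already misbehaving; step 5 changes forwarding for everyone on VLAN 20, and any developer box with a static IP will have its ARP replies dropped until it has a binding in the snooping table, which in a lab full of test equipment is exactly the kind of breakage to expect. The port-security address limit is the control that directly answers the question: when the port goes down, `show port-security intrusion-log` names the MAC that tripped it, which is the evidence gsmartin's "find out what the developer was doing" approach needs.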
