How to prevent a single machine from taking down the network

We have HP ProCurve 5400 series switches at an organization with about 500 IP devices spread across about 15 VLANs. We also have HP ProCurve 2848 switches for the server racks. We have an issue where occasionally the network will perform very badly and we will find a device that seems to assume all IP addresses and MAC addresses. This fills the primary VLAN of the guest machine's DHCP pool with bad addresses and gives any server on that VLAN an IP conflict. While the guest machine changes, it is usually caused by a developer using a desktop switch or bridging with wireless on an entry-level wireless AP. We have recommended using better access points, but the desktop switches are unavoidable. Is there anything on the HP switch that we can set that would prevent a single machine or desktop switch from taking down the network, i.e. maybe limiting the number of MACs or something?
getzie asked:
gsmartin (Manager of IT) commented:
Personally, the approach here is that you are trying to band-aid your root cause. The issue you are describing is far from normal in any network environment. A random rogue system cannot assume the IP and MAC addresses of other systems in normal operation. It would require someone maliciously or inappropriately writing code to gather this information to assume the identities, for the purpose of monitoring other systems' traffic. That is typically done by putting a NIC in promiscuous mode and by spanning network ports on a switch.

As you indicated, this issue is typically caused by a developer. If this is the case, I would find out more about what they were attempting to do that created the original issue. IT management should be focusing on who and what the developer was trying to develop that resulted in this issue vs. trying to band-aid the root cause.

Locking MAC addresses down to the port will definitely secure your network, but will be a management pain.

If developers are using consumer-based (D-Link, Netgear, Linksys, etc.) switches, a couple of things you should do are: First, make sure the port on the switch is not using spanning-tree PortFast. Second, enable 'Error Disable'; this feature will shut down a port that experiences a high rate of errors (not sure what HP's equivalent commands are). I had an issue one time where a rogue consumer switch port went bad and flooded the network, taking down all of the enterprise switches.

My preference, as an IT Manager, is to address the root cause if possible. This may depend on your company and its politics.
BelushiLomax commented:
Not sure of the command with HP, but you can restrict a MAC address to a switchport with a Cisco sticky MAC... HP is pretty good, there should be the same thing.
getzie (Author) commented:
Yes, there is a static MAC command, but I suspect that we're looking for static ARP. That would prevent fallout from an IP conflict (the switch wouldn't direct IP traffic to a different MAC). I am now looking at the broadcast limit on the interfaces, set at about 20%, but I'm not totally confident about what it will do.
andrew1812 commented:
The Port-Security feature on the switch can be used to restrict the MAC addresses allowed on a specific port of the switch.

http://www.hp.com/hpinfo/newsroom/press_kits/2010/HPOptimizesAppDelivery/E5400zl_Switch_Series_Data_Sheet.pdf (search for port-security)
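As an added example (not from this thread, and not HP's own documentation), the following ProCurve 5400zl CLI fragment puts together the three controls discussed above: the per-port MAC limit that andrew1812 points to, the 20% broadcast limit the asker was experimenting with, and DHCP snooping plus dynamic ARP protection, which is the switch-side answer to the "static ARP" idea (it drops ARP replies that do not match a lease the switch saw issued). Port names (A1 as a developer desk port, A24 as the uplink toward the real DHCP server) and VLAN 10 as the developer VLAN are assumptions; lines beginning with `;` are annotations, not commands to type. The 2848 in the server racks may not support the DHCP-snooping and ARP-protect commands, so treat that part as 5400zl-only.

```text
; Added example, assumed topology: A1 = developer desk port, A24 = uplink to
; the DHCP server, VLAN 10 = developer VLAN. Enter from "configure".

; 1. Port security: allow at most 4 MAC addresses to be learned on A1.
;    A desktop switch with more hosts behind it trips the limit; the switch
;    then disables the port and sends an SNMP trap (send-disable).
port-security A1 learn-mode limited-continuous address-limit 4 action send-disable

; 2. Broadcast rate limit: cap inbound broadcast on A1 at 20% of link rate so a
;    looped or faulty consumer switch cannot saturate the VLAN with broadcast.
;    (Older 2800-series firmware uses "broadcast-limit <0-99>" in the
;    interface context instead; assumed, check your release notes.)
interface A1 rate-limit bcast in percent 20

; 3. DHCP snooping: only the uplink may source DHCP OFFER/ACK, and the switch
;    builds a binding table (IP, MAC, VLAN, port) from leases it forwards.
dhcp-snooping
dhcp-snooping vlan 10
dhcp-snooping trust A24

; 4. Dynamic ARP protection: ARP packets on VLAN 10 are checked against the
;    snooping bindings; a host claiming another host's IP/MAC is dropped.
arp-protect
arp-protect vlan 10
arp-protect trust A24

; Verification and recovery after an intrusion event:
;   show port-security A1
;   show port-security intrusion-log
;   show dhcp-snooping binding
;   show arp-protect
; To bring A1 back once the offending device is removed:
;   port-security A1 clear-intrusion-flag
;   interface A1 enable
```

The address-limit of 4 is deliberately small: a single workstation presents one MAC, so a limit that low flags a desktop switch or a bridging AP quickly while still tolerating a docking station or VM with a couple of extra addresses. Static ARP entries on the switch, by contrast, would have to be maintained for every server and would not stop the rogue host from answering ARP requests on the wire; the snooping-based check does.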
gsmartin (Manager of IT) commented:
Please disregard the grammatical errors in my post.  This was written on my iPhone.
getzie (Author) commented:
Thanks gsmartin, I'm still chewing on that a bit. The developers are using SNMP to test their equipment and, under different circumstances, using consumer-based switches. I have to follow up on RSTP and the port config in each instance and look up 'Error Disable'... Your comment about the rogue consumer switch port taking down the enterprise switches is probably most instructive for me. I can't replace the developers and have already partitioned them off as best I could onto separate VLANs or even entirely separate networks. When this has happened, it has left a fair number of errors on the reporting port.
getzie (Author) commented:
That was it. I found a command with the spanning-tree bpdu-filter and it worked like a charm yesterday. Since it disables the port (configurable) to require an admin, we can work with the developers to get them the proper equipment.
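The spanning-tree side of the fix, as an added example (not the asker's actual configuration and not HP documentation): on ProCurve the two related per-port commands do different things. `bpdu-protection` is the one that disables a port when a BPDU arrives on it, which is what you want on desk ports so that a consumer switch or bridging AP plugged in underneath gets cut off and logged; `bpdu-filter` only stops the port from sending or processing BPDUs, which protects the STP topology from the device but leaves the port up. The port range A1-A23 for desk ports, A24 as uplink, and the 600-second auto-recovery timer are assumptions; lines beginning with `;` are annotations.

```text
; Added example, assumed: A1-A23 are desk ports, A24 is the uplink.
; Enter from "configure".

; Ensure spanning tree (RSTP/MSTP) is running at all.
spanning-tree

; Desk ports are edge ports: they forward immediately and are expected
; never to see a BPDU. Do NOT apply this to the uplink.
spanning-tree A1-A23 admin-edge-port

; BPDU protection: if a BPDU does arrive on an edge port (desktop switch,
; bridging AP, cable looped back), the port is disabled and an event logged.
spanning-tree A1-A23 bpdu-protection

; Auto re-enable after 600 s. Set to 0 (the default) to keep the port down
; until an admin runs "interface <port> enable", which is the behaviour the
; asker wanted so that the developer has to come and talk to IT.
spanning-tree bpdu-protection-timeout 600

; Alternative/complement: silently drop BPDUs on a port without disabling it.
; Use this only where the port must stay up even with a switch behind it.
; spanning-tree A1 bpdu-filter

; Verification:
;   show spanning-tree bpdu-protection
;   show spanning-tree A1 detail
; Recovery for a port held down by bpdu-protection:
;   interface A1 enable
```

Keep `admin-edge-port` and `bpdu-protection` off the uplink and any port that legitimately connects to another managed switch; a BPDU on those ports is normal, and disabling them would take the 5400 off the network rather than protect it.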