HP 1920-16 switch

Posted on 2016-08-30
Last Modified: 2016-09-08
Hi experts,

I am looking to adding a few switches to my network for clients to connect to the internet via hard lines.  My problem is that, i worry that some users will connect a router or switch to the cables i provide. I dont want them to loop the network or add another DHCP to the network.  Is there a feature on this switch that will block users from adding a switches/routers/dhcp?

I am using HP 1910-16 and 1920-16
Question by:kabrutus
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 26

Expert Comment

ID: 41777220
These are smart switches so configure port security on all the ports and limit the number of MAC's permitted.  

CLI on each port/interface:   port-security max-mac-count 2 ?

I'm a little rusty on HP however that should do it.  There are additional things you can do with port security so I advise looking into it.

Author Comment

ID: 41777250
Will that help with looping the network?  What if a client connects their router to the wrong way and injects dhcp to my network?  All i want to do is provide internet and maybe some filesharing.
LVL 26

Expert Comment

ID: 41777317
What that will do is prevent more than "x" number of MAC addresses connecting to a specific port.

network diagram 1 ee
With port security the MAC address of each device connected to the Owned Switch is registered to the port it is connected to.

If someone connects a switch and then connects one or more workstations to that switch then it will trip the port security and shut down the port.

A Hub does not (usually) provide a MAC address so the first device connected to the Hub would register and any additional will trip the port security

The owned switch should have a default route built in that goes to the owned router so any device connected to the switch that sends traffic not destined to another device on that switch will go out the default route.

If an additional router is connected to the switch it should follow the same rules
MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.


Author Comment

ID: 41777330
Cool. I will have multiple users using those line throughout the day. Does it count the MAC address by concurrent connections?  
I have had users that don't know what they are doing and connect the lab side of a router to my switch.  And it will add their DHCP to my network. Will this stop the IPs from coming into my network?    If not, is there a security setting I can look into to help deny that from happening?
LVL 17

Accepted Solution

TimotiSt earned 250 total points
ID: 41777814
To protect against multiple users connecting through a rouge switch/AP, port security (MAC address limiting) is good.
It won't protect you from routers, though, as that only represents as one MAC.
Against loops, spanning tree provides protection (which has its own quirks).
Against rouge DHCP servers, DHCP snooping can protect.

@pony10us: The 1920 is a Comware-based switch, mostly to-be used with a web GUI.
LVL 26

Expert Comment

ID: 41778228
@TimotiSt:  Thank you.  I was not aware of that with the 1920.  We use Cisco exclusively now and have the GUI turned off for security purposes.

@kabrutus:  If you will have people swapping out computers throughout the day then port security can become a headache.  It is really more for a static network to protect against rogue devices.  If you are providing internet service to the public like an internet café where anyone can bring in a computer and connect then this is probably not the best option.  

Perhaps setting up a wireless AP using a router with guest access would be a better choice. This is how we permit auditors and others.  The guest account is password protected and has no access to our internal network.

Author Comment

ID: 41778258
we have an ap but they require us to provide multiple internet drops.  does the 1920 have all the features described above?
LVL 26

Assisted Solution

pony10us earned 250 total points
ID: 41778294
The more I read this the more I think that VLAN's might be the best option.  Both the 1910 and 1920 are both capable of layer 3 to an extent. Separating out the "clients" from your internal network seems to be the primary goal and that can be accomplished through routing and VLAN's.  

This will not prevent connecting a switch or router but will isolate it.

Author Comment

ID: 41778645
I have vlans, but I need to keep them from killing the vlans they are on.

Author Comment

ID: 41779237
I found this article, do you know if the 1920 supports this feature? Is this what i described?

Featured Post

Get MongoDB database support online, now!

At Percona’s web store you can order your MongoDB database support needs in minutes. No hassles, no fuss, just pick and click. Pay online with a credit card. Handle your MongoDB database support now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question