Solved

HP 1920-16 switch

Posted on 2016-08-30
Last Modified: 2016-09-08
Hi experts,

I am looking to add a few switches to my network for clients to connect to the internet via hard lines. My problem is that I worry that some users will connect a router or switch to the cables I provide. I don't want them to loop the network or add another DHCP server to the network. Is there a feature on this switch that will block users from adding switches/routers/DHCP?

I am using HP 1910-16 and 1920-16
Question by:kabrutus
10 Comments
 
LVL 26

Expert Comment

by:pony10us
ID: 41777220
These are smart switches, so configure port security on all the ports and limit the number of MACs permitted.

CLI on each port/interface:   port-security max-mac-count 2 ?

I'm a little rusty on HP however that should do it.  There are additional things you can do with port security so I advise looking into it.

Author Comment

by:kabrutus
ID: 41777250
Will that help with looping the network? What if a client connects their router the wrong way and injects DHCP into my network? All I want to do is provide internet and maybe some file sharing.
 
LVL 26

Expert Comment

by:pony10us
ID: 41777317
What that will do is prevent more than "x" number of MAC addresses connecting to a specific port.

(attached image: network diagram)
With port security the MAC address of each device connected to the Owned Switch is registered to the port it is connected to.

If someone connects a switch and then connects one or more workstations to that switch then it will trip the port security and shut down the port.

A hub does not (usually) provide a MAC address, so the first device connected to the hub would register and any additional will trip the port security.

The owned switch should have a default route built in that goes to the owned router so any device connected to the switch that sends traffic not destined to another device on that switch will go out the default route.

If an additional router is connected to the switch it should follow the same rules.

 

Author Comment

by:kabrutus
ID: 41777330
Cool. I will have multiple users using those lines throughout the day. Does it count the MAC addresses by concurrent connections?
I have had users that don't know what they are doing and connect the LAN side of a router to my switch, and it will add their DHCP to my network. Will this stop the IPs from coming into my network? If not, is there a security setting I can look into to help deny that from happening?
 
LVL 17

Accepted Solution

by:
TimotiSt earned 250 total points
ID: 41777814
To protect against multiple users connecting through a rogue switch/AP, port security (MAC address limiting) is good.
It won't protect you from routers, though, as that only represents one MAC.
Against loops, spanning tree provides protection (which has its own quirks).
Against rogue DHCP servers, DHCP snooping can protect.

@pony10us: The 1920 is a Comware-based switch, mostly to be used with a web GUI.
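Putting the three protections TimotiSt lists (and the port-security command pony10us gives) into one configuration, as an added example that comes from neither poster nor from HP. It assumes Comware 5 CLI syntax, that GigabitEthernet1/0/16 is the uplink to the owned router and GigabitEthernet1/0/1 is a client drop; the 1920 is normally managed through its web GUI, so check each command against the model's own manual before relying on it.

```text
# Assumed Comware 5 syntax. Global settings first (system view).
system-view
# Spanning tree: a looped client switch no longer takes the VLAN down.
 stp enable
# BPDU protection: an edge port that receives a BPDU (a user's switch) is shut down.
 stp bpdu-protection
# DHCP snooping: DHCP replies are only accepted on ports marked "trust".
 dhcp-snooping
# Required globally before the per-port MAC limits take effect.
 port-security enable

# Uplink to the owned router (assumed GigabitEthernet1/0/16):
# the only port allowed to answer DHCP requests.
interface GigabitEthernet1/0/16
 dhcp-snooping trust
 quit

# Client drop (assumed GigabitEthernet1/0/1): edge port, untrusted for DHCP,
# at most two MAC addresses. Together with bpdu-protection above, the edge
# port setting is the BPDU guard behaviour asked about in this thread.
interface GigabitEthernet1/0/1
 stp edged-port enable
# pony10us's limit; note a router's LAN side still shows up as a single MAC,
# which is why DHCP snooping is needed as well.
 port-security max-mac-count 2
 port-security port-mode autolearn
 quit

# Repeat the client-drop block for each remaining drop, then save.
save
```

A port that BPDU protection shuts down stays down until an administrator brings it back with `undo shutdown` on that interface; `display port-security` and `display dhcp-snooping` show which protection tripped and which bindings exist.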
 
LVL 26

Expert Comment

by:pony10us
ID: 41778228
@TimotiSt:  Thank you.  I was not aware of that with the 1920.  We use Cisco exclusively now and have the GUI turned off for security purposes.

@kabrutus:  If you will have people swapping out computers throughout the day then port security can become a headache.  It is really more for a static network to protect against rogue devices.  If you are providing internet service to the public like an internet café where anyone can bring in a computer and connect then this is probably not the best option.  

Perhaps setting up a wireless AP using a router with guest access would be a better choice. This is how we permit auditors and others.  The guest account is password protected and has no access to our internal network.
 

Author Comment

by:kabrutus
ID: 41778258
We have an AP, but they require us to provide multiple internet drops. Does the 1920 have all the features described above?
 
LVL 26

Assisted Solution

by:pony10us
pony10us earned 250 total points
ID: 41778294
The more I read this the more I think that VLANs might be the best option. Both the 1910 and 1920 are capable of layer 3 to an extent. Separating out the "clients" from your internal network seems to be the primary goal, and that can be accomplished through routing and VLANs.

This will not prevent connecting a switch or router but will isolate it.
 

Author Comment

by:kabrutus
ID: 41778645
I have VLANs, but I need to keep them from killing the VLANs they are on.
 

Author Comment

by:kabrutus
ID: 41779237
I found this article; do you know if the 1920 supports this feature? Is this what I described?

http://evilrouters.net/2009/03/11/bpdu-protection-on-hp-procurve-switches/