Solved

HP 1920-16 switch

Posted on 2016-08-30
10
67 Views
Last Modified: 2016-09-08
Hi experts,

I am looking to adding a few switches to my network for clients to connect to the internet via hard lines.  My problem is that, i worry that some users will connect a router or switch to the cables i provide. I dont want them to loop the network or add another DHCP to the network.  Is there a feature on this switch that will block users from adding a switches/routers/dhcp?

I am using HP 1910-16 and 1920-16
0
Comment
Question by:kabrutus
  • 5
  • 4
10 Comments
 
LVL 26

Expert Comment

by:pony10us
ID: 41777220
These are smart switches so configure port security on all the ports and limit the number of MAC's permitted.  

CLI on each port/interface:   port-security max-mac-count 2 ?

I'm a little rusty on HP however that should do it.  There are additional things you can do with port security so I advise looking into it.
0
 

Author Comment

by:kabrutus
ID: 41777250
Will that help with looping the network?  What if a client connects their router to the wrong way and injects dhcp to my network?  All i want to do is provide internet and maybe some filesharing.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 41777317
What that will do is prevent more than "x" number of MAC addresses connecting to a specific port.

network diagram 1 ee
With port security the MAC address of each device connected to the Owned Switch is registered to the port it is connected to.

If someone connects a switch and then connects one or more workstations to that switch then it will trip the port security and shut down the port.

A Hub does not (usually) provide a MAC address so the first device connected to the Hub would register and any additional will trip the port security

The owned switch should have a default route built in that goes to the owned router so any device connected to the switch that sends traffic not destined to another device on that switch will go out the default route.

If an additional router is connected to the switch it should follow the same rules
0
Watch Anatomy of a Wi-Fi Hack On-Demand

In less than a weekend, anyone with Internet access and some free time can become a Wi-Fi MitM to wreak havoc on your network. View our Wi-Fi Expert in an on-demand episode of our Secure Wi-Fi mini-series as he explores the motives, execution, and anatomy of a Wi-Fi hack.

 

Author Comment

by:kabrutus
ID: 41777330
Cool. I will have multiple users using those line throughout the day. Does it count the MAC address by concurrent connections?  
I have had users that don't know what they are doing and connect the lab side of a router to my switch.  And it will add their DHCP to my network. Will this stop the IPs from coming into my network?    If not, is there a security setting I can look into to help deny that from happening?
0
 
LVL 17

Accepted Solution

by:
TimotiSt earned 250 total points
ID: 41777814
To protect against multiple users connecting through a rouge switch/AP, port security (MAC address limiting) is good.
It won't protect you from routers, though, as that only represents as one MAC.
Against loops, spanning tree provides protection (which has its own quirks).
Against rouge DHCP servers, DHCP snooping can protect.

@pony10us: The 1920 is a Comware-based switch, mostly to-be used with a web GUI.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 41778228
@TimotiSt:  Thank you.  I was not aware of that with the 1920.  We use Cisco exclusively now and have the GUI turned off for security purposes.

@kabrutus:  If you will have people swapping out computers throughout the day then port security can become a headache.  It is really more for a static network to protect against rogue devices.  If you are providing internet service to the public like an internet café where anyone can bring in a computer and connect then this is probably not the best option.  

Perhaps setting up a wireless AP using a router with guest access would be a better choice. This is how we permit auditors and others.  The guest account is password protected and has no access to our internal network.
0
 

Author Comment

by:kabrutus
ID: 41778258
we have an ap but they require us to provide multiple internet drops.  does the 1920 have all the features described above?
0
 
LVL 26

Assisted Solution

by:pony10us
pony10us earned 250 total points
ID: 41778294
The more I read this the more I think that VLAN's might be the best option.  Both the 1910 and 1920 are both capable of layer 3 to an extent. Separating out the "clients" from your internal network seems to be the primary goal and that can be accomplished through routing and VLAN's.  

This will not prevent connecting a switch or router but will isolate it.
0
 

Author Comment

by:kabrutus
ID: 41778645
I have vlans, but I need to keep them from killing the vlans they are on.
0
 

Author Comment

by:kabrutus
ID: 41779237
I found this article, do you know if the 1920 supports this feature? Is this what i described?

http://evilrouters.net/2009/03/11/bpdu-protection-on-hp-procurve-switches/
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Please see preceding article here: http://www.experts-exchange.com/Networking/Operating_Systems/A_11209-Root-Bridge-Election.html Figure 1 After Root Bridge has been elected, then what?..... Let's start by defining a Root Port in la…
SSL is a very common protocol used these days when browsing the web.  The purpose is to provide security to communication, but how does it do it?  There are several pieces at work that have to be setup before SSL will even work and it requires both …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question