Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 114
  • Last Modified:

HP 1920-16 switch

Hi experts,

I am looking to adding a few switches to my network for clients to connect to the internet via hard lines.  My problem is that, i worry that some users will connect a router or switch to the cables i provide. I dont want them to loop the network or add another DHCP to the network.  Is there a feature on this switch that will block users from adding a switches/routers/dhcp?

I am using HP 1910-16 and 1920-16
0
kabrutus
Asked:
kabrutus
  • 5
  • 4
2 Solutions
 
pony10usCommented:
These are smart switches so configure port security on all the ports and limit the number of MAC's permitted.  

CLI on each port/interface:   port-security max-mac-count 2 ?

I'm a little rusty on HP however that should do it.  There are additional things you can do with port security so I advise looking into it.
0
 
kabrutusAuthor Commented:
Will that help with looping the network?  What if a client connects their router to the wrong way and injects dhcp to my network?  All i want to do is provide internet and maybe some filesharing.
0
 
pony10usCommented:
What that will do is prevent more than "x" number of MAC addresses connecting to a specific port.

network diagram 1 ee
With port security the MAC address of each device connected to the Owned Switch is registered to the port it is connected to.

If someone connects a switch and then connects one or more workstations to that switch then it will trip the port security and shut down the port.

A Hub does not (usually) provide a MAC address so the first device connected to the Hub would register and any additional will trip the port security

The owned switch should have a default route built in that goes to the owned router so any device connected to the switch that sends traffic not destined to another device on that switch will go out the default route.

If an additional router is connected to the switch it should follow the same rules
0
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

 
kabrutusAuthor Commented:
Cool. I will have multiple users using those line throughout the day. Does it count the MAC address by concurrent connections?  
I have had users that don't know what they are doing and connect the lab side of a router to my switch.  And it will add their DHCP to my network. Will this stop the IPs from coming into my network?    If not, is there a security setting I can look into to help deny that from happening?
0
 
TimotiStDatacenter TechnicianCommented:
To protect against multiple users connecting through a rouge switch/AP, port security (MAC address limiting) is good.
It won't protect you from routers, though, as that only represents as one MAC.
Against loops, spanning tree provides protection (which has its own quirks).
Against rouge DHCP servers, DHCP snooping can protect.

@pony10us: The 1920 is a Comware-based switch, mostly to-be used with a web GUI.
0
 
pony10usCommented:
@TimotiSt:  Thank you.  I was not aware of that with the 1920.  We use Cisco exclusively now and have the GUI turned off for security purposes.

@kabrutus:  If you will have people swapping out computers throughout the day then port security can become a headache.  It is really more for a static network to protect against rogue devices.  If you are providing internet service to the public like an internet cafĂ© where anyone can bring in a computer and connect then this is probably not the best option.  

Perhaps setting up a wireless AP using a router with guest access would be a better choice. This is how we permit auditors and others.  The guest account is password protected and has no access to our internal network.
0
 
kabrutusAuthor Commented:
we have an ap but they require us to provide multiple internet drops.  does the 1920 have all the features described above?
0
 
pony10usCommented:
The more I read this the more I think that VLAN's might be the best option.  Both the 1910 and 1920 are both capable of layer 3 to an extent. Separating out the "clients" from your internal network seems to be the primary goal and that can be accomplished through routing and VLAN's.  

This will not prevent connecting a switch or router but will isolate it.
0
 
kabrutusAuthor Commented:
I have vlans, but I need to keep them from killing the vlans they are on.
0
 
kabrutusAuthor Commented:
I found this article, do you know if the 1920 supports this feature? Is this what i described?

http://evilrouters.net/2009/03/11/bpdu-protection-on-hp-procurve-switches/
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now