HP 1920-16 switch

Posted on 2016-08-30
Last Modified: 2016-09-08
Hi experts,

I am looking to add a few switches to my network for clients to connect to the internet via hard lines.  My problem is that I worry that some users will connect a router or switch to the cables I provide. I don't want them to loop the network or add another DHCP server to the network.  Is there a feature on this switch that will block users from adding switches/routers/DHCP?

I am using HP 1910-16 and 1920-16.
Question by:kabrutus
LVL 26

Expert Comment

ID: 41777220
These are smart switches, so configure port security on all the ports and limit the number of MACs permitted.

CLI on each port/interface:   port-security max-mac-count 2 ?

I'm a little rusty on HP; however, that should do it.  There are additional things you can do with port security, so I advise looking into it.

Author Comment

ID: 41777250
Will that help with looping the network?  What if a client connects their router the wrong way and injects DHCP into my network?  All I want to do is provide internet and maybe some filesharing.
LVL 26

Expert Comment

ID: 41777317
What that will do is prevent more than "x" number of MAC addresses connecting to a specific port.

[Image: network diagram]
With port security the MAC address of each device connected to the Owned Switch is registered to the port it is connected to.

If someone connects a switch and then connects one or more workstations to that switch then it will trip the port security and shut down the port.

A hub does not (usually) provide a MAC address, so the first device connected to the hub would register and any additional device will trip the port security.

The owned switch should have a default route built in that goes to the owned router so any device connected to the switch that sends traffic not destined to another device on that switch will go out the default route.

If an additional router is connected to the switch, it should follow the same rules.

Author Comment

ID: 41777330
Cool. I will have multiple users using those lines throughout the day. Does it count the MAC addresses by concurrent connections?
I have had users that don't know what they are doing and connect the LAN side of a router to my switch.  And it will add their DHCP to my network. Will this stop the IPs from coming into my network?  If not, is there a security setting I can look into to help deny that from happening?
LVL 17

Accepted Solution

TimotiSt earned 250 total points
ID: 41777814
To protect against multiple users connecting through a rogue switch/AP, port security (MAC address limiting) is good.
It won't protect you from routers, though, as that only presents as one MAC.
Against loops, spanning tree provides protection (which has its own quirks).
Against rogue DHCP servers, DHCP snooping can protect.

@pony10us: The 1920 is a Comware-based switch, mostly to be used with a web GUI.
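The accepted answer's distinction between MAC limiting and DHCP snooping, modelled as an added example that is not part of the original thread and is not HP's implementation. The port names, MAC addresses and verdict strings are constructed for illustration; a violation is assumed to shut the port down, as described earlier in the thread, and spanning tree is not modelled.

```python
from dataclasses import dataclass, field

# DHCP message types only a server sends (RFC 2131): OFFER=2, ACK=5, NAK=6
SERVER_DHCP_TYPES = {2, 5, 6}

@dataclass
class Port:
    name: str                    # hypothetical port label
    max_macs: int = 2            # port-security MAC limit
    dhcp_trusted: bool = False   # True only on the uplink toward the real DHCP server
    learned: set = field(default_factory=set)
    shutdown: bool = False

def ingress(port, src_mac, dhcp_type=None):
    """Return the switch's verdict for one frame arriving on `port`."""
    if port.shutdown:
        return "drop:port-down"
    # Port security: learn source MACs and trip once the limit is exceeded.
    port.learned.add(src_mac)
    if len(port.learned) > port.max_macs:
        port.shutdown = True
        return "drop:mac-limit"
    # DHCP snooping: server-originated messages are valid only on trusted ports.
    if dhcp_type in SERVER_DHCP_TYPES and not port.dhcp_trusted:
        return "drop:rogue-dhcp"
    return "forward"

def replay(port, frames):
    """Feed (src_mac, dhcp_type) tuples through a port and collect the verdicts."""
    return [ingress(port, mac, dhcp_type) for mac, dhcp_type in frames]

# Constructed sample traffic.
# Unmanaged switch with three PCs behind it: three source MACs on one port.
ROGUE_SWITCH = [("aa:00:00:00:00:01", None),
                ("aa:00:00:00:00:02", None),
                ("aa:00:00:00:00:03", None),
                ("aa:00:00:00:00:01", None)]
# Home router plugged in by its LAN side: one MAC, but it answers DHCP.
ROGUE_ROUTER = [("bb:00:00:00:00:01", None),
                ("bb:00:00:00:00:01", 2),   # DHCPOFFER
                ("bb:00:00:00:00:01", 5)]   # DHCPACK
# The legitimate server, reached through the trusted uplink.
REAL_SERVER = [("cc:00:00:00:00:01", 2)]

if __name__ == "__main__":
    print(replay(Port("access-5"), ROGUE_SWITCH))
    print(replay(Port("access-6"), ROGUE_ROUTER))
    print(replay(Port("uplink", max_macs=64, dhcp_trusted=True), REAL_SERVER))
```

The router never exceeds the MAC limit, so only the snooping check stops its offers; the extra switch never sends DHCP, so only the MAC limit catches it.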
LVL 26

Expert Comment

ID: 41778228
@TimotiSt:  Thank you.  I was not aware of that with the 1920.  We use Cisco exclusively now and have the GUI turned off for security purposes.

@kabrutus:  If you will have people swapping out computers throughout the day then port security can become a headache.  It is really more for a static network to protect against rogue devices.  If you are providing internet service to the public like an internet café where anyone can bring in a computer and connect then this is probably not the best option.  

Perhaps setting up a wireless AP using a router with guest access would be a better choice. This is how we permit auditors and others.  The guest account is password protected and has no access to our internal network.

Author Comment

ID: 41778258
We have an AP, but they require us to provide multiple internet drops.  Does the 1920 have all the features described above?
LVL 26

Assisted Solution

pony10us earned 250 total points
ID: 41778294
The more I read this, the more I think that VLANs might be the best option.  The 1910 and 1920 are both capable of layer 3 to an extent. Separating out the "clients" from your internal network seems to be the primary goal, and that can be accomplished through routing and VLANs.

This will not prevent connecting a switch or router but will isolate it.

Author Comment

ID: 41778645
I have VLANs, but I need to keep them from killing the VLANs they are on.

Author Comment

ID: 41779237
I found this article. Do you know if the 1920 supports this feature? Is this what I described?
