Switches, Hubs, and Modems

Security Settings 5304XL(J4850A) + 2626(J4900A)

Hi all together!

We have 1x 5304XL and 12x 2626.
You have to know that we are in a school!

We have some troubles and I want to ask here if somebody has a solution for our troubles!

First our config:
The 5304XL has IP routing enabled, we use several VLANs and ACLs! RSTP is enabled!
The 5304XL is the default gateway in our VLANs and LANs!

Now our problem is that we have some other switches (not manageable) in the classrooms! When a student creates a loop on such a non-HP switch, our network goes down. Is there a possibility to disable the port on the HP switch where the non-HP switch is connected?

And the second problem is that we have some very "clever" students who use the IP of the server and then get access to everything! So is it possible, for example, that only on port A1 the IP 192.168.2.1 is allowed, so nobody else will get access?

Maybe someone has a similar situation, please let me know what settings we can make to get our network more secure!

thank you very much!
Juergen Strutzeberger

Matt Hobbs
Honored Contributor

Re: Security Settings 5304XL(J4850A) + 2626(J4900A)

Great questions...

What version firmware are you running on these switches? Make sure you're running the latest as earlier versions did not block the type of external loops that you are describing.

At the same time, many unmanaged switches do not always forward BPDU frames, so detecting an external loop using STP is impossible.

To get around this, there is a feature called 'loop protection', it is currently available on the 5400's but for some reason is not currently documented. I expect that this feature will probably filter down into most of the other ProCurve switch ranges. Another nice new feature on the 5400's is BPDU Protection which will also hopefully be filtering down soon. This allows a switch to disable a port when a BPDU is received on designated ports.

For your second problem, on the 2600's there is an 'IP lockdown' feature available. Check the release notes for more information on this: ftp://ftp.hp.com/pub/networking/software/2600-RelNotes-h08106-59906003.pdf

The way this feature works probably won't help you too much unless you want to statically assign IP addresses to your students.

Another approach would be to put the servers into a different VLAN and route between them instead. That way students on the student VLAN could not impersonate the server IP address, since it would be on a different IP subnet range in a different VLAN. By the sounds of it you are using multiple VLANs, but I'm not too sure if some servers are in the same VLAN as the students.

Hope this helps. Don't forget to assign points to any replies that you receive.

Matt
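To make the port-to-address binding idea concrete (the "only port A1 may use 192.168.2.1" question and the IP lockdown feature Matt mentions), here is an added illustration in Python. It is not ProCurve's implementation and not code from this thread; it models a lockdown policy as a constructed table of port to allowed source addresses and audits a handful of constructed frames against it. Port names, MACs and the `192.168.2.x` addresses are assumptions for the example.

```python
"""Illustration of a per-port IP lockdown policy (constructed example, not
ProCurve's implementation).  Two rules are enforced:
  1. a locked port may only source the addresses bound to it;
  2. an address bound to a locked port may not appear as a source on any
     other port (this is what stops a student host impersonating the server).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Minimal view of an ingress frame: which port it came in on, and its
    source MAC / source IP (constructed sample data, not captured traffic)."""
    port: str
    src_mac: str
    src_ip: str


# Hypothetical policy: port A1 is the server port, locked to 192.168.2.1.
LOCKDOWN = {"A1": {"192.168.2.1"}}


def locked_addresses(policy):
    """Invert the policy: address -> the one port that may source it."""
    return {ip: port for port, ips in policy.items() for ip in ips}


def check_frame(frame, policy=LOCKDOWN):
    """Return None if the frame is allowed, otherwise a short reason."""
    if frame.port in policy:
        # Rule 1: locked port, only its bound addresses are acceptable.
        if frame.src_ip not in policy[frame.port]:
            return f"port {frame.port} may only source {sorted(policy[frame.port])}"
        return None
    # Rule 2: unlocked port, but the address may belong to a locked port.
    owner = locked_addresses(policy).get(frame.src_ip)
    if owner is not None:
        return f"{frame.src_ip} is locked to port {owner}, seen on {frame.port}"
    return None


def audit(frames, policy=LOCKDOWN):
    """Return [(frame, reason)] for every frame the policy would drop."""
    return [(f, r) for f in frames if (r := check_frame(f, policy))]


# Constructed sample traffic: the real server, two student hosts, and a
# student host that has configured the server's address on itself.
SAMPLE = [
    Frame("A1", "00:aa:00:00:00:01", "192.168.2.1"),    # server, allowed
    Frame("B5", "00:bb:00:00:00:05", "192.168.2.50"),   # student, allowed
    Frame("B6", "00:bb:00:00:00:06", "192.168.2.1"),    # impersonation, dropped
    Frame("A1", "00:cc:00:00:00:99", "192.168.2.99"),   # wrong host on A1, dropped
]


def violating_ports(frames=SAMPLE, policy=LOCKDOWN):
    """Ports on which at least one frame violated the policy, in order."""
    return [f.port for f, _ in audit(frames, policy)]


if __name__ == "__main__":
    for frame, reason in audit(SAMPLE):
        print(f"drop {frame}: {reason}")
```

Running it reports the B6 frame (server address sourced from a student port) and the A1 frame (unexpected address on the locked server port); the two legitimate frames pass. As Matt notes, this only works when the protected hosts have static addresses, which is why it fits the server port rather than student ports.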
Lei.Ma
Frequent Advisor

Re: Security Settings 5304XL(J4850A) + 2626(J4900A)

1) Do you have any management software? If you have PCM+, you can disable the port when you see the red alert in the topology map, or you can access the switch via the web interface; the broadcast issue shows up as "non-unicast Pkts Rx", and you can disable the port that way too.


2) Use these commands to restrict the management VLAN and the IP addresses allowed to manage the switch:
HP ProCurve Switch 5304XL(config)# management-vlan 1
HP ProCurve Switch 5304XL(config)# ip authorized-managers

Re: Security Settings 5304XL(J4850A) + 2626(J4900A)

Thanks for your answers!

Oh, the firmware is a little bit older because I didn't want to update the system when it is running quite stable and good, you know: "never change a running system"

1x 5304XL: FW E.09.22
all 2626: FW H.08.53

Does somebody know if the 5304XL can do DHCP?

Some more infos:

I will describe how we changed the LAN into VLANs!

First we had one big LAN with 192.168.x.x IPs, and everything was in this LAN!

So we had to make many changes, but we always have to guarantee that all other PCs can access their servers and the internet!

We split the network into several VLANs!
For example: some computing rooms, (DV1,...)
In a second split we moved the administration of the school in a separate VLAN!

So at the moment our trouble is that when we move the servers or the students' PCs/notebooks, we need to move all these PCs from VLAN200 to VLAN300 because of the change on the DHCP server (multiscope)!

I'm really interested in what ideas and possibilities you have!

kind regards
Jürgen

P.S.: thanks for all information
Matt Hobbs
Honored Contributor

Re: Security Settings 5304XL(J4850A) + 2626(J4900A)

The 5300 itself cannot be a DHCP server, it can do dhcp-relay though with ip helper-addresses (which I think you're already doing).

Can you explain in more detail about the other trouble you have moving clients and servers to different VLANs?

Re: Security Settings 5304XL(J4850A) + 2626(J4900A)

For the other questions:
I don't have PCM+ for the configuration!

Yes, I already configured an IP address helper for each VLAN!

Is this configuration tool part of the delivery from the 5304xl?

So the trouble is, when I move one PC from the LAN (default_VLAN) to another VLAN I have to do the following procedure:
Create a new range for the new VLAN (if it doesn't exist yet).
First delete all entries in the DHCP server (a 2003 Server configured as multiscope DHCP)!
Then start up the client and do an ipconfig /release; if I don't do that, I always get an IP from the default LAN!
Then restart the PC or do ipconfig /renew!

So I also have this trouble if somebody moves between different VLANs! For example, if a user is in VLAN100 and some hours later connects to VLAN200, the user still gets the IP from VLAN100! (I think this is because the DHCP server knows the MAC address and therefore he will get the same IP, but the user can't do anything because of the wrong IP - routing doesn't work)

bye
Juergen
Matt Hobbs
Honored Contributor

Re: Security Settings 5304XL(J4850A) + 2626(J4900A)

What you are describing about the client getting the wrong IP address is definitely not normal. Are you using Superscopes at all? That could be a possible cause.

Although I don't know of any issue on the switches side that could cause this, you may want to try updating to the latest firmware just in case.

Re: Security Settings 5304XL(J4850A) + 2626(J4900A)

The issue with the wrong IP address isn't the switch, it is the DHCP server!

The multiscope Windows 2003 DHCP server doesn't know that the PC is in another VLAN! The server looks in the DHCP database, matches the MAC address and gives the client the same IP which it had in the first VLAN!

nice day

P.S.: what firmware should I use?
Lei.Ma
Frequent Advisor

Re: Security Settings 5304XL(J4850A) + 2626(J4900A)

The 5300 series only supports DHCP relay option 82 and DHCP snooping.
You need to download the firmware from HP's website or check the link below:
http://www.hp.com/rnd/software/j48191044.htm
Mohieddin Kharnoub
Honored Contributor

Re: Security Settings 5304XL(J4850A) + 2626(J4900A)

Hi

I have an opinion.
Educational solutions should always be secure and reliable, and with ProCurve you can achieve that easily, and apparently you have all that you need to do that.

802.1X is a robust Layer 2 security protocol that guarantees the security and reliability you are looking for, and it's available on your 2600 and 5300 switches.

The scenario would be to enable the 802.1X protocol on each student's switch port, and with Windows Server, Active Directory, DHCP and RADIUS you can have dynamic VLANs, so no worries about static VLAN assignment anymore.

Also I have seen some schools using MAC authentication for less hassle (they provided laptops to students), and the only headache is entering the MAC addresses in the Windows Server.

You can also decide which devices (MAC addresses) are authorized on each port and how many devices you want to allow per port (up to 8 devices).

The more you secure your network, the more you control it especially in Schools and Universities.

Good Luck !!!
Science for Everyone