Score:-1

Block unusual traffic from LAN on Switch


I was wondering if on HP switches (the 2920, for example) there is something like storm control but for unicasts. Let's assume we have a host in our network that bruteforces some random IP addresses. How do we shut down this interface/MAC address? The HP switch provides storm control only for broadcast and multicast, but neither of them is a solution for 300 pps to random IPs. How to handle it? I know we could do 'something' on the firewall, but how to handle it on L2, so the traffic won't even bother our firewall.

Regards.

Romeo Ninov: Hm, how do you think to filter an L3 protocol with an L2 switch?

Artur: That's why I was thinking about something like storm control. Block the port if it reaches 50 pps, for example. But on my switch I can see only storm control for broadcast/multicast, and none of them is the traffic that I want to limit (well, I am limiting broadcast/multicast also, but I'm thinking about unicast).

user1686: How would the switch distinguish 50 pps of bad traffic from 50 pps of good traffic, like saving a file to a network share? They all have the same destination MAC (that of your gateway/firewall).

Artur: No, I don't want the switch to check the traffic. I just want it to block unicast traffic if it exceeds, for example, 50 pps. That's all.

vidarlo: You can't. And you don't want to - how do you distinguish 50 pps of good traffic from 50 pps of bad traffic? The MAC address of all traffic will be your router's anyway. A firewall is literally the device you are looking for.

Artur: Well, I do have policies on my firewall which are going to detect and block certain IPs (those who generate more than X sessions which are allowed). I was just wondering if there is something more to cut :) Thanks

djdomi: And at least 50 PPS is nothing, only if you're still using 10 Mbit.
Score:1

there something like storm control but for unicasts?

Unicasts cannot cause a broadcast storm. If there's a loop, they just circle. But that isn't really your problem.

assume, we have a host in our network who bruteforces some random IP addresses.

Just shut down its switch port (interface xy disable). If it can spoof IP addresses it can spoof MAC addresses as well.

Alternatively, you can use an ACL on the switch port to only allow the single 'proper' address it's been given. For example, permit only source address 192.168.100.100 from port 10:

ip access-list extended "port_10_single_IP"
  100 permit ip 192.168.100.100/32 any
  exit
interface 10 ip access-group "port_10_single_IP" in

Of course, you could also use DHCP snooping to allow only the single (dynamic) IP address given by your DHCP server. But that's a more advanced topic.
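As an added example (not from the answer, and not HP's own tooling): a short Python script that runs the kind of per-host new-flow-rate check the commenters say belongs on the firewall, over constructed session-log lines, and turns the result into the answer's "interface xy disable" command for the offending port. The log format, the addresses, the MAC-to-port table and the thresholds are all assumptions made up for this illustration.

```python
"""Flag LAN hosts that open new flows to many distinct destinations in a
single second, then build the HP ProVision CLI lines to disable their ports.

Added example, not from the thread. Log format, IPs, MACs, port numbers and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall session log: one line per new flow. The last line is
# deliberately malformed to show that unparsable input is skipped, not counted.
SAMPLE_LOG = """\
2024-03-01T10:00:00 src=192.168.100.50 dst=10.0.0.1 proto=tcp dport=22
2024-03-01T10:00:00 src=192.168.100.50 dst=10.0.0.2 proto=tcp dport=22
2024-03-01T10:00:00 src=192.168.100.50 dst=10.0.0.3 proto=tcp dport=22
2024-03-01T10:00:00 src=192.168.100.50 dst=10.0.0.4 proto=tcp dport=22
2024-03-01T10:00:00 src=192.168.100.50 dst=10.0.0.5 proto=tcp dport=22
2024-03-01T10:00:00 src=192.168.100.50 dst=10.0.0.6 proto=tcp dport=22
2024-03-01T10:00:00 src=192.168.100.60 dst=192.168.100.5 proto=tcp dport=445
2024-03-01T10:00:01 src=192.168.100.60 dst=192.168.100.5 proto=tcp dport=445
2024-03-01T10:00:01 src=192.168.100.50 dst=10.0.0.7 proto=tcp dport=22
this line is garbage and is skipped
"""

# Constructed IP -> (MAC, switch port) table; in practice this comes from the
# switch's MAC table and the DHCP server's leases, not from a literal.
HOST_TABLE = {
    "192.168.100.50": ("001122-334455", 10),
    "192.168.100.60": ("001122-334466", 11),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_sprayers(lines, max_flows_per_sec=5, min_distinct_dsts=5):
    """Return {src: (peak_new_flows_in_one_second, distinct_destinations)} for
    sources that exceed max_flows_per_sec in some one-second bucket AND have
    talked to at least min_distinct_dsts destinations. The second condition is
    what separates a host spraying random IPs from one copying a file to a
    single share at the same packet rate (the objection raised in the comments)."""
    per_sec = defaultdict(lambda: defaultdict(int))  # src -> second -> count
    dsts = defaultdict(set)                          # src -> {dst, ...}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = rec["ts"].replace(microsecond=0)
        per_sec[rec["src"]][bucket] += 1
        dsts[rec["src"]].add(rec["dst"])
    offenders = {}
    for src, buckets in per_sec.items():
        peak = max(buckets.values())
        if peak > max_flows_per_sec and len(dsts[src]) >= min_distinct_dsts:
            offenders[src] = (peak, len(dsts[src]))
    return offenders


def disable_commands(offenders, host_table):
    """ProVision CLI lines implementing the answer's 'interface xy disable' for
    each offender whose port is known; unknown hosts are skipped rather than
    guessed, so nothing gets shut down on a bad lookup."""
    cmds = []
    for src in sorted(offenders):
        entry = host_table.get(src)
        if entry is None:
            continue
        _mac, port = entry
        cmds.append(f"interface {port} disable")
    return cmds


if __name__ == "__main__":
    found = find_sprayers(SAMPLE_LOG.splitlines())
    for src, (peak, ndst) in found.items():
        print(f"{src}: {peak} new flows/s, {ndst} distinct destinations")
    for cmd in disable_commands(found, HOST_TABLE):
        print(cmd)
```

The thresholds are deliberately tiny so the embedded sample trips them; on a real firewall export you would raise them to the "more than X sessions" figure already used in the asker's policy and feed the commands to the switch by hand or through its management interface, rather than auto-disabling ports on a single bucket.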
