Join Log in
Score:-1
Artur avatar Server

Block unusual traffic from LAN on Switch

id flag
Artur

I was wondering if on HP Switches (2920 for example) is there something like storm control but for unicasts? Let's assume, we have a host in our network who bruteforces some random IP addresses. How to shut down this interface/MAC-Address? HP Switch provides only stormcontrol for broadcast and multicast, but none of them is a solution for 300pps for random IP's. How to handle it? I know we could do 'something' on FireWall, but how to handle it on L2, so the traffic won't even bother our FireWall.

Regards.

77
1 + 7
hp
Romeo Ninov avatar
in flag
Romeo Ninov
Hm, how do you think to filter L3 protocol with L2 switch?
0
Reply
Artur avatar
id flag
Artur
That's why I was thinking about something like storm control. Block port if it reach 50pps for example. But on my switch I can see only stormcontrol for broadcast/multicast. and non of them is the traffic that I want to limit (well, I am limiting broadcast/multicast also, but thinking about unicast)
0
Reply
user1686 avatar
fr flag
user1686
How would the switch distinguish 50pps of bad traffic from 50pps of good traffic, like saving a file to a network share? They all have the same destination MAC (that of your gateway/firewall).
0
Reply
Artur avatar
id flag
Artur
No, I don't want the switch to check the traffic. I just want it to block unicast traffic if it exceedes for example 50 pps. That's all.
0
Reply
vidarlo avatar
ar flag
vidarlo
You can't. And you don't want to - how do you distinguish 50pps of good traffic from 50pps of bad traffic? The MAC address of all traffic will be your routers anyway. A firewall is literally the device you are looking for.
0
Reply
Artur avatar
id flag
Artur
Well, I do have policies on my firewall which is going to detect and block certains IPs (who generates more than X sessions which are allowed). I was just wondering if there is something more to cut :) Thanks
0
Reply
djdomi avatar
za flag
djdomi
and at least 50 PPS is nothing, only if your still using 10mbit
0
Reply
Score:1
Zac67 avatar Server
ru flag
Zac67

there something like storm control but for unicasts?

Unicasts cannot cause a broadcast storm. If there's a loop, they just circle. But that isn't really your problem.

assume, we have a host in our network who bruteforces some random IP addresses.

Just shut down its switch port (interface xy disable). If it can spoof IP addresses it can spoof MAC addresses as well.

Alternatively, you can use an ACL on the switch port to only allow the single 'proper' address it's been given. For example, permit only source address 192.168.100.100 from port 10:

ip access list extended "port_10_single_IP"
100 permit ip 192.168.100.100/32 any 
exit
interface 10 ip access group "port_10_single_IP" in

Of course, you could also use DHCP snooping to allow only the single (dynamic) IP address given by your DHCP server. But that's a more advanced topic.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.