
I was wondering if on HP switches (2920 for example) there is something like storm control but for unicasts? Let's assume we have a host in our network that brute-forces some random IP addresses. How do we shut down this interface/MAC address? The HP switch provides only storm control for broadcast and multicast, but neither of them is a solution for 300 pps to random IPs. How do we handle it? I know we could do 'something' on the firewall, but how do we handle it on L2, so the traffic won't even bother our firewall?

Regards.

Artur
  • Hm, how do you think to filter L3 protocol with L2 switch? – Romeo Ninov Apr 22 '23 at 07:04
  • That's why I was thinking about something like storm control. Block the port if it reaches 50 pps, for example. But on my switch I can see only storm control for broadcast/multicast, and neither of them is the traffic that I want to limit (well, I am limiting broadcast/multicast also, but I'm thinking about unicast). – Artur Apr 22 '23 at 07:34
  • How would the switch distinguish 50pps of bad traffic from 50pps of good traffic, like saving a file to a network share? They all have the same destination MAC (that of your gateway/firewall). – user1686 Apr 22 '23 at 10:18
  • No, I don't want the switch to check the traffic. I just want it to block unicast traffic if it exceeds, for example, 50 pps. That's all. – Artur Apr 22 '23 at 10:34
  • You can't. And you don't want to - how do you distinguish 50 pps of good traffic from 50 pps of bad traffic? The MAC address of all traffic will be your router's anyway. A firewall is literally the device you are looking for. – vidarlo Apr 22 '23 at 10:40
  • Well, I do have policies on my firewall which are going to detect and block certain IPs (which generate more than the X sessions that are allowed). I was just wondering if there is something more to cut :) Thanks – Artur Apr 22 '23 at 11:15
  • and at least 50 PPS is nothing, only if you're still using 10 Mbit – djdomi Apr 22 '23 at 11:25

1 Answer

there something like storm control but for unicasts?

Unicasts cannot cause a broadcast storm. If there's a loop, they just circle. But that isn't really your problem.

assume, we have a host in our network who bruteforces some random IP addresses.

Just shut down its switch port (interface xy disable). If it can spoof IP addresses it can spoof MAC addresses as well.

Alternatively, you can use an ACL on the switch port to only allow the single 'proper' address it's been given. For example, permit only source address 192.168.100.100 from port 10:

; Extended ACL: permit only the host's assigned source address; everything
; else is dropped by the implicit deny at the end of the list.
ip access-list extended "port_10_single_IP"
   100 permit ip 192.168.100.100/32 any
   exit
; Apply the ACL inbound on port 10, i.e. to traffic entering from the host.
interface 10 ip access-group "port_10_single_IP" in

Of course, you could also use DHCP snooping to allow only the single (dynamic) IP address given by your DHCP server. But that's a more advanced topic.

Zac67
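The comments above make the point that a raw pps threshold cannot separate a host scanning random addresses from a host copying a file, and that this is a job for the firewall or for flow logs. The following added example (not from the question or the answer) illustrates that with constructed flow records: both hosts send the same number of packets, but only one talks to many distinct destinations. The host names, addresses, window size and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (src_ip, dst_ip, timestamp_seconds) in the
# shape a firewall session log or NetFlow export would provide. Both hosts send
# 60 packets in the minute: 10.0.0.5 is a normal client talking to three
# internal servers, 10.0.0.9 is a host spraying packets at random addresses.
NORMAL_HOST = "10.0.0.5"
SCANNING_HOST = "10.0.0.9"
SAMPLE_FLOWS = (
    [(NORMAL_HOST, f"10.0.1.{1 + i % 3}", i * 1.0) for i in range(60)]
    + [(SCANNING_HOST, f"203.0.113.{1 + i}", i * 1.0) for i in range(60)]
)


def packets_per_source(flows, window_s=60.0):
    """Raw packet count per (source, window): the metric a pps-style storm
    control would see. It is identical for both sample hosts."""
    counts = defaultdict(int)
    for src, _dst, ts in flows:
        counts[(src, int(ts // window_s))] += 1
    return dict(counts)


def distinct_destinations(flows, window_s=60.0):
    """Number of distinct destination IPs per (source, window)."""
    seen = defaultdict(set)
    for src, dst, ts in flows:
        seen[(src, int(ts // window_s))].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def scanning_sources(flows, max_distinct_dst=20, window_s=60.0):
    """Sources that contacted more than max_distinct_dst distinct IPs inside a
    single window: the candidates for the firewall block or the port disable
    the answer recommends. The threshold (20) is an assumed value."""
    flagged = {src for (src, _win), n in distinct_destinations(flows, window_s).items()
               if n > max_distinct_dst}
    return sorted(flagged)


if __name__ == "__main__":
    dsts = distinct_destinations(SAMPLE_FLOWS)
    for (src, win), n in sorted(packets_per_source(SAMPLE_FLOWS).items()):
        print(f"{src} window {win}: {n} packets, {dsts[(src, win)]} distinct destinations")
    print("candidates for port shutdown:", scanning_sources(SAMPLE_FLOWS))
```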