[c-nsp] IP conflict !!! How to avoid this....

Kristofer Sigurdsson ks at rhi.hi.is
Tue Apr 26 08:45:33 EDT 2005


Hi,

On Tue, 2005-04-26 at 10:01 +0000, Gangasagar Amula wrote:
>   
> Dear All,
> 
> In our company, we have used DHCP to give IP to different machines...
> 
> And
> 
> Some machines have been given IP statically.....which has internet connection..
> 
> 
> Now the thing is most of the intelligent people...are changing the ip address of their machines to the one...having internet connection...
> 
> Hence an authorised person who needs the net...gets an ip conflict....

You have several choices here; roughly, you can prevent this from
happening, or you can deal with it when it happens:

1. Preventive measures:

        a) Implement two different VLANs, one for each group.  You
           can statically configure switch ports on their VLAN, or you
           can use VMPS (see OpenVMPSd) or 802.1x for dynamic VLAN
           assignments.
           If you go for VLANs, I'd recommend 802.1x.

        b) DHCP snooping.  You can configure for DHCP snooping, but I'm
           not sure how well that works (never done it myself).

2. Dealing with it afterwards

        a) Make a script (shell script using snmpwalk or Perl's 
           Net::SNMP) that checks your network gateway(s)' ARP table
           and compares it to your DHCP/static configuration.  If a
           mismatch is found, the script should go through the switch
           MAC address tables, and if the port is not an uplink/downlink
           port, disable it until the script's next run.  This can all
           be accomplished using SNMP (been there, done that, had to 
           because some of the switches didn't support VMPS/802.1x/DHCP 
           snooping).

> 
> 
> How to avoid this....
> 
> Or can we identify the port number of the switch if we have the ip address ?

Yes.  Log on to a switch on the same L2 network, ping the host, get the
MAC address from the ARP table, and use the switch MAC address tables to get
the port (if you have a lot of switches you might be better off scripting
the MAC address table part with SNMP).

-- 
Kristófer Sigurðsson         | Tel: +354 525 4103 / MSN: ks at rhi.hi.is
Netsérfr./Network specialist | Reiknistofnun HÍ/University of Iceland
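As an added illustration of the script outlined in 2a above (example code, not Kristófer's own script), the following Python does the comparison part offline: it parses the output of an `snmpwalk -On` of the gateway's ARP table (ipNetToMediaPhysAddress) and of a switch's bridge MAC table (dot1dTpFdbPort), flags IPs whose observed MAC differs from the assigned one, and resolves each offending MAC to a bridge port while skipping ports marked as uplinks. The two walk outputs, the `EXPECTED` assignment map and the `UPLINK_PORTS` set are constructed sample data; the actual `snmpwalk`/`snmpset` calls are left out so the example runs without a network.

```python
import re

# Standard MIB-II / BRIDGE-MIB objects as they appear in `snmpwalk -On` output
ARP_OID = ".1.3.6.1.2.1.4.22.1.2"    # ipNetToMediaPhysAddress, index = ifIndex.a.b.c.d
FDB_OID = ".1.3.6.1.2.1.17.4.3.1.2"  # dot1dTpFdbPort, index = six MAC octets in decimal

# Constructed sample: `snmpwalk -On -v2c -c <community> <gateway> ipNetToMediaPhysAddress`
GATEWAY_ARP_WALK = """\
.1.3.6.1.2.1.4.22.1.2.3.10.0.0.5 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.2.1.4.22.1.2.3.10.0.0.6 = Hex-STRING: 00 11 22 33 44 66
.1.3.6.1.2.1.4.22.1.2.3.10.0.0.7 = Hex-STRING: 00 AA BB CC DD EE
.1.3.6.1.2.1.4.22.1.2.3.10.0.0.8 = Hex-STRING: 00 01 02 03 04 05
"""

# Constructed sample: `snmpwalk -On -v2c -c <community> <access-switch> dot1dTpFdbPort`
SWITCH_FDB_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 2
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.102 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.170.187.204.221.238 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.0.1.2.3.4.5 = INTEGER: 24
"""

# Constructed: the authoritative IP -> MAC assignments (static hosts + DHCP reservations)
EXPECTED = {
    "10.0.0.5": "00:11:22:33:44:55",
    "10.0.0.6": "00:11:22:33:44:66",
    "10.0.0.7": "00:11:22:33:44:77",  # rightful owner of the static "internet" address
    "10.0.0.8": "00:11:22:33:44:88",
}

# Constructed: bridge ports on this switch that lead to other switches; never disable these
UPLINK_PORTS = {24}


def parse_arp_walk(text):
    """Return {ip: mac} from an ipNetToMediaPhysAddress walk (ifIndex is skipped)."""
    pat = re.compile(re.escape(ARP_OID)
                     + r"\.\d+\.(\d+\.\d+\.\d+\.\d+) = Hex-STRING: ([0-9A-Fa-f ]+)")
    table = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            table[m.group(1)] = ":".join(m.group(2).split()).lower()
    return table


def parse_fdb_walk(text):
    """Return {mac: bridge_port} from a dot1dTpFdbPort walk (MAC index is decimal octets)."""
    pat = re.compile(re.escape(FDB_OID) + r"\.(\d+(?:\.\d+){5}) = INTEGER: (\d+)")
    table = {}
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            mac = ":".join(f"{int(octet):02x}" for octet in m.group(1).split("."))
            table[mac] = int(m.group(2))
    return table


def find_conflicts(arp, expected):
    """IPs the gateway currently sees on a MAC other than the assigned one -> (seen, assigned)."""
    return {ip: (mac, expected[ip])
            for ip, mac in arp.items()
            if ip in expected and mac != expected[ip]}


def ports_to_disable(conflicts, fdb, uplinks):
    """Map each offending MAC to its bridge port on this switch, skipping uplink ports.

    A MAC learned on an uplink lives behind another switch; the script would have to
    repeat the lookup there rather than cut off a whole downstream segment.
    """
    result = {}
    for _ip, (seen_mac, _assigned) in conflicts.items():
        port = fdb.get(seen_mac)
        if port is not None and port not in uplinks:
            result[seen_mac] = port
    return result


if __name__ == "__main__":
    arp = parse_arp_walk(GATEWAY_ARP_WALK)
    fdb = parse_fdb_walk(SWITCH_FDB_WALK)
    conflicts = find_conflicts(arp, EXPECTED)
    for ip, (seen, assigned) in conflicts.items():
        print(f"{ip}: seen on {seen}, assigned to {assigned}")
    for mac, port in ports_to_disable(conflicts, fdb, UPLINK_PORTS).items():
        # Bridge port numbers are not ifIndex values: map through dot1dBasePortIfIndex
        # before setting ifAdminStatus.<ifIndex> to 2 (down) with snmpset.
        print(f"candidate for shutdown: {mac} on bridge port {port}")
```

In the sample data, 10.0.0.7 is in use from an unexpected MAC on bridge port 7 and gets reported, while 10.0.0.8's offender is learned on port 24, an uplink, so it is skipped and the lookup would continue on the next switch. A real run would feed the parsers from `snmpwalk` output, and before any `snmpset` of ifAdminStatus the bridge port must be translated to an ifIndex via dot1dBasePortIfIndex, since the two numbering spaces differ on most switches.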
