Mikkk

asked on

Duplicate IP on the LAN

We have a problem in our LAN of almost 100 desktop PCs and 10 servers.
Someone or something changed its IP to a server's IP and the LAN has gone crazy.
We have found the zone where this network card (wired or wireless) is by plugging and unplugging cables from switches and testing LAN performance.
When we unplugged a switch cable (that cascades from other remote switches) the LAN stabilized, and we think that the duplicated IP is there.

Our concern is: how can we prevent some device from using an IP already used by a server (or desktop)?
All domain PCs have non-admin rights and are not able to change it.
Which is the security protocol for these cases? Block traffic by MAC on switches?

Only a brief description will be enough. Thanks
Galtar99

Do you use DHCP?
Leaving aside the "malicious users" point of view, a DHCP server is enough to prevent this problem.

If you want to protect against users who can, on purpose or not, change the IP, a managed switch can do the work: most of them can detect these problems and you can set an alarm or set it to shut down the port automatically.
netnounours

- Find your culprit by looking at the ARP and MAC tables in your switches (like "that MAC is known through port 4/1", etc., until you get it).

- I agree with fmonroy, DHCP should be enough. Another option, if you have a good L3 switch, is to have your servers on one VLAN which will be present in the computer room only, and all your users on a different VLAN.

I hope this helps
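The first point above (walk the ARP and MAC tables until you find the port the rogue MAC is learned on) is what an administrator ends up doing by hand across a cascade of switches. The script below is an added example, not code from the thread or from any switch vendor: it takes ARP table dumps captured over time, records every MAC that has answered for each IP, compares that against the MACs you know the servers should have, and then looks the offending MAC up in a MAC address table dump to name the port (in the scenario described, that would be the uplink towards the remote switches). The sample tables, the IP/MAC values and the Cisco-like column layout are all constructed for the example; the two parse functions are the part you would adapt to the output format of your own switches.

```python
"""Locate the switch port behind a duplicate IP from ARP and MAC table dumps.

Added example for this thread; not vendor code. The table layouts below are
constructed to look like a typical "show ip arp" / "show mac address-table"
dump, and the parsers only rely on finding an IP, a MAC and a port token on
the same line, so they tolerate other layouts reasonably well.
"""
import re

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabb-ccdd-eeff.
MAC_RE = re.compile(
    r"(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}[.-]){2}[0-9a-f]{4}\b"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Port names such as 1/0/24, Gi1/0/24 or GigabitEthernet1/0/24.
PORT_RE = re.compile(r"\b[A-Za-z]*\d+(?:/\d+)+\b")

# Constructed: the MACs the servers are supposed to have (from your inventory).
EXPECTED = {
    "192.168.1.10": "00:11:22:33:44:55",  # file server
    "192.168.1.11": "00:11:22:33:44:66",  # mail server
}

# Constructed ARP snapshots taken a few minutes apart. In the second one the
# file server's IP is answered by a different MAC: the duplicate.
ARP_SNAPSHOTS = [
    """\
Internet  192.168.1.10    0   0011.2233.4455  ARPA   Vlan1
Internet  192.168.1.11    2   0011.2233.4466  ARPA   Vlan1
Internet  192.168.1.50    5   000c.29de.ad01  ARPA   Vlan1
""",
    """\
Internet  192.168.1.10    0   001c.bfaa.bbcc  ARPA   Vlan1
Internet  192.168.1.11    3   0011.2233.4466  ARPA   Vlan1
Internet  192.168.1.50    6   000c.29de.ad01  ARPA   Vlan1
""",
]

# Constructed MAC address table of the core switch; Gi1/0/24 is the uplink
# towards the cascaded remote switches.
MAC_TABLE = """\
 Vlan    Mac Address       Type        Ports
 ----    -----------       --------    -----
    1    0011.2233.4455    DYNAMIC     Gi1/0/1
    1    0011.2233.4466    DYNAMIC     Gi1/0/2
    1    001c.bfaa.bbcc    DYNAMIC     Gi1/0/24
    1    000c.29de.ad01    DYNAMIC     Gi1/0/7
"""


def normalize_mac(raw):
    """Return a MAC in lower-case aa:bb:cc:dd:ee:ff form, whatever the input style."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Return (ip, mac) pairs from every line that carries both."""
    pairs = []
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            pairs.append((ip.group(), normalize_mac(mac.group())))
    return pairs


def parse_mac_table(text):
    """Return {mac: port} from every line that carries a MAC followed by a port token."""
    table = {}
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue
        port = PORT_RE.search(line[mac.end():])
        if port:
            table[normalize_mac(mac.group())] = port.group()
    return table


def find_conflicts(arp_snapshots, expected):
    """Return {ip: rogue_macs} for IPs answered by a MAC they should not have.

    For IPs listed in `expected`, any other MAC is rogue. For unknown IPs,
    seeing more than one MAC across the snapshots is reported as well.
    """
    seen = {}
    for snapshot in arp_snapshots:
        for ip, mac in parse_arp(snapshot):
            seen.setdefault(ip, set()).add(mac)
    conflicts = {}
    for ip, macs in seen.items():
        want = expected.get(ip)
        rogues = macs - {normalize_mac(want)} if want else (macs if len(macs) > 1 else set())
        if rogues:
            conflicts[ip] = rogues
    return conflicts


def locate_duplicates(arp_snapshots, mac_table_text, expected):
    """Return [(ip, rogue_mac, port)] with the port the rogue MAC was learned on."""
    ports = parse_mac_table(mac_table_text)
    findings = []
    for ip, rogues in sorted(find_conflicts(arp_snapshots, expected).items()):
        for mac in sorted(rogues):
            findings.append((ip, mac, ports.get(mac, "not in this switch's MAC table")))
    return findings


if __name__ == "__main__":
    for ip, mac, port in locate_duplicates(ARP_SNAPSHOTS, MAC_TABLE, EXPECTED):
        print(f"{ip} was also answered from {mac}, learned on port {port}")
```

When the port reported is an uplink rather than an access port, repeat the MAC table lookup on the switch at the other end of that link, which is exactly the "until you get it" walk netnounours describes. Collecting several ARP snapshots matters because an ARP table holds only the most recent answer per IP, so a single dump taken while the real server happens to be winning will not show the duplicate.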

ASKER CERTIFIED SOLUTION
tvman_od

ASKER

DHCP is not enough because someone can bring in their own laptop, connect anywhere on the LAN and change their address easily.
Then if they set a static IP this will make a duplicate IP.
For corporate reasons we can't change the IP scheme, so the VLAN can't be the solution.

I'm interested in 802.1X because we have more than 20 3Com manageable switches and this would be a great implementation project.

Last question: can we implement 802.1X and let some "home" laptops not in the domain connect to the LAN in some manner? Or if we implement it, will only domain computers be able to connect?
If you have users who can plug in whatever device they want (laptop etc.), then you have to use a switch which relies on the MACs of the clients and only routes traffic if it is a well-known MAC.

You will have to register the "home" laptops in the domain and give them no rights to the domain resources. I'm not sure if you can do it with Microsoft RADIUS, but in theory you can set it up so it will accept hosts which fail authentication and assign them a separate VLAN in a separate range of IPs. Feel free to contact me for details regarding the network part. Microsoft RADIUS is not my area. I can deal with RADIUS for *NIX.