
Duplicate IP on the LAN

We have a problem in our LAN of almost 100 desktop PCs and 10 servers.
Someone or something changed its IP to a server's IP and the LAN has become crazy.
We have found the zone where this network card (wired or wireless) is by plugging and unplugging cables from switches and testing LAN performance.
When we unplugged a switch cable (that cascades from other remote switches) the LAN stabilized, and we think that the duplicated IP is there.

Our concern is: how can we prevent some device from using an IP already used by a server (or desktop)?
All domain PCs have non-admin rights and are not able to change it.
Which is the security protocol for these cases? Block traffic by MAC on switches?

Only a brief description will be enough. Thanks
1 Solution
Do you use DHCP?
Without the "malicious users" point of view, a DHCP server is enough to prevent this problem.

If you want to protect against users who can, on purpose or not, change the IP, a managed switch can do the job: most of them can detect these problems and you can set an alarm or set it to shut down the port automatically.
- Find your culprit by looking at the ARP and MAC tables in your switches (e.g. that MAC is known through port 4/1, etc., until you get it).
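The "look at the ARP and MAC tables" hunt above, as an added example that is not part of the original answer: it merges a few ARP snapshots, flags any IP that has been seen with more than one MAC, and maps each MAC to the switch port it was learned on. All sample output below is constructed (Cisco-style formatting); the IPs, MACs and port names are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: two ARP snapshots from an L3 switch taken a few minutes
# apart. 10.0.0.10 (a server address) answers from two different MACs.
ARP_SNAPSHOTS = [
    """Internet  10.0.0.10   0   0011.2233.4455  ARPA  Vlan10
Internet  10.0.0.11   0   0011.2233.4466  ARPA  Vlan10
Internet  10.0.0.50   3   00aa.bbcc.dd01  ARPA  Vlan10""",
    """Internet  10.0.0.10   0   00aa.bbcc.dd99  ARPA  Vlan10
Internet  10.0.0.11   2   0011.2233.4466  ARPA  Vlan10
Internet  10.0.0.50   5   00aa.bbcc.dd01  ARPA  Vlan10""",
]

# Constructed sample: 'show mac address-table' output from the access switch.
MAC_TABLE = """  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    00aa.bbcc.dd01    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.dd99    DYNAMIC     Gi1/0/24"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+" + MAC)
MAC_RE = re.compile(r"^\s*\d+\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)

def ip_to_macs(snapshots):
    """Merge ARP snapshots into {ip: set(mac)} so short-lived flaps are kept."""
    seen = defaultdict(set)
    for snap in snapshots:
        for ip, mac in ARP_RE.findall(snap):
            seen[ip].add(mac)
    return seen

def mac_to_port(table):
    """Parse the MAC address table into {mac: port}."""
    return dict(MAC_RE.findall(table))

def find_conflicts(snapshots, table):
    """Return {ip: {mac: port}} for every IP seen with more than one MAC."""
    ports = mac_to_port(table)
    return {ip: {m: ports.get(m, "unknown") for m in sorted(macs)}
            for ip, macs in ip_to_macs(snapshots).items() if len(macs) > 1}

if __name__ == "__main__":
    for ip, where in find_conflicts(ARP_SNAPSHOTS, MAC_TABLE).items():
        print(f"duplicate IP {ip}:")
        for mac, port in where.items():
            print(f"  {mac} learned on {port}")
```

A port that is an uplink to another switch (here Gi1/0/24) only tells you which cascade the second MAC lives behind; repeat the MAC-table lookup on the next switch down until the port holds a single host.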

- I agree with fmonroy, DHCP should be enough. Another option, if you have a good L3 switch, is to have your servers on one VLAN which is present in the computer room only, and all your users on a different VLAN.

I hope this helps


802.1x authentication. The switch will allow only authenticated hosts to connect, regardless of their MAC address. Microsoft AD and its RADIUS server work perfectly fine with this technology. The switch should be capable of processing and relaying authentication requests.
Mikkk (Author) commented:
DHCP is not enough because someone can bring their own laptop, connect anywhere on the LAN and change their address easily.
Then if they set a static IP this will make a duplicate IP.
For corporate reasons we can't change the IP schema, so the VLAN can't be the solution.

I'm interested in 802.1x because we have more than 20 3Com manageable switches and this would be a great implementation project.

Last question: can we implement 802.1x and let some "home" laptops not in the domain connect to the LAN in some manner? Or if we implement it, will only domain computers be able to connect?
If you have users who can plug in whatever device they want (laptops etc.), then you have to use a switch which relies on the MACs of the clients and only routes traffic if it is a well-known MAC.
You will have to register the "home" laptops in the domain and give them no rights to the domain resources. I'm not sure if you can do it with Microsoft RADIUS, but in theory you can set it up so it will accept hosts which fail authentication and assign them a separate VLAN in a separate range of IPs. Feel free to contact me for details regarding the network part. Microsoft RADIUS is not my area. I can deal with RADIUS for *NIX.