Duplicate IP on the LAN

Posted on 2007-10-02
Last Modified: 2008-01-09
We have a problem in our LAN of almost 100 desktop PCs and 10 servers.
Someone or something changed its IP to a server's IP and the LAN has gone crazy.
We have found the zone where this network card (wired or wireless) is by plugging and unplugging cables from switches and testing LAN performance.
When we unplugged a switch cable (one that cascades from other remote switches) the LAN stabilized, and we think that the duplicated IP is there.

Our concern is: how can we prevent a device from using an IP that is already used by a server (or desktop)?
All domain PCs have non-admin rights and are not able to change it.
Which is the security protocol for these cases? Block traffic by MAC on switches?

Only a brief description will be enough. Thanks
Question by:Mikkk
    LVL 6

    Expert Comment

    Do you use DHCP?
    LVL 5

    Expert Comment

    Without the "malicious users" point of view a DHCP server is enough to prevent this problem.

    If you want to protect from users that can, on purpose or not, change the IP, a managed switch can do the work. Most of them can detect these problems and you can set an alarm or set it to shut down the port automatically.
    LVL 6

    Expert Comment

    - Find your culprit by looking at the ARP and MAC tables in your switches (like that MAC is known through port 4/1, etc. until you get it).

    - I agree with fmonroy, DHCP should be enough. Another option, if you have a good L3 switch, is to have your servers on one VLAN which will be present in the computer room only and all your users on a different VLAN.

    I hope this helps
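
The ARP and MAC table lookup suggested in the comment above can be scripted. This is an added example, not code from the thread: the two-column input layout, the inventory `KNOWN_OWNERS` and all sample addresses are constructed assumptions, and real switch output has to be adapted to it per vendor.

```python
import re

# Constructed sample data in a generic "ip mac" / "mac port" layout
# (an assumption; real switch output differs per vendor).
ARP_OBSERVATIONS = """\
10.0.0.10 00:11:22:33:44:55
10.0.0.10 00-AA-BB-CC-DD-EE
10.0.0.21 0011.2233.4466
10.0.0.21 00:11:22:33:44:66
"""
MAC_TABLE = """\
00:11:22:33:44:55 1/1
00:aa:bb:cc:dd:ee 4/1
00:11:22:33:44:66 2/7
"""
# Hypothetical inventory of the MACs that legitimately own server IPs.
KNOWN_OWNERS = {"10.0.0.10": "00:11:22:33:44:55"}

def norm_mac(mac):
    """Normalise colon, dash and dotted MAC notations to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_pairs(text):
    """Yield the first two columns of each non-empty, non-comment line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            yield fields[0], fields[1]

def find_duplicates(arp_text, mac_table_text, known_owners):
    """Return {ip: [(mac, port, is_known_owner), ...]} for IPs seen with >1 MAC."""
    ports = {norm_mac(m): p for m, p in parse_pairs(mac_table_text)}
    claims = {}
    for ip, mac in parse_pairs(arp_text):
        # The same MAC written in two notations counts as one claimant.
        claims.setdefault(ip, set()).add(norm_mac(mac))
    report = {}
    for ip, macs in claims.items():
        if len(macs) > 1:
            owner = known_owners.get(ip)
            report[ip] = sorted((m, ports.get(m, "unknown"), m == owner) for m in macs)
    return report

if __name__ == "__main__":
    for ip, rows in find_duplicates(ARP_OBSERVATIONS, MAC_TABLE, KNOWN_OWNERS).items():
        for mac, port, known in rows:
            print(ip, mac, port, "expected owner" if known else "UNEXPECTED")
```

The port reported for the unexpected MAC is the next place to look: if it is an uplink to a cascaded switch, repeat the lookup on that switch.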

    LVL 11

    Accepted Solution

    802.1x authentication. The switch will allow only authenticated hosts to connect, regardless of their MAC address. Microsoft AD and their RADIUS server work perfectly fine with this technology. The switch should be capable of processing and relaying authentication requests.
    LVL 8

    Author Comment

    DHCP is not enough because someone can bring in their own laptop, connect anywhere on the LAN and change their address easily.
    Then if they set a static IP this will make a duplicate IP.
    For corporate reasons we can't change the IP scheme, so the VLAN can't be the solution.

    I'm interested in 802.1x because we have more than 20 3Com manageable switches and this would be a great implementation project.

    Last question: Can we implement 802.1x and let some "home" laptops not in the domain connect to the LAN in some manner? Or if we implement it, will only domain computers be able to connect?
    LVL 51

    Expert Comment

    If you have users who can plug in whatever device they want (laptop etc.), then you have to use a switch which relies on the MACs of the clients and only routes traffic if it is a well-known MAC.
    LVL 11

    Expert Comment

    You will have to register "home" laptops in the domain and give them no rights for the domain resources. I'm not sure if you can do it with Microsoft RADIUS, but in theory you can set it up so it will accept hosts which fail authentication and assign them a separate VLAN in a separate range of IPs. Feel free to contact me for details regarding the network part. Microsoft RADIUS is not my area. I can deal with RADIUS for *NIX.
