IP conflict ?

Dears

In my network, I have a team of users for whom I gave a range of IPs so that they can do their own experiments. (they mainly work with PLCs in a production plant).

My problem is that sometimes they enter an IP in the wrong range and this brings my network down ! How do I prevent this ?
They need to be able to attribute an IP for their machines (that must be in the same subnet as my network), but if they enter a wrong IP (a server IP) then that server is down due to duplicate IP on the network.

Is there a way to make this resilient ? How ?

Thanks
Pierre AmmounIT ConsultantAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

William MillerInventory/IT ConsultantCommented:
Is there a need for them to be able to set their own IPs? I noticed you mentioned an experimental setting, but does the IP being static conflict with that?
0
Pierre AmmounIT ConsultantAuthor Commented:
They do test different PLCs and I gave them a range (192.168.0.50--192.168.0.75).

Unfortunately, sometimes they enter 192.168.0.7 or 192.168.0.5 (anything from 192.168.0.1-->192.168.0.9 are my servers).
0
William MillerInventory/IT ConsultantCommented:
Easiest thing to do might be just to give them a quick rundown on what they should and shouldn't use, or even a short printout that they could post in their space. If they have to be on the same subnet and can't use static addresses, it might be the easiest solution. Sounds to me like human error when they're inputting these addresses from time to time as .7 and .5 are easily mistyped when the range begins and ends with .50 and .75. Might also be possible that changing their allowed range could also help as there's less chance for human error to interrupt a server.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Pierre AmmounIT ConsultantAuthor Commented:
You are right, yet my question is broader than this.. Is there a way to make the system resilient ?
What I mean to say , is that anyone who has a laptop and configures it to take a server IP will disrupt the network  ? is things are that fragile ?
0
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
Things are normally that fragile.

You can prevent this with features like DHCP snooping and dynamic ARP inspection in your network switches, if they support those features.
0
Pierre AmmounIT ConsultantAuthor Commented:
DHCP snooping and dynamic ARP inspection
I would appreciate some more info on this.. Maybe links ?

Thanks
0
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
0
William MillerInventory/IT ConsultantCommented:
Do you have DHCP Reservation in your system? What is the configuration of your physical devices? You can always just reserve the server addresses for the servers.
0
d0ughb0yPresident / CEOCommented:
The simplest thing to do, if possible, would be to give them their own, experimental LAN. Get a small, cheap router, and set it up with the network you want them to use. Don't give them access to the router itself, Then just have them always do their experimental work within that network, only. It doesn't matter what they do, then. All their traffic is segmented away from the main LAN. And anything coming out of their little router is NAT'd within the appropriate range.

In a similar, but different vein, if your main router supports it, you can set up a separate network for them to use there.
0
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
@william Even with reservation of server addresses you will still have the risk that those users manually picks the server addresses and assigns them to their computers.
0
Fred MarshallPrincipalCommented:
I don't see where you said that you cannot use DHCP.  Is that just inherent in those devices?
1
William MillerInventory/IT ConsultantCommented:
The most straightforward way to solve the issue is to not allow your users to configure their own IP addresses. I'm not sure I understand how this effects their ability to connect to a device within the same network. A static IP (or lack their of) shouldn't effect this one way or the other so long as both devices are in the same scope.
0
Tom CieslikIT EngineerCommented:
If you need to use same subdomain, it's hard to accomplish since they can always put same IP you're using.
I thin it would be better if you will setup separate subnet for them with same gateway so they'll have access to internet but they're IP will be different, otherwise you need to instruct them to PING addresses they wan to assign and check if they are occupied before assigning
0
masnrockCommented:
Create a separate VLAN, that way there's a totally different address space for them to test with. And also prevent that VLAN from communicating with the main one. Somehow, I'm sure that a number of people here have already suggested at least a portion of this (namely having a different IP address space). You cannot protect systems from IP address conflicts that are on the exact same network as far as static addresses go... if 2 systems have the same static address, that's always going to be a problem. That's a risk you have to figure out your willingness to deal with. If someone sets a static address that's in the DHCP pool (and that address is leased at the time), it's going to cause issues as well. And if it's happening that much, that's a major concern in and of itself.
1
mbkitmgrCommented:
  1. Change the machines to DHCP
  2. Allow them to pick up an IP address
  3. Reserve the address in DHCP
  4. Tell the Dev teams the IP's assigned to their machines
0
Pierre AmmounIT ConsultantAuthor Commented:
And if they enter a wrong IP they mess up my network...
Still not helping my case...😱
0
mbkitmgrCommented:
Add say 5 IP's for their exclusive use.  Surely their not that incompetent
0
masnrockCommented:
Set the IP yourself. There's nothing you can do about the situation if you're saying the systems MUST be in the same network. Otherwise, use the suggestion of reservations in DHCP, but that assumes said systems support DHCP. Additionally, you're always going to have to know the MAC addresses of any device they're experimenting with.

You're clearly complaining about the rate of error with these people. And it sounds significant. They either shouldn't be allowed to do it or you need to find a way to introduce a level of separation. If you're currently operating with the corporate and production networks as one, you definitely should be going the segregation route with VLANs anyway. Is there anything on the corporate side that the production equipment actually needs access to?

@mbkitmgr - Apparently they are. The author has already provided those people 26 addresses, but they keep making mistakes in typing in their IP addresses, which is how this mess occurred.
0
Fred MarshallPrincipalCommented:
It may be helpful to review the system capabilities and constraints - I've read everything here and don't necessarily find the answers.  Having the answers may help you:

1) Why are the PLC experiments being done on the same subnet as the main network?  Is this necessary?  Why?
2) Do the PLCs accept addresses via DHCP?  Could a judicious selection of PLCs be suitable for the work AND accept DHCP addresses?
If not, why not?
3) Can PLC MAC address DHCP IP assignments work in this situation?  If not, why not?
There are probably other such questions but these are a good start.

Also, it appears that there is a lot of good information on the industrial controls side.  Google "do plcs normally use dhcp service?"
Here's a typical hit:
https://rockwellautomation.custhelp.com/ci/fattach/get/8311/1164808462
It may be that BOOTP is more typical from the hits that I saw.

Might one assume that you aren't the PLC expert and the PLC experts aren't network experts?
Maybe a good time to get your heads together to solve this problem once and for all as it *may not* be solvable purely from a networking architecture perspective.
But, a joint solution may well be possible.
1
Tom CieslikIT EngineerCommented:
I think the only one option you have is installing a ROUTER between your LAN network , setup different IP Subnet, and set One-to-Many NAT (SNAT).

This will help them connect to your network and communicate with your network devices from PLCs but as they will work in different subnet, they will not mess-up your network.
All you need to do is find a good Router with One-To-Many NAT (SNAT) option
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Miscellaneous

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.