If your critical servers are in their own subnet/VLAN, this is a natural
barrier to even a misconfigured static. A client PC can't speak to a router
not on its own subnet, and is therefore forced to maintain any topology you
devise (i.e. the answer is strict addressing rules and hierarchical
design). However, there still isn't a good way to limit someone from using
the address of the gateway statically and creating a mess. One solution I
came up with is to write a custom application to send an ARP probe every so
often. If any MAC (both cases of the term) other than your router responds
to the ARP, have that port shut down via SNMP or a telnet script on your
switch. Depending on your topology this may affect only 1 or possibly
several client machines, but at least the whole VLAN will not be blocked out
of the zone. It depends on your resolve, but truly anything can be
accomplished with computers. Don't take NO for an answer.
WAYNE A. BAETY, A1C, MCSE, USAF
18th Communications Squadron/SCBX
632-6211
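A Python sketch of the probe-and-compare check described in the reply above, added here as an illustration and not code from the list or any of its posters: it parses ARP replies (constructed sample frames), flags any MAC other than the router's that answers for the gateway address, and builds the SNMP ifAdminStatus set that would shut the offender's port. The gateway IP, router MAC, probing host and the MAC-to-ifIndex table are all assumed values; actually sending the probe and the SNMP set is left out.

```python
import socket
import struct

GATEWAY_IP = "10.0.1.1"           # constructed sample gateway address
ROUTER_MAC = "00:0c:29:aa:bb:01"  # constructed: the real router's MAC on this VLAN
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7."  # RFC 1213 ifAdminStatus.<ifIndex>; 2 = down

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet/ARP frame; used here only to construct sample traffic."""
    eth = mac_bytes(tha) + mac_bytes(sha) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac_bytes(sha) + socket.inet_aton(spa) + mac_bytes(tha) + socket.inet_aton(tpa)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

def find_impostors(frames, gateway_ip=GATEWAY_IP, router_mac=ROUTER_MAC):
    """MACs other than the router's that sent an ARP reply claiming the gateway IP."""
    hits = set()
    for parsed in map(parse_arp, frames):
        if parsed and parsed[0] == 2 and parsed[2] == gateway_ip \
                and parsed[1].lower() != router_mac.lower():
            hits.add(parsed[1])
    return sorted(hits)

def shutdown_varbinds(impostors, cam_table):
    """SNMP varbinds (OID, value) setting ifAdminStatus=down(2) on each offender's port;
    cam_table maps MAC -> switch ifIndex (a constructed snapshot of the bridge table)."""
    return [(IF_ADMIN_STATUS + str(cam_table[m]), 2) for m in impostors if m in cam_table]

# Constructed replies to one probe for the gateway IP, as seen by the probing host.
PROBER = "00:50:56:12:34:56"
SAMPLE_FRAMES = [
    build_arp(2, ROUTER_MAC, GATEWAY_IP, PROBER, "10.0.1.77"),           # the real router
    build_arp(2, "00:11:22:33:44:55", GATEWAY_IP, PROBER, "10.0.1.77"),  # laptop set to the gateway IP
    build_arp(2, "00:a0:c9:de:ad:01", "10.0.1.50", PROBER, "10.0.1.77"), # unrelated host, ignored
    build_arp(1, "00:11:22:33:44:55", "10.0.1.9", "00:00:00:00:00:00", GATEWAY_IP),  # request, ignored
]
CAM_TABLE = {ROUTER_MAC: 1, "00:11:22:33:44:55": 7}  # MAC -> ifIndex, constructed
```

Run against live traffic, the frames would come from a raw socket on the probing host and the CAM table from the switch's bridge MIB; only the reply check and the varbind construction are shown.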
-----Original Message-----
From: dan snyder [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 10:23 AM
To: [EMAIL PROTECTED]
Subject: Re: Avoiding IP conflicts in a MULTI-VLAN environment [7:16470]
as long as there are others that have the ability to connect workstations or
servers to your network, the potential is there for address conflicts. we
eliminate these by having users request addresses and having the server (or
workstation) patched into the network. it is more work initially, but in
the long run creates audit trails and prevents unauthorized ip address
assignments. good luck.
>From: "Kevin Wigle"
>Reply-To: "Kevin Wigle"
>To: [EMAIL PROTECTED]
>Subject: Re: Avoiding IP conflicts in a MULTI-VLAN environment [7:16470]
>Date: Sat, 18 Aug 2001 17:26:36 -0400
>
>It depends on the kind of environment you have and how much control you
>have - that is to say, do people who break the rules get in trouble or just
>get their hands slapped? (or nothing....)
>
>Anyway, DHCP will definitely fix this problem but only if users don't change
>the IP configuration on their PCs from DHCP to static.
>
>I once worked in an environment that consisted of 10 floors of "engineers".
>We got IP conflicts all the time because people didn't want to go through
>the process of asking for an address - especially if they thought they
>needed it only for a little while to test something out. At the time we
>were using static addressing which was handed out by a bootp server
>
>Once we installed switches and HP Openview and implemented DHCP, we could
>track down the offenders fairly quickly and then yank their connection (or
>shut the port) and wait for the phone to ring. After a while, the
>"engineers" finally figured out that we could catch them and things cooled
>down. Also, because the DHCP pools had enough addresses to handle temporary
>requirements.
>
>I haven't heard about the issue about greater ARP version. Usually whoever
>has the address first wins and the second PC to attempt the address loses.
>Usually an error is reported back on the second PC with the MAC address of
>the PC that has the address already - which can be traced.
>
>Good user policies that are enforced and DHCP should prevent IP conflict
>problems.
>
>
>Kevin Wigle
>
>
>----- Original Message -----
>From: "Hamid Ali Asgari"
>To:
>Sent: Saturday, 18 August, 2001 15:22
>Subject: Avoiding IP conflicts in a MULTI-VLAN environment [7:16470]
>
>
> > Hi group
> >
> > I am setting up a network with some NT4 servers, a Catalyst 2948 switch,
> > and a 7204 VXR router and some access servers. The network consists of 7
> > VLANs, and all the servers and routers are on multi-VLAN or TRUNK interfaces
> > on the switch. The LAN consists of many computers with different operating
> > systems such as UNIX, LINUX and Win2k. Lots of computers that will be
> > connected to this LAN are laptops so I can't implement PORT SECURITY on the
> > Catalyst.
> >
> > The problem is that I want to prevent my clients from making IP conflicts in my
> > network. Correct me if I am wrong, but someone had told me that when an IP
> > conflict occurs, the computer with the greater ARP version wins (or
> > something like that!), so the RED HAT 7.1 LINUX operating systems would
> > take down my NT servers.
> >
> > Any ideas or solutions on how I could prevent these conflicts?
> >
> > Thanks in advance
> >
> > Hamid
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16626&t=16470