Secure Layer 3 Gateway & HSRP in 6500

Unanswered Question
Mar 12th, 2008

Hi,


We have two 6500s with Sup 720 running HSRP, backing each other up. The BDF and IDF switches are Catalyst 3750 or 2960. Currently we are experiencing some users statically hard-coding their workstation IP to be one of our HSRP IP addresses. After a workstation is statically assigned an HSRP address, the core starts logging duplicate IPs and users start experiencing network outages. I am wondering if anyone has any suggestions on how to secure their Layer 3 IP?


Thanks,


J

lamav Wed, 03/12/2008 - 17:47

What do you mean how to secure their layer 3 IP?


The first thing you have to do is get this guy's PC off your network. Then you smack him upside his head for being stupid.


After that, I'm lost. What are you trying to accomplish?


Victor





jayshihlin Wed, 03/12/2008 - 21:17

One of the users changed a computer's IP from DHCP client to a static IP. Unfortunately, the user used one of the HSRP addresses and the 6500 started logging duplicate IPs in syslog. Because of this issue, a lot of workstations in the same network started using the offending workstation's MAC as the gateway MAC. I am just wondering if anyone has any suggestions on the network side to prevent this from happening?


Thanks,


J
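
A detection sketch for the duplicate-IP syslog entries described in the post above, added here as an example and not posted by anyone in the thread: it picks the IOS `%IP-4-DUPADDR` messages that involve a gateway address out of the core's syslog and reports the sourcing MAC, which can then be traced to an access port. The protected addresses and the sample log lines are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Assumption: gateway addresses to protect (HSRP virtual IP plus each core's
# interface IP). Constructed values, not taken from the thread.
PROTECTED = {ip_address(a) for a in ("10.1.10.1", "10.1.10.2", "10.1.10.3")}

# IOS duplicate-address message body:
#   %IP-4-DUPADDR: Duplicate address <ip> on <interface>, sourced by <mac>
DUPADDR = re.compile(
    r"%IP-4-DUPADDR: Duplicate address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"on (?P<intf>\S+), sourced by (?P<mac>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})"
)

def gateway_conflicts(lines, protected=PROTECTED):
    """Return {(ip, interface, mac): count} for duplicates of protected IPs."""
    hits = {}
    for line in lines:
        m = DUPADDR.search(line)
        if not m:
            continue  # unrelated syslog message
        try:
            ip = ip_address(m["ip"])
        except ValueError:  # octet out of range in a mangled line
            continue
        if ip in protected:
            # Normalise MAC case so repeated events from one host aggregate.
            key = (str(ip), m["intf"], m["mac"].lower())
            hits[key] = hits.get(key, 0) + 1
    return hits

# Constructed sample syslog lines (not from the original thread).
SAMPLE = [
    "Mar 12 17:01:10 core1 1201: %IP-4-DUPADDR: Duplicate address 10.1.10.1 on Vlan10, sourced by 0011.2233.AABB",
    "Mar 12 17:01:40 core1 1202: %IP-4-DUPADDR: Duplicate address 10.1.10.1 on Vlan10, sourced by 0011.2233.aabb",
    "Mar 12 17:02:05 core2 0877: %IP-4-DUPADDR: Duplicate address 10.1.20.57 on Vlan20, sourced by 0050.5612.3456",
    "Mar 12 17:02:09 core2 0878: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up",
]

if __name__ == "__main__":
    for (ip, intf, mac), n in gateway_conflicts(SAMPLE).items():
        print(f"gateway {ip} claimed on {intf} by {mac} ({n} events)")
```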

jayshihlin Wed, 03/12/2008 - 21:55

Thanks for the suggestion. I do have port security and DHCP snooping implemented. However, it does not stop a user from statically assigning their own IP. I think DAI will stop statically assigned IPs, but I have a few hundred servers' MACs that I will need to distribute throughout the campus, and limiting users from changing NICs or switch ports is kind of a pain for both users and us... I wonder if anyone has done it differently?


Thanks


J

Jon Marshall Thu, 03/13/2008 - 01:07

Hi J


Not actually a Cisco solution, but here where I work we run XP on the desktop and we lock down users' PCs so that they cannot change their IP address. If you give the users permissions on their laptops to change things, load software, etc., then no matter how many security features you enable on the switches, you are still asking for trouble, to be honest.


HTH


Jon
