Secure Layer 3 Gateway & HSRP in 6500

jayshihlin
Level 1

Hi,

We have two 6500s with Sup 720, running HSRP and backing each other up. BDF and IDF switches are Catalyst 3750 or 2960. Currently we are experiencing some users statically hard-coding their workstation IP to be one of our HSRP IP addresses. After a workstation is statically assigned an HSRP address, the core starts logging dup. IP and users start experiencing network outages. I am wondering if anyone has any suggestions on how to secure their Layer 3 IP?

Thanks,

J

5 Replies

lamav
Level 8

What do you mean how to secure their layer 3 IP?

The first thing you have to do is get this guy's PC off your network. Then you smack him upside his head for being stupid.

After that, I'm lost. What are you trying to accomplish?

Victor

jayshihlin
Level 1

One of the users changed a computer's IP from DHCP client to static IP. Unfortunately, the user used one of the HSRP addresses and the 6500 started logging duplicate IP in syslog. Because of this issue, a lot of workstations in the same network started using the offending workstation's MAC as the gateway MAC. I'm just wondering if anyone has any suggestions on the network side to prevent this from happening?

Thanks,

J

L2 hardening should do the trick. Implement Port-security, DHCP Snooping, and Dynamic ARP Inspection.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/prod_white_paper0900aecd80339c2d.pdf pg 17

Thanks for the suggestion. I do have Port-security and DHCP snooping implemented. However, it does not stop a user from statically assigning their own IP. I think DAI will stop statically assigned IPs, but I have a few hundred servers' MACs that I will need to distribute throughout the campus, and limiting users from changing NICs or switch ports is kind of a pain for both users and us... I wonder if anyone has done it differently?

Thanks

J
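The DHCP snooping and Dynamic ARP Inspection combination suggested above, with an ARP ACL covering statically addressed servers as raised in the reply, sketched as an added example that is not part of the original thread. VLAN 10, the interface numbers, the ACL name STATIC-HOSTS and every IP and MAC address are constructed placeholders, and the access switch is assumed to run an image that supports DAI.

```cisco
! Access-layer switch. All VLANs, ports, names and addresses are constructed.
! Assumed: VLAN 10 is the user VLAN, Gi1/0/49 is the uplink to the 6500 pair.
!
! Build the IP-to-MAC-to-port binding table from DHCP traffic.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Hosts with static addresses never get a snooping binding, so they are
! listed explicitly. The ACL is checked first; ARP packets that match no
! entry fall through to the DHCP snooping bindings.
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.20 mac host 0011.2233.4455
 permit ip host 10.0.10.21 mac host 0011.2233.4466
!
! Validate ARP on untrusted ports in VLAN 10 against the ACL and bindings.
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
ip arp inspection validate src-mac ip
!
interface GigabitEthernet1/0/49
 description Uplink to 6500 core (HSRP gateway and DHCP server path)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/1
 description User access port, untrusted by default
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
```

With this in place, an ARP packet from a user port that claims the gateway address has no matching binding or ACL entry and is dropped at the access switch before it reaches other hosts. `show ip dhcp snooping binding` and `show ip arp inspection vlan 10` display the learned bindings and the per-VLAN drop counters.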

Hi J

Not actually a Cisco solution, but here where I work we run XP on the desktop and we lock down users' PCs so that they cannot change their IP address. If you give the users permissions on their laptops to change things, load software, etc., then no matter how many security features on the switches you enable you are still asking for trouble, to be honest.

HTH

Jon
