
Control duplicated IP

redcoruna
Level 1

Hello,

We assign static IPs to all equipment on our network. The issue is that when someone sets the IP of another server, it can cause packet collisions and bring the connection down.

I thought of a solution: create an ACL for each port, as follows:

    ip access-list standard IP-f0/1
     permit host 192.168.1.2
     deny any
    interface f0/1
     ip access-group IP-f0/1 in

With this configuration, only the IP 192.168.1.2 can be assigned to any equipment attached to f0/1. Do you think this could be the solution?

Regards.

2 Replies

Edison Ortiz
Hall of Fame

That may be a solution, but it is way too cumbersome and requires a lot of administrative work.

How about using DHCP with IP address reservations or static mappings? You can then deploy DHCP snooping with IP Source Guard.

This option is more scalable and requires less administrative work in the switches.

The following is some reading documentation from the 3560 Series:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swdhcp82.html#wp1138804

HTH,

Edison.

Hello,

I agree with Edison. It is so easy to swap two LAN cables during maintenance work, and if someone does it, you have two servers isolated! And it is not scalable.

With a DHCP server the new host can get its IP address dynamically and then you can associate this IP address to the host's NIC MAC address (a reservation).

With DHCP snooping and IP Source Guard you protect your network from some possible attacks, and you dynamically get a binding between an IP address and the switch port where the host's NIC is connected.

Best Regards

Giuseppe
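
The approach suggested in the replies above, sketched as an added example (not part of the original thread and not copied from the linked Cisco guide): DHCP snooping with IP Source Guard on the access ports, plus a static source binding for a server that keeps a manually configured address. VLAN 10, the interface numbers and the MAC address are constructed values; 192.168.1.2 and f0/1 are taken from the original question.

```cisco
! Added example. VLAN 10, Gi0/1, Fa0/2 and the MAC address are constructed.
!
! 1. Enable DHCP snooping globally and on the access VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Assumption: the DHCP server rejects requests carrying option 82 with an
! empty giaddr. If your server accepts them, leave the default in place.
no ip dhcp snooping information option
!
! 2. Only the port facing the DHCP server is trusted; every other port is
!    untrusted by default, so server replies arriving there are dropped.
interface GigabitEthernet0/1
 description Uplink toward DHCP server
 ip dhcp snooping trust
!
! 3. DHCP client port: IP Source Guard permits only the source IP that
!    the snooping binding table has recorded for this port.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! 4. A server with a manually configured address never gets a lease, so
!    it has no snooped binding. A static binding replaces the per-port ACL.
ip source binding 0000.5e00.5301 vlan 10 192.168.1.2 interface FastEthernet0/1
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! Checks from exec mode:
!   show ip dhcp snooping binding   (leases learned per port)
!   show ip source binding          (static and dynamic entries)
!   show ip verify source           (filter applied on each port)
```

Enable `ip verify source` on a port only after its binding exists (snooped or static); a host with no binding on a guarded port has all of its IP traffic dropped, which is also what happens to a machine that is manually given another server's address.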
