IP management at data center.

Jun 24th, 2008

I have got a problem with IP assignment for colo servers. Each server is assigned a public IP. However, I lost some public IPs belonging to the subnet because my customer used more public IPs for a VPS service.

It's not easy to find out who used them consciously. Is it possible to fix an IP on a switch port, or is there any other proposal to solve it?

Thanks in advance.

mslavin Tue, 06/24/2008 - 03:37

Hi Tuyen,

I'm not quite sure what you are driving at, but it sounds like you want to find who is using certain IPs and how you can prevent them from using IPs that do not belong to them.

If this is correct, the following might help:

For finding out where an IP is coming from, I usually use a combination of looking at ARP tables, finding the associated MAC address, then looking at MAC tables to trace back packet flows to the originating port.

Assuming we are talking Cisco switches and IOS, the following are some of the commands I would use:

"show arp" - Shows what MAC address is being used by what IP

"show mac-add dyn" - Shows what port that MAC address was learned on (and thus where the IP is coming from)

For example, I would probably start on the device acting as the default gateway and ping the IP in question (this is important to make sure that this device has fresh information in its tables). Assuming I received a ping response, I would then do a "show arp" and learn what the MAC address was for that IP. I would then go to the switch the default gateway is plugged into (which may actually be the default gateway itself in some cases) and run the command "show mac-add dyn" and find the MAC address in question. This would tell me what port it learned this MAC on. I would then trace the cable from this port. If it goes to an end device, you're done (you have found the offending device). If it goes to another switch, I would go to that other switch and repeat the "show mac-add dyn" command, find out what port it learned the MAC from, and keep doing this until I get to the port that goes to the offending end device.

There are also management tools that can aid with this, but the above is usually the quickest way to get to the bottom of such issues in my own experience.

For locking down what IPs a customer can use, there are many options, such as implementing ACLs on the ports to only permit certain IP source addresses from entering the network. Exactly what is available will depend on the vendor and model of switch, and in some cases, the revision of code on that switch. Assuming we are talking Cisco and IOS again, the following link provides some guidance on blocking and allowing certain IP addresses:


If you are uncomfortable with implementing this there are many consultants that would be willing to assist for a fee.

Hope this helps

Thanks, Matt

spt177 Tue, 06/24/2008 - 19:18

Hi, Matt

Thank you for your quick answer. Following your way, I can identify who is using a certain IP and complain to them. However, I only detect it when I check to assign a new customer or see logging about a conflicting IP. With thousands of colo servers, this discovery isn't found soon.

So I'm looking for a solution for prevention. As you proposed, an ACL can be used, but it only applies to layer-3 interfaces; I'd like to limit IPs at the switch port (layer 2) connecting directly to the server. I tried with my access switches (Cat 6509 with Sup2) but it is not supported, but with a Cat3550 it is good.

Please give me more advice.

Thanks a lot.
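
Taking Matt's ARP-then-MAC-table trace together with the concern above that checking thousands of colo servers by hand is too slow, here is an added Python example (not code from this thread, from Cisco, or from either poster). It parses captured "show arp" and "show mac address-table dynamic" ("show mac-add dyn") output, follows a MAC from switch to switch across uplinks the way Matt describes, and reports every IP that shows up on a port other than the one it was assigned to. The device output, the two-switch topology, the uplink map and the assignment records are all constructed for the example; the port names and switch names are hypothetical.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the format of IOS "show arp" on the default gateway
# (not captured from a real device). 203.0.113.1 is the gateway's own address.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0000.0c9f.f001  ARPA   Vlan100
Internet  203.0.113.10            5   0011.2233.4455  ARPA   Vlan100
Internet  203.0.113.11           12   0011.2233.bbbb  ARPA   Vlan100
Internet  203.0.113.12            3   0011.2233.bbbb  ARPA   Vlan100
Internet  203.0.113.20            8   0011.2233.cccc  ARPA   Vlan100
"""

# Constructed samples in the format of "show mac address-table dynamic",
# one per switch in a hypothetical two-switch topology.
MAC_TABLES = {
    "dist-1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Gi1/0/1
 100    0011.2233.bbbb    DYNAMIC     Gi1/0/24
 100    0011.2233.cccc    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 3
""",
    "access-2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Gi0/1
 100    0011.2233.bbbb    DYNAMIC     Fa0/5
 100    0011.2233.cccc    DYNAMIC     Fa0/9
""",
}

# Hypothetical inter-switch links: (switch, port) -> switch on the far end.
UPLINKS: Dict[Tuple[str, str], str] = {
    ("dist-1", "Gi1/0/24"): "access-2",
    ("access-2", "Gi0/1"): "dist-1",
}

# Hypothetical assignment records: the public IPs each customer port may use.
ASSIGNED: Dict[Tuple[str, str], set] = {
    ("dist-1", "Gi1/0/1"): {"203.0.113.10"},
    ("access-2", "Fa0/5"): {"203.0.113.11"},
    ("access-2", "Fa0/9"): {"203.0.113.20", "203.0.113.21"},
}

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(" + MAC + r")\s", re.M)
MAC_RE = re.compile(r"^\s*\d+\s+(" + MAC + r")\s+\S+\s+(\S+)\s*$", re.M)


def parse_arp(text: str) -> Dict[str, str]:
    """IP -> MAC from "show arp", skipping the device's own entries (age '-')."""
    return {ip: mac for ip, age, mac in ARP_RE.findall(text) if age != "-"}


def parse_mac_table(text: str) -> Dict[str, str]:
    """MAC -> port from "show mac address-table dynamic"; header/footer lines are ignored."""
    return dict(MAC_RE.findall(text))


def parse_all(tables: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    return {switch: parse_mac_table(text) for switch, text in tables.items()}


def trace_mac(mac: str, start: str, tables, uplinks, max_hops: int = 16) -> Optional[Tuple[str, str]]:
    """Follow a MAC from switch to switch until it is learned on a non-uplink port."""
    switch, visited = start, set()
    for _ in range(max_hops):
        if switch in visited:          # loop guard: inconsistent uplink map
            return None
        visited.add(switch)
        port = tables.get(switch, {}).get(mac)
        if port is None:               # MAC aged out or switch not collected
            return None
        if (switch, port) not in uplinks:
            return (switch, port)      # edge port: the end device is here
        switch = uplinks[(switch, port)]
    return None


def audit(arp, tables, uplinks, assigned, gateway_switch: str) -> Dict[str, Tuple[str, str]]:
    """IPs traced to a port they are not assigned to: ip -> (switch, port)."""
    violations = {}
    for ip, mac in arp.items():
        loc = trace_mac(mac, gateway_switch, tables, uplinks)
        if loc is not None and ip not in assigned.get(loc, set()):
            violations[ip] = loc
    return violations


def run_audit() -> Dict[str, Tuple[str, str]]:
    return audit(parse_arp(SHOW_ARP), parse_all(MAC_TABLES), UPLINKS, ASSIGNED, "dist-1")


if __name__ == "__main__":
    for ip, (switch, port) in sorted(run_audit().items()):
        print(f"{ip} seen on {switch} {port}, which is not assigned that address")
```

To use it on a real network, replace the strings with the commands' output from the gateway and each switch (and, as Matt notes, ping each address from the gateway first so the ARP entry is fresh). In the sample data, 203.0.113.12 is flagged on access-2 Fa0/5, the port that is only assigned 203.0.113.11: the extra VPS address from the original question. The result is an aid for locating a device, not proof of who is responsible: ARP and MAC entries are whatever the customer's host announced and can be changed there, so a hit says only where that traffic was last seen, and a port-level filter remains the control that actually stops an unassigned address from being used.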

spt177 Mon, 07/07/2008 - 00:21

Thanks for your proposal. It's very great and able to solve my issue. But I'm wondering:

- Can it influence the performance of the device (switch) when applied?

- Is the technique used widely in data centers?

Can you share your experience with me?

Thanks a lot.
