Secure Layer 3 Gateway & HSRP in 6500

Hi,

We have two 6500s with Sup 720s running HSRP, backing each other up. The BDF and IDF switches are Catalyst 3750s or 2960s. Currently we are experiencing some users statically hard-coding their workstation IP to be one of our HSRP IP addresses. After a workstation is statically assigned an HSRP address, the core starts logging duplicate IP and users start experiencing a network outage. I was wondering if anyone has any suggestion on how to secure the Layer 3 IP?

Thanks,

J

5 REPLIES

Re: Secure Layer 3 Gateway & HSRP in 6500

What do you mean how to secure their layer 3 IP?

The first thing you have to do is get this guy's PC off your network. Then you smack him upside his head for being stupid.

After that, I'm lost. What are you trying to accomplish?

Victor


Re: Secure Layer 3 Gateway & HSRP in 6500

One user changed their computer's IP from a DHCP client to a static IP. Unfortunately, the user used one of the HSRP addresses, and the 6500 started logging duplicate IP in syslog. Because of this issue a lot of workstations in the same network started using the offending workstation's MAC as the gateway MAC. I was just wondering if anyone has any suggestion on the network side to prevent this from happening?

Thanks,

J

Re: Secure Layer 3 Gateway & HSRP in 6500

L2 hardening should do the trick. Implement port security, DHCP snooping, and Dynamic ARP Inspection.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/prod_white_paper0900aecd80339c2d.pdf p. 17


Re: Secure Layer 3 Gateway & HSRP in 6500

Thanks for the suggestion. I do have port security and DHCP snooping implemented. However, it does not stop users from statically assigning their own IP. I think DAI will stop statically assigned IPs, but I have a few hundred servers' MACs that I would need to distribute throughout the campus, and limiting users from changing NICs or switch ports is kind of a pain for both the users and us... I wonder if anyone has done it differently?

Thanks

J
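The following Cisco IOS access-switch configuration is an added example illustrating the L2 hardening suggested above and the static-host question raised in the reply; it is not from the original thread or from Cisco's white paper. VLAN 10, interface names, the 10.10.10.0/24 addressing, the HSRP virtual IP 10.10.10.1 and the server MAC 0011.2233.4455 are all assumed placeholders. The security point is that DHCP snooping alone only inspects DHCP; it is Dynamic ARP Inspection (DAI), checking ARP replies against the snooping binding table, that drops the rogue workstation's ARP for the HSRP virtual IP before neighbouring hosts learn its MAC as the gateway, and IP Source Guard that drops IP traffic the host sources from an address it never leased.

```text
! --- Added example: Catalyst 3750/2960 access switch, IOS 12.2 syntax ---
! Assumed: user VLAN 10, uplink Gi1/0/1 towards the 6500 HSRP pair,
! HSRP VIP 10.10.10.1, one statically addressed server on Gi1/0/48.

! 1. DHCP snooping builds the IP-to-MAC-to-port binding table that DAI
!    and IP Source Guard enforce against. The uplink is the only port
!    allowed to carry server-side DHCP messages (OFFER/ACK).
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping database flash:dhcp-snoop.db
!
interface GigabitEthernet1/0/1
 description Uplink to 6500 core (HSRP gateways live here)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 2. DAI: an ARP reply claiming "10.10.10.1 is-at <workstation MAC>" is
!    dropped on an untrusted port unless that IP/MAC pair is in the
!    snooping table, so the hard-coded workstation can no longer poison
!    its neighbours' ARP caches for the gateway address.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 256
!
! 3. Hosts that never lease an address (servers, printers) have no
!    binding, so DAI would drop their ARP too. An ARP ACL whitelists
!    them; without the "static" keyword DAI still falls back to the
!    snooping table for anything the ACL does not mention, so the ACL
!    only needs the hosts attached to THIS switch, not every server
!    on the campus. Assumed server address/MAC below.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
! 4. User ports: port security caps MACs per port, ARP rate limiting
!    stops a host from flooding the CPU with ARP to trigger errdisable,
!    and IP Source Guard drops IP packets whose source is not in the
!    binding table (so a self-assigned 10.10.10.1 cannot even forward).
interface range GigabitEthernet1/0/2 - 47
 description User access port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip arp inspection limit rate 15
 ip verify source port-security
 spanning-tree portfast
!
! 5. The statically addressed server: IP Source Guard is bound to a
!    static snooping entry instead of a lease.
interface GigabitEthernet1/0/48
 description Server with static IP (assumed)
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
 ip verify source port-security
!
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface Gi1/0/48
!
! 6. Verification commands worth running after enabling:
!    show ip dhcp snooping binding
!    show ip arp inspection vlan 10
!    show ip arp inspection statistics vlan 10   (watch "DHCP Drops")
!    show ip verify source
!    show errdisable recovery
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Roll this out one VLAN at a time and watch `show ip arp inspection statistics` for drops before trusting it campus-wide: a port whose host legitimately exceeds the ARP rate limit goes into errdisable, which is why the recovery timer is set. DAI only protects the segments where it is enabled, so the core-facing trunks must stay trusted and every access switch in the VLAN needs the feature, otherwise a rogue ARP from an unprotected switch still reaches the rest of the VLAN.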


Re: Secure Layer 3 Gateway & HSRP in 6500

Hi J

Not actually a Cisco solution, but here where I work we run XP on the desktop and we lock down users' PCs so that they cannot change their IP address. If you give users permissions on their laptops to change things, load software etc., then no matter how many security features you enable on the switches you are still asking for trouble, to be honest.

HTH

Jon
