How to link a MAC address to an IP address without a firewall

sguerrero
Level 1

I have networks with Cisco Catalyst 6000 switches. I have a collapsed architecture using a Layer 3 switch core-access backbone.

I want to link some of the servers' MAC addresses to a static IP, but I am not sure if it is possible only using access-lists.

In some cases I have CatOS and in others I have IOS.

Please send any advice.

4 Replies

blazesod
Level 1

Hi,

I don't understand your question. It sounds like you are trying to set up server clustering and have them all use the same Virtual IP. Is this correct?

Dave

Hi, what I want to solve is this:

I have some VLANs that are used for servers and users. I have a range of static IPs and a range of DHCP. In some cases I have had the problem that users take an IP of the static range and they configure it on a host, so I have IP conflicts. So, what I need is somehow to link the server's MAC address with its static IP, so that when a user wants to use a static IP that already belongs to a server, it is impossible to use it.

Thanks

Hi sguerrero,

You have a VLAN that houses your servers and users. Then you have a range of DHCP addresses and a range of static addresses. Some users have taken it upon themselves to configure static IP addresses that conflict with your servers' reservations. I had this exact problem about 2 years ago when I took over a small remote network.

Here are my suggestions and lessons learned:

1) Do your users need permission to configure their own IP addresses?

You should prevent users from configuring their own static IPs on the workstations based on user permissions and rights. In WIN2000 it is done through User Manager or with a security policy. Given the recent (?) problem with your servers and IP conflicts I would prevent any users from doing this in the future. I would then make sure the "organizational security policy" (if you don't have one, create one) prevented this from occurring again.

Justification: Without this restriction any user can initiate a Denial of Service attack against the network by accident. It is also a bad security practice.

2) Do your access switches support access-list (ACL) security? (2950, 3500 etc.)

If yes, you can create an ACL which only allows traffic from a select range of host IPs. This could be your DHCP scope. Apply the ACL inbound on the user ports.

3) Do your hosts always plug into the same port on the switch or do they move offices frequently?

As an added security feature you can use the "port secure" command which only allows a specified MAC address to access a given switch port. If you apply port secure and the host MAC tries to access another port, the switch will shutdown the port preventing unauthorized access.

4) Do your users and the servers need to be on the same VLAN?

You could also create a new VLAN for your users. Then create a gateway address (could be virtual or a subinterface) on a distribution point, Layer 3 switch or router. Then apply the ACL to the gateway interface. All hosts will go through the gateway to access the server VLAN, limiting the potential of another IP conflict with the servers.

Summary:

There are a number of additional security features you can use. The hard part is balancing security practices with productivity, compatibility and ease of use. If you have one I highly recommend you start creating a good security policy today. If you would like further information or help on anything mentioned above just ask.

R/S

Dave
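The three switch-side measures Dave lists (an inbound ACL on user ports limited to the DHCP scope, port security pinning one MAC to a server port, and a static IP-to-MAC binding on the Layer 3 gateway) as an added Cisco IOS configuration example. This is not configuration from the thread or from Cisco documentation; the interface names, VLAN 10, the 10.10.10.0/24 subnet (servers static in 10.10.10.0/25, DHCP scope 10.10.10.128/25) and the MAC address 0000.1111.2222 are placeholders.

```cisco
! Added example, not from the thread. VLAN 10, the 10.10.10.0/24 subnet,
! interface names and MAC 0000.1111.2222 are placeholders.

! --- 2) Port ACL on user ports: only the DHCP scope may source traffic ---
! Static server range: 10.10.10.0/25 (.1-.127). DHCP scope: 10.10.10.128/25.
! A user who hand-configures a server address from the static range is
! dropped at the access port, so the conflict never reaches the segment.
ip access-list extended USER-PORTS-IN
 remark DHCP discover/request is sourced from 0.0.0.0 before a lease exists
 permit udp host 0.0.0.0 eq bootpc any eq bootps
 remark hosts with a lease from the DHCP scope (10.10.10.128-255)
 permit ip 10.10.10.128 0.0.0.127 any
 remark anything else, including addresses from the static server range
 deny ip any any log
!
interface FastEthernet0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 ip access-group USER-PORTS-IN in
!
! --- 3) Port security on a server port: exactly one permitted MAC ---
! Another device plugged into this port (or the MAC appearing elsewhere
! with a sticky/secure config) triggers the violation action; "shutdown"
! err-disables the port until it is cleared by an administrator.
interface FastEthernet0/10
 description server port, pinned to one MAC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation shutdown
!
! --- Static ARP on the Layer 3 gateway (SVI for VLAN 10) ---
! Binds the server's IP to its MAC in the gateway's ARP table so the
! gateway keeps forwarding to the real server even if another host
! answers ARP for 10.10.10.5.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
arp 10.10.10.5 0000.1111.2222 arpa
!
! --- Verification ---
! show access-lists USER-PORTS-IN            (hit counters on the deny line
!                                             reveal hosts using static addresses)
! show port-security interface FastEthernet0/10
! show ip arp 10.10.10.5                     (should show the static entry)
! show interfaces status err-disabled        (ports shut by a violation)
```

The ACL is what actually addresses the IP-conflict problem: the static ARP entry only keeps the gateway's view of the server correct and does nothing about a rogue host answering ARP directly to other hosts on the same VLAN, and port security protects the server's port rather than the server's address. The `deny ... log` hit counter is also a cheap way to find which user ports are sourcing addresses from the static range before any port is shut down. ACL support on access switches depends on the model and feature set, as Dave's question 2 points out, so check the platform before relying on the port ACL.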

sergej.gurenko
Level 1

What do you want to achieve?

Do you want protection from ARP spoofing? (http://www.oxid.it/downloads/apr-intro.swf)

Or maybe you want to do SLB? (http://www.cisco.com/warp/public/cc/so/neso/ienesv/cxne/cslbs_ov.htm)

Or you just want to map several IP-to-MAC bindings on all your switches' router engines? Please note that not all IOS versions support multicast MAC to IP bindings.