Cisco Support Community

New Member

IP management at data center.

Hi,

I have a problem with IP assignment for colo servers. Each server is assigned a public IP. However, I have lost some public IPs belonging to the subnet because my customers use more public IPs for their VPS service.

It's not easy to find out who is using them deliberately. Is it possible to fix an IP to a switch port, or is there any other proposal to solve it?

Thanks in advance.

4 REPLIES
New Member

Re: IP management at data center.

Hi Tuyen,

I'm not quite sure what you are driving at, but it sounds like you want to find who is using certain IPs and how you can prevent them from using IPs that do not belong to them.

If this is correct, the following might help:

For finding out where an IP is coming from, I usually use a combination of looking at ARP tables, finding the associated MAC address, then looking at MAC tables to trace back packet flows to the originating port.

Assuming we are talking Cisco switches and IOS, the following are some of the commands I would use:

"show arp" - Shows what MAC address is being used by what IP

"show mac-add dyn" - Shows what port that MAC address was learned on (and thus where the IP is coming from)

For example, I would probably start on the device acting as the default gateway and ping the IP in question (this is important to make sure that this device has fresh information in its tables). Assuming I received a ping response, I would then do a "show arp" and learn what the MAC address was for that IP. I would then go to the switch the default gateway is plugged into (may actually be the default gateway itself in some cases) and run the command "show mac-add dyn" and find the MAC address in question. This would tell me what port it learned this MAC on. I would then trace the cable from this port. If it goes to an end device, you're done (you have found the offending device). If it goes to another switch, I would go to that other switch and repeat the "show mac-add dyn" command, find out what port it learned the MAC from, and keep doing this until I get to the port that goes to the offending end device.

There are also management tools that can aid with this, but the above is usually the quickest way to get to the bottom of such issues in my own experience.

For locking down what IPs a customer can use, there are many options, such as implementing ACLs on the ports to only permit certain IP source addresses from entering the network. Exactly what is available will depend on the vendor and model of switch, and in some cases, the revision of code on that switch. Assuming we are talking Cisco and IOS again, the following link provides some guidance on blocking and allowing certain IP addresses:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

If you are uncomfortable with implementing this there are many consultants that would be willing to assist for a fee.

Hope this helps

Thanks, Matt

New Member

Re: IP management at data center.

Hi, Matt

Thank you for your quick answer. Following your method, I can identify who is using a certain IP and complain to them. However, I only detect it when I check before assigning a new customer or see logging about a conflicting IP. With thousands of colo servers, this isn't discovered quickly.

So I'm looking for a solution for prevention. As you propose, an ACL can be used, but it only applies to a layer-3 interface, and I'd like to limit IPs at the switch port (layer 2) connecting directly to the server. I tried it on my access switches (Cat 6509 with Sup2) but it is not supported, whereas on the Cat 3550 it works.

Please give me more advice.

Thanks a lot.

Silver

Re: IP management at data center.

Hello,

If you are looking to manually define what IP addresses are allowed to talk on a Layer 2 switch port, then your answer is IP Source Guard:

http://cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/ipsrcgrd.html

Hope this helps,

Brad
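To tie Matt's trace procedure (gateway ARP table, then MAC table hop by hop down to the edge port) to Brad's IP Source Guard suggestion, here is an added example written for this page; it is not code from the thread or from Cisco. Everything in it is constructed: the "show arp" and "show mac address-table" text imitates Catalyst IOS output but was not captured from a real network, the switch names, ports and 203.0.113.0/24 addresses are hypothetical, and the uplink map stands in for CDP/LLDP or cabling records. The config lines it emits follow the static-binding syntax in the IP Source Guard guide linked above; the per-interface keyword differs by platform (the 6500 12.2SX guide uses "ip verify source vlan dhcp-snooping"), and the guides require DHCP snooping to be enabled on the VLAN even when only static bindings are used, so check the syntax against your own release before pasting it in.

```python
"""Trace a public IP to the access port that sources it, then emit a static
IP Source Guard binding that pins it there.  Added example; all show-command
output below is constructed and the topology is assumed.
"""
import re

# Constructed 'show arp' from the default gateway (hypothetical addresses).
GATEWAY_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0011.2233.0001  ARPA   Vlan100
Internet  203.0.113.25            3   0011.2233.aabb  ARPA   Vlan100
Internet  203.0.113.30            0   0011.2233.ccdd  ARPA   Vlan100
"""

# Constructed 'show mac address-table dynamic' per switch.  dist1 is the switch
# the gateway plugs into; access1 hangs off dist1 Gi1/1 and holds the servers.
MAC_TABLES = {
    "dist1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.aabb    DYNAMIC     Gi1/1
 100    0011.2233.ccdd    DYNAMIC     Gi1/1
""",
    "access1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.aabb    DYNAMIC     Gi0/12
 100    0011.2233.ccdd    DYNAMIC     Gi0/24
""",
}

# Assumed cabling: (switch, port) -> switch at the far end of that uplink.
# Any port not listed here is treated as an edge port with a server behind it.
UPLINKS = {("dist1", "Gi1/1"): "access1"}

MAC = r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"
ARP_RE = re.compile(
    rf"^Internet\s+(?P<ip>\d+(?:\.\d+){{3}})\s+\S+\s+(?P<mac>{MAC})\s+ARPA\s+(?P<intf>\S+)",
    re.I | re.M,
)
# The port is the last column; the lazy '.*?' skips the extra 6500 columns
# ('dynamic  Yes  10  Gi1/1') as well as fitting the 3550-style layout above.
MAC_RE = re.compile(
    rf"^\s*\*?\s*(?P<vlan>\d+)\s+(?P<mac>{MAC})\s+(?:dynamic|static)\b.*?(?P<port>\S+)\s*$",
    re.I | re.M,
)


def parse_arp(text):
    """Map IP -> (mac, interface) from 'show arp' output."""
    return {m["ip"]: (m["mac"].lower(), m["intf"]) for m in ARP_RE.finditer(text)}


def parse_mac_table(text):
    """Map MAC -> (vlan, port) from 'show mac address-table' output."""
    return {m["mac"].lower(): (int(m["vlan"]), m["port"]) for m in MAC_RE.finditer(text)}


def trace_ip(ip, arp_text, mac_tables, uplinks, start_switch):
    """Resolve the MAC at the gateway, then follow it switch by switch until the
    learning port is not an uplink.  Raises LookupError when an entry is missing
    (ping the IP from the gateway first so the tables are fresh)."""
    arp = parse_arp(arp_text)
    if ip not in arp:
        raise LookupError(f"{ip} is not in the gateway ARP table")
    mac = arp[ip][0]
    path, switch, visited = [], start_switch, set()
    while True:
        if switch in visited:
            raise RuntimeError(f"uplink map loops back to {switch} while tracing {mac}")
        visited.add(switch)
        if switch not in mac_tables:
            raise LookupError(f"no MAC table captured for {switch}")
        table = parse_mac_table(mac_tables[switch])
        if mac not in table:
            raise LookupError(f"{mac} is not learned on {switch}; it may have aged out")
        vlan, port = table[mac]
        path.append((switch, port))
        nxt = uplinks.get((switch, port))
        if nxt is None:  # edge port: this is where the IP is physically coming from
            return {"ip": ip, "mac": mac, "vlan": vlan, "switch": switch, "port": port, "path": path}
        switch = nxt


def ipsg_config(binding):
    """Static IP Source Guard binding for the traced edge port (assumed syntax,
    see the lead-in; 6500 12.2SX uses 'ip verify source vlan dhcp-snooping')."""
    return [
        "ip dhcp snooping",
        f"ip dhcp snooping vlan {binding['vlan']}",
        f"ip source binding {binding['mac']} vlan {binding['vlan']} {binding['ip']} interface {binding['port']}",
        f"interface {binding['port']}",
        " ip verify source",
    ]


if __name__ == "__main__":
    hit = trace_ip("203.0.113.25", GATEWAY_SHOW_ARP, MAC_TABLES, UPLINKS, "dist1")
    print("trace:", " -> ".join(f"{sw}:{p}" for sw, p in hit["path"]))
    print("\n".join(ipsg_config(hit)))
```

The only part that needs to be fed with real data is the three constants at the top: paste in the gateway's "show arp", each switch's "show mac address-table dynamic", and the uplink map, and the trace returns the edge switch and port in one step instead of a manual hop-by-hop session. Run it on a schedule and it also answers the "I only find out at the next conflict" problem raised above, since every public IP seen in the ARP table can be traced and compared with the port it was sold on.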

New Member

Re: IP management at data center.

Hi,

Thanks for your proposal. It's great and able to solve my issue. But I'm wondering:

- Can it influence the performance of the device (switch) when applied?

- Is this technique popular in data centers?

Can you share your experience with me?

Thanks a lot.
