From: Mark Stephanus Chandra (mark.chandra@gmail.com)
Date: Thu Nov 20 2008 - 11:33:26 ARST
Thanks a lot guys,
This is really helpful, This is the best mailing list ever :)
Thanks for sharing
Regards
Mark Stephanus Chandra
IT Consultant
From: Huan Pham [mailto:pnhuan@yahoo.com]
Sent: 20 Nopember 2008 18:18
To: ccielab@groupstudy.com; Mark Stephanus Chandra
Subject: Re: Ip Conflict Resolver
I think Dynamic ARP Inspection is what you need ....
Catalyst 3560 Switch Software Configuration Guide, Rel. 12.2(46)SE
Configuring Dynamic ARP Inspection
Dynamic ARP inspection is a security feature that validates ARP packets in a
network. It intercepts, logs, and discards ARP packets with invalid
IP-to-MAC address bindings. This capability protects the network from
certain man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses
are relayed. The switch performs these activities:
.Intercepts all ARP requests and responses on untrusted ports
.Verifies that each of these intercepted packets has a valid IP-to-MAC
address binding before updating the local ARP cache or before forwarding the
packet to the appropriate destination
.Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on
valid IP-to-MAC address bindings stored in a trusted database, the DHCP
snooping binding database. This database is built by DHCP snooping if DHCP
snooping is enabled on the VLANs and on the switch. If the ARP packet is
received on a trusted interface, the switch forwards the packet without any
checks. On untrusted interfaces, the switch forwards the packet only if it
is valid.
You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp
inspection vlan vlan-range global configuration command. For configuration
information, see the "Configuring Dynamic ARP Inspection in DHCP
Environments" section.
In non-DHCP environments, dynamic ARP inspection can validate ARP packets
against user-configured ARP access control lists (ACLs) for hosts with
statically configured IP addresses. You define an ARP ACL by using the arp
access-list acl-name global configuration command. For configuration
information, see the "Configuring ARP ACLs for Non-DHCP Environments"
section. The switch logs dropped packets. For more information about the log
buffer, see the "Logging of Dropped Packets" section.
e.g.
Switch(config)# arp access-list host2
Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 1.1.1
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter host2 vlan 1
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no ip arp inspection trust
--- On Thu, 11/20/08, Mark Stephanus Chandra <mark.chandra@gmail.com> wrote:
From: Mark Stephanus Chandra <mark.chandra@gmail.com>
Subject: Ip Conflict Resolver
To: ccielab@groupstudy.com
Date: Thursday, November 20, 2008, 9:22 PM
Guys,
It's kinda out of topic from ccie lab,
but I just wondering after googling several times, I still cannot find the
solution.
So the problem is , In My company, we use static ip to connect to LAN. But
the problem is, a lot of ip conflict in the network and unfortunately,
sometimes there are users using my President Director IP Address.
So, that make world war 3 in my office :)
So I've got called to resolve this problem. Any suggestion ?
Regards
Mark Stephanus Chandra
IT Consultant
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST