Re: Ip Conflict Resolver

From: Huan Pham (pnhuan@yahoo.com)
Date: Thu Nov 20 2008 - 09:18:13 ARST

• Next message: shoaibmohammad@hotmail.com: "test"
• Previous message: Darby Weaver: "Re: Ip Conflict Resolver"
• Maybe in reply to: Mark Stephanus Chandra: "Ip Conflict Resolver"
• Next in thread: Rik Guyler: "RE: Ip Conflict Resolver"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I think Dynamic ARP Inspection is what you need ....

Catalyst 3560 Switch Software Configuration Guide, Rel. 12.2(46)SE
Configuring Dynamic ARP Inspection
 
 
Dynamic ARP inspection is a security feature that validates ARP packets in a
network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC
address bindings. This capability protects the network from certain
man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses are
relayed. The switch performs these activities:
Intercepts all ARP requests and responses on untrusted ports
Verifies that each of these intercepted packets has a valid IP-to-MAC address
binding before updating the local ARP cache or before forwarding the packet to
the appropriate destination
Drops invalid ARP packets
 
Dynamic ARP inspection determines the validity of an ARP packet based on valid
IP-to-MAC address bindings stored in a trusted database, the DHCP snooping
binding database. This database is built by DHCP snooping if DHCP snooping is
enabled on the VLANs and on the switch. If the ARP packet is received on a
trusted interface, the switch forwards the packet without any checks. On
untrusted interfaces, the switch forwards the packet only if it is valid.
You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp
inspection vlan vlan-range global configuration command. For configuration
information, see the "Configuring Dynamic ARP Inspection in DHCP Environments"
section.
In non-DHCP environments, dynamic ARP inspection can validate ARP packets
against user-configured ARP access control lists (ACLs) for hosts with
statically configured IP addresses. You define an ARP ACL by using the arp
access-list acl-name global configuration command. For configuration
information, see the "Configuring ARP ACLs for Non-DHCP Environments" section.
The switch logs dropped packets. For more information about the log buffer,
see the "Logging of Dropped Packets" section.
 
e.g.

Switch(config)# arp access-list host2
Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 1.1.1
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter host2 vlan 1
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# no ip arp inspection trust

--- On Thu, 11/20/08, Mark Stephanus Chandra <mark.chandra@gmail.com> wrote:

From: Mark Stephanus Chandra <mark.chandra@gmail.com>
Subject: Ip Conflict Resolver
To: ccielab@groupstudy.com
Date: Thursday, November 20, 2008, 9:22 PM

Guys,

It's kinda out of topic from ccie lab,

but I just wondering after googling several times, I still cannot find the
solution.

So the problem is , In My company, we use static ip to connect to LAN. But
the problem is, a lot of ip conflict in the network and unfortunately,
sometimes there are users using my President Director IP Address.

So, that make world war 3 in my office :)

So I've got called to resolve this problem. Any suggestion ?

Regards

Mark Stephanus Chandra
IT Consultant

Blogs and organic groups at http://www.ccie.net

• Next message: shoaibmohammad@hotmail.com: "test"
• Previous message: Darby Weaver: "Re: Ip Conflict Resolver"
• Maybe in reply to: Mark Stephanus Chandra: "Ip Conflict Resolver"
• Next in thread: Rik Guyler: "RE: Ip Conflict Resolver"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST