Duplicate IP - block by hw mac

Krystians
Level 1

How to avoid a human mistake, where the IP address of the key service was raised and a duplicate IP then appeared?
Is there some mechanism that keeps all MACs + IPs in a database, and if a duplicate IP appears, blocks it by the newly notified MAC address? On the basis of:

mac address-table static 3408.0499.981c vlan X drop

I would not want to block the entire interface because multiple VMs are running on 1 physical server.
We do not use a DHCP server; each address is statically configured manually by a human.

I don't want to assign a MAC to a specific port because VMs can migrate between several client switches (static ARP + MAC ACL).


There is a utility like "Excel" that tells which IP addresses are free and which IP addresses are used.
Unfortunately, not everyone reads it carefully, so we have to bring in a guard.


This may be (if any) an option in Cisco routers,
it may be an additional device (an external Cisco firewall, or any other vendor),
or, at the moment, I only have in my head making a script that would do these activities "manually". Or maybe someone has already done something like this?
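As an added example (not code from this thread), here is the skeleton of the "script" approach: it parses IOS-style "show ip arp" output (the sample below is constructed), keeps an IP-to-MAC binding table, and emits the quoted drop command for any newly seen MAC that claims an IP already bound to another MAC. Whichever MAC the table already holds is treated as the legitimate owner, so preloading the table from an inventory is what lets the operator, not arrival order, decide who the intruder is.

```python
import re

# Constructed sample of IOS "show ip arp" output (not taken from the thread).
# The last line is a second MAC claiming 10.10.20.5: the duplicate we want to catch.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.5              3   0050.56aa.0001  ARPA   Vlan20
Internet  10.10.20.6              0   0050.56aa.0002  ARPA   Vlan20
Internet  10.10.20.5              0   0050.56bb.0099  ARPA   Vlan20
"""

# Address, age (a number or "-"), dotted MAC, type, SVI name.
ARP_RE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA\s+Vlan(\d+)", re.I
)


def parse_arp(text):
    """Yield (ip, mac, vlan) tuples from IOS-style ARP output; header lines are skipped."""
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), int(m.group(3))


class BindingDb:
    """Authoritative IP -> MAC map. A preloaded entry, or the first MAC seen, owns the IP."""

    def __init__(self, known=None):
        self.bindings = dict(known or {})

    def observe(self, ip, mac, vlan):
        """Return a drop command if `mac` claims an IP owned by a different MAC, else None."""
        owner = self.bindings.setdefault(ip, mac)
        if owner == mac:
            return None
        # Same IP, different MAC: block only the newly notified MAC, not the whole port,
        # so the other VMs on that physical server keep working.
        return f"mac address-table static {mac} vlan {vlan} drop"


def audit(arp_text, known=None):
    """Run one ARP snapshot through the binding table and collect the resulting drop commands."""
    db = BindingDb(known)
    return [cmd for ip, mac, vlan in parse_arp(arp_text)
            if (cmd := db.observe(ip, mac, vlan))]


if __name__ == "__main__":
    for command in audit(SAMPLE_ARP):
        print(command)
```

In practice the table would be persisted between runs and the generated commands reviewed before being pushed, since the script cannot tell which of two conflicting hosts is the misconfigured one without an inventory to consult.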

6 Replies

Seb Rupik
VIP Alumni

Hi there,

Take a look at DHCP Snooping and IP Source Guard.


Create a DHCP scope with the correct IP-MAC bindings used as reservations. This will ensure your hosts always get the correct IP address. DHCP snooping will monitor this traffic and build a binding table of its own.

The IP source guard will use the DHCP Snooping table to verify that a particular source IP-MAC combination is valid and has been allocated via your trusted DHCP service. If an invalid combination is detected then the traffic is dropped. This will prevent hosts on the network assigning their own IP addresses and causing conflicts.


cheers,

Seb.

Yes, great, but I don't use DHCP for that part of the network.

That part of the servers must have manually set up IP addresses, so how to protect from such a situation?

You can still use IPSG but use static bindings instead of relying on DHCP snooping:

!
ip source binding <mac-address> vlan <vlan-id> <ip-address> interface <interface-id>
!

https://www.cisco.com/c/en/us/td/docs/switches/lan/embedded/software/release/15_0_2_ec/configuration/guide/ess_2020_scg/swipsrc.pdf


cheers,

Seb.

OK, fact.

Unfortunately, this forces me to add each VM, which raises a lot of reports from developers/junior admins/etc. launching a new VM.

I would like something with auto-discovery; is it possible?

The auto-discovery solution is where relying on the DHCP snooping database comes in.


What is the constraint that doesn't allow you to use DHCP on your VM host subnets?

Sorry for the late answer, a lot of work pushed this subject into the background.

Because there are too many different virtual environments.

At the moment there are at least 10,000 VMs, starting with Hyper-V and LXD and ending with Docker and Kubernetes.

Each VM has generated MAC addresses (which is obvious); about 50 people from different departments deploy new ones once a week, removing the old ones. Others are based on VRRP/VIP. I am not able to catch it manually and add it to DHCP, and everyone wants their VMs to have access to the network now.

Without a mechanism such as a panel in which a person would add a new VM, taking into account the MAC (dynamic/static), and select a free IP address from a drop-down menu that writes it into the DHCP table, it will be difficult to maintain.

So far with the "old" employees there was no problem, but new people came and the circus began.
