08-18-2019 10:19 PM
We are facing a bit of an issue. We have several servers, and what we want is to prevent one from stealing the IP of another server, but without learning the MAC address of the machine, in case there are virtual machines running on the server.
I was told IP Source Guard would be an option, but that saves the MAC address on the port, and it would be impossible to manage in case a new VM is created with a random MAC.
So we need something simple, like Gi0/0/1 is allowed to use the IP 10.0.0.1 and so on, without binding or learning any MAC addresses.
If anyone has done anything like this, some help would be appreciated!
Thank you!
08-18-2019 11:46 PM
Hi there,
Sounds like a good case for 'DHCP Server Port-Based Address Allocation' :
cheers,
Seb.
08-18-2019 11:51 PM
- As stated by Seb in a slightly different way: this should never be a problem, and/or it should be resolved by solid managerial procedures, implemented by a Network Authority. In practice the Network Authority can for instance use DHCP to make sure that unique addresses are always allocated (but in theory other solutions are possible too).
M.
08-19-2019 11:20 AM
So the problem is that we have no DHCP service on this network. All addresses are assigned manually, and they need to be configured on each server manually.
08-19-2019 12:11 AM
Hello Datacraft,
The feature suggested by Seb is good only if you need a single IP address out of a switch port.
You have written about the possible use of virtual machines in your environment.
All of them will use a different MAC address and a different IP address and are seen via a single port on the switch.
So I have some doubts that the suggested feature, created for industrial Ethernet environments, is good for your scenario. It does not allow multiple VMs out of the same port to get a different IP address, as the feature inserts the switch port name in the client ID in DHCP requests.
I agree with Marce1000 that appropriate management of DHCP servers and pools should avoid the issue you would like to solve.
Hope to help
Giuseppe
08-19-2019 11:21 AM
But we have no DHCP service on this part of a network. Every address is assigned manually to the servers.
08-19-2019 12:06 PM
Hello Datacraft,
how many servers are involved ?
In any case there are IP manager tools that you can use to track the usage of single IP addresses and subnets, where you can keep a record of the IP address, hostname and maybe additional notes.
All your colleagues should use the tool to track any change (addition of a new server / decommissioning of a server).
A cheap solution is to use an Excel file with multiple sheets, one for each subnet, stored on a share, where you can manually list the above information: IP address, hostname, switch and port, project or contact, the name of the person who inserted the entry, the entry date and so on.
Trying to ping a new address before putting it in the Excel file or IP manager tool is the duty of your working group.
This way you can deal with manual assignment of IP addresses to servers if they are not too many (fewer than 1000).
To be noted: with DHCP you can use reservations to have the same IP address assigned to a specific MAC address of the NIC of a server.
This does not need to be changed until you need to replace the server or the server's NIC.
Hope to help
Giuseppe
08-19-2019 03:12 PM
08-19-2019 11:34 PM
Hello Datacraft,
Without DHCP enabled I can only think of using a port-based ACL on each port:
an IP access list allowing only traffic from the specified host address, without examining the MAC address.
IP Source Guard or Dynamic ARP Inspection can be used without a DHCP server by creating manual entries, but they also look at the MAC address.
But it can be too heavy to manage.
Hope to help
Giuseppe
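One way to write the port ACL Giuseppe describes on a Catalyst switch, as an added example that is not from the thread: the port, VLAN, hostname and addresses are placeholders, and it extends the idea to a server that hosts VMs by permitting several host addresses on the same port.

```cisco
! Constructed example: one extended IPv4 ACL per access port, permitting only
! the source addresses assigned to the server (and its VMs) behind that port.
! No MAC address is referenced, so a VM with a random MAC still works as long
! as it sources one of the listed IPs. Names and addresses are placeholders.
ip access-list extended PACL-GI0-0-1
 remark Gi0/0/1: srv01 (10.0.0.1) plus its VMs (10.0.0.11, 10.0.0.12)
 permit ip host 10.0.0.1 any
 permit ip host 10.0.0.11 any
 permit ip host 10.0.0.12 any
 ! explicit final deny so the policy is visible in "show ip access-lists"
 deny   ip any any
!
interface GigabitEthernet0/0/1
 description srv01
 switchport mode access
 switchport access vlan 10
 ! port ACLs are applied inbound on the Layer 2 port
 ip access-group PACL-GI0-0-1 in
!
! A frame sourced from 10.0.0.2 on Gi0/0/1 (another server's address) is
! dropped at ingress; adding a VM only means adding one more permit line.
```

An IP port ACL inspects IPv4 packets only, so it does not stop a host from answering ARP for an address it is not permitted to source; that gap is what Dynamic ARP Inspection covers, at the cost of the MAC binding discussed above.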