ip address conflict still on after setting ARP static

Imran · January 27, 2011, 7:54am

Dear all,
i have set all mac address in static mode. But whenever any user turned off his computer other persons can easily use his ip . This thing also happen when the router is restarted though the MAC is still showing static mode.
Is there is any rules to avoid these unwanted user of same router who tries to use other user’s ip though the thief has his own ip and his mac is static in that router.

kirshteins · January 27, 2011, 8:09am

Do you have arp=disabled on that interface clients connect to?

Feklar · January 27, 2011, 2:50pm

If I’m reading your post right, this is not something that can be solved on the router itself. If the end user is spoofing the MAC and IP of another user to use their access, then it is something that needs to be solved on the layer2 network, before it ever even gets to the router. This is because the client machines can see each other on the network and gather the information they need to steal access. The router is just doing what a router does when it receives a legitimate packet for routing. It has no way of knowing who is the legitimate user and who is the one stealing access.

This means investing in hardware and using the features that will prevent clients from talking to each other over the network itself, client isolation on access points, and port isolation on switches at a minimum.

Imran · January 29, 2011, 5:56am

Feklar:

If I’m reading your post right, this is not something that can be solved on the router itself. If the end user is spoofing the MAC and IP of another user to use their access, then it is something that needs to be solved on the layer2 network, before it ever even gets to the router. This is because the client machines can see each other on the network and gather the information they need to steal access. The router is just doing what a router does when it receives a legitimate packet for routing. It has no way of knowing who is the legitimate user and who is the one stealing access.

This means investing in hardware and using the features that will prevent clients from talking to each other over the network itself, client isolation on access points, and port isolation on switches at a minimum.

Please give me some specific advise regarding the problem. you got the actual view what i supposed to say. i am attaching a general layout of the network regarding the problem.

Feklar · January 31, 2011, 2:53pm

The quickest way of doing it with your current setup is, put all of the ports on the Cisco 2950’s into “switchmode protected” except for the uplink ports. This will prevent any of the ports in this mode from transferring layer2 or layer3 packets. The problem that you might run into with this case however is if other clients connected to the Ciscos need to communicate back and forth.

The longer and better solution would be for you to divide up the network into VLANs to keep “different” separated. Such as put the client that is stealing access into his own VLAN, keep other users that need to comunicate to each other into their own VLAN and so on.

Since the one end user has stolen access in the past that means that he probably currently has the information he needs to do it again. So changing his subnet and making him the only one on it would probably be best.

Imran · February 1, 2011, 6:47am

Feklar:

The quickest way of doing it with your current setup is, put all of the ports on the Cisco 2950’s into “switchmode protected” except for the uplink ports. This will prevent any of the ports in this mode from transferring layer2 or layer3 packets. The problem that you might run into with this case however is if other clients connected to the Ciscos need to communicate back and forth.

The longer and better solution would be for you to divide up the network into VLANs to keep “different” separated. Such as put the client that is stealing access into his own VLAN, keep other users that need to comunicate to each other into their own VLAN and so on.

Since the one end user has stolen access in the past that means that he probably currently has the information he needs to do it again. So changing his subnet and making him the only one on it would probably be best.

thanks buddy…hope it will work i will try…thanks for your feedback