Educause Security Discussion mailing list archives

Re: IP address conflicts / locating


From: "Brian K. Doré" <bkd () LOUISIANA EDU>
Date: Thu, 15 Dec 2005 19:05:14 -0600

Your first challenge is to have a way to document your static address assignments, and you need to include the MAC address of the NIC along with the IP so you can be certain who really owns the address and who is stealing it. Layer 2 switches only care about MAC addresses, so you need to identify the addresses involved in the conflict and determine which is the rogue, then query your inventory database or your switch MAC tables to locate the offending machine. Generally the MAC address of the rogue is included in the error that appears. You can also get it by turning off the real owner, pinging the rogue and then looking in your ARP cache. A lot of the less expensive unmanaged switches won't have a way to examine the MAC tables to do this, so you need to ask your networking department what their capabilities are. A good database of your machine inventory including MAC addresses, who the machine belongs to and where it's physically located can be a great help. Another thing you might want to consider is a DHCP solution like Netreg. You really need to get a handle on something like this before someone interferes with the operation of a machine that's important.

Brian

Brian Dore
Office of Information Systems
University of Louisiana at Lafayette




From: Kevin Shalla
Sent: Thu 12/15/2005 5:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: IP address conflicts / locating


At our school, all our IPs are public and statically assigned. Because we're a large school, and IP management is decentralized, we often have IP address conflicts. Our resolution procedure is to call the network group, which filters that IP address. Then we wait until the perpetrator calls the network group to say that the network isn't working. Then the perpetrator is told to use a different address, and the original computer can have that IP address back. This can work when people are merely making mistakes; however, we're noticing rogue servers being installed, and when they get filtered, they simply move on to another address.

I've asked if we can get a tool which will take as input the IP address, and give the switch port where this IP is active, identify where this switch is, and further identify to which building and room that port connects. Do other schools have this ability, or am I asking for too much?
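
The lookup asked for in the original message, built from the steps in the reply (MACs seen answering for the IP, the inventory of registered MACs, the switch MAC tables), as an added example that is not part of the thread. Every address, switch name, the four-column MAC table format and the port-to-room map are constructed assumptions; uplink ports are skipped because every upstream switch also learns the MAC on its trunk.

```python
import re

# All data below is constructed for illustration; names and formats are assumptions.
INVENTORY = {"192.0.2.10": "00:11:22:33:44:55"}  # documented static IP -> registered MAC
PORT_MAP = {  # (switch, port) -> physical location, from cabling records
    ("sw-lib-1", "Gi1/0/5"): "Library, room 210",
    ("sw-sci-2", "Gi1/0/17"): "Science Hall, room 14",
}
UPLINKS = {("sw-lib-1", "Gi1/0/48"), ("sw-sci-2", "Gi1/0/48")}  # trunk ports
MAC_TABLES = {  # per-switch MAC table dumps: vlan, mac, type, port
    "sw-lib-1": """
  10  0011.2233.4455  DYNAMIC  Gi1/0/5
  10  00de.adbe.ef01  DYNAMIC  Gi1/0/48
""",
    "sw-sci-2": """
  10  00de.adbe.ef01  DYNAMIC  Gi1/0/17
  10  0011.2233.4455  DYNAMIC  Gi1/0/48
""",
}

def normalize_mac(text):
    """Reduce colon, hyphen or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def edge_ports(mac):
    """Return (switch, port) pairs where the MAC is learned on a non-uplink port."""
    wanted, hits = normalize_mac(mac), []
    for switch, dump in MAC_TABLES.items():
        for line in dump.splitlines():
            fields = line.split()
            if len(fields) == 4 and normalize_mac(fields[1]) == wanted:
                if (switch, fields[3]) not in UPLINKS:
                    hits.append((switch, fields[3]))
    return hits

def locate_conflict(ip, observed_macs):
    """Label each MAC seen answering for `ip` as owner or rogue and locate it."""
    registered = normalize_mac(INVENTORY[ip])
    report = []
    for mac in observed_macs:
        role = "owner" if normalize_mac(mac) == registered else "rogue"
        for switch, port in edge_ports(mac):
            where = PORT_MAP.get((switch, port), "unknown location")
            report.append((role, normalize_mac(mac), switch, port, where))
    return report
```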
