tcp_ip
New Member
Posts:
14
Joined:
Tue Jan 03, 2012 1:44 am
Certs:
CCNA, CCNP

Block Static IP address

Fri Jan 06, 2012 4:57 am

Hi...

Is there any way to forcefully block static IP addresses in the network? Many users go for static IPs and they are causing issues like IP conflicts. Is there any way to block all users who are using a static IP, or any other way to overcome this?

Regards,
Dhriti

Halo
Post Whore
Posts:
1008
Joined:
Thu Oct 14, 2010 4:39 am
Certs:
CCNP (R&S, Security), ITILv3 Foundation

Re: Block Static IP address

Fri Jan 06, 2012 5:14 am

You'd have to find an administrative solution for those devices, I'd imagine; some sort of policy setting in a Windows environment.

Project2501
Post Whore
Posts:
6158
Joined:
Thu Apr 17, 2008 6:44 pm
Certs:
CCNA

Re: Block Static IP address

Fri Jan 06, 2012 8:35 am

Yeah, in all seriousness, if you're in an enterprise network an AD policy should solve this.
- Pete

ristau5741
Post Whore
Posts:
10221
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: Block Static IP address

Fri Jan 06, 2012 9:29 am

Change the default gateway, and update the DHCP server.
You need a short DHCP lease time to minimize the effect on DHCP customers.

If you look at the mac-address-table on the switch, you can determine
which MAC addresses are dynamic and which are static. You can take the
static MAC address and use it to trace the source port, then go deskside,
set it back to DHCP and remove the user's admin privs. You can also get evil
and put port security on the port with a different MAC address so the
user cannot access the network; they will call the help desk and you go fix it, as above.

Really, you need good policy to prevent users from configuring static IPs.

Tips of the day:
- The human mind is the ultimate creation invention.
- I have so many customers, my customers have customers.
- Sausage time
- POP, stack, and store

cadet alain
New Member
Posts:
38
Joined:
Sat Jan 08, 2011 12:34 pm
Certs:
CCNA Security-CCNA Voice-CCNP

Re: Block Static IP address

Fri Jan 06, 2012 10:34 am

Hi,

What about the DHCP snooping and IP Source Guard features to prevent this?

Regards.

Alain

Fred
Post Whore
Posts:
2566
Joined:
Sat Jun 07, 2008 11:06 am
Certs:
CCNP, CCDP

Re: Block Static IP address

Fri Jan 06, 2012 11:36 pm

I agree with Cadet Alain. Implement DHCP Snooping, IP Source Guard, and while you're at it, ARP inspection. These technologies will stop static IP addresses, rogue DHCP servers, and ARP poisoning MitM attacks dead in their tracks.

tcp_ip
New Member
Posts:
14
Joined:
Tue Jan 03, 2012 1:44 am
Certs:
CCNA, CCNP

Re: Block Static IP address

Sun Jan 08, 2012 11:43 pm

But there are some Unix PCs. Can these Unix PCs be controlled by AD?

davidrothera
Ultimate Member
Posts:
992
Joined:
Thu Jan 13, 2011 5:10 pm
Certs:
CCIE R&S #38338, CCNP, CCIP

Re: Block Static IP address

Mon Jan 09, 2012 9:33 am

As others have said, if you enable DHCP snooping and DAI then it will stop people with static IPs from using the network completely, so once you have enabled it on all host-facing ports (best not do it on server ports) then just wait for anyone that moans that their network connection is broken :P
---
David
CCIE R&S #38338, CCIP, CCNP

http://networkbroadcast.co.uk - My Blog
http://twitter.com/davidrothera

tcp_ip
New Member
Posts:
14
Joined:
Tue Jan 03, 2012 1:44 am
Certs:
CCNA, CCNP

Re: Block Static IP address

Tue Jan 10, 2012 1:32 am

But I have to enable it in L3. And this L3 is directly connected to L2. If I enable DHCP snooping and ARP spoofing in L2 then it hangs and it won't pass any traffic from it...
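
The DHCP snooping, IP Source Guard and ARP inspection setup suggested in this thread, written out as an added example for a Catalyst access switch; it is not part of any post above. VLAN 10, the interface names and the static host's MAC/IP are constructed assumptions.

```cisco
! Access-layer (L2) switch. VLAN 10 and all interface names are assumed.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; some relays and servers drop
! requests that carry it, so it is disabled here (assumes it is not needed).
no ip dhcp snooping information option
ip arp inspection vlan 10
!
! Uplink toward the L3 switch / DHCP server. It must be trusted: on an
! untrusted port, DHCP server replies are dropped and ARP from the
! gateway fails inspection because the gateway has no snooping binding.
interface GigabitEthernet0/1
 description uplink-to-L3 (assumed)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host-facing ports stay untrusted (the default). IP Source Guard only
! permits source IPs that match a DHCP snooping or static binding.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip verify source
!
! A legitimate statically addressed host (constructed values):
! static binding for IP Source Guard, ARP ACL for ARP inspection.
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface FastEthernet0/24
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Hosts that leased an address before snooping was enabled have no
! binding until they renew. Check state with:
!   show ip dhcp snooping binding
!   show ip verify source
!   show ip arp inspection vlan 10
```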
