For Internet and Intranet networks, each host must have an independent IP address when using the TCP/IP protocol. Only hosts with IP addresses can communicate with other hosts on the network. With the vigorous promotion of network applications, network customers rapidly expand. Due to the allocation of static IP addresses, IP address conflicts are troublesome. IP address conflicts have a very bad impact. First, network customers cannot work normally. As long as conflicting machines exist on the network, there will be frequent IP address conflicts on the client: "If the security policies (such as access permissions and Access Control) of an application on the network are based on IP addresses, this illegal IP address user poses a serious threat to the security of the application system.
Cause Analysis
Problems sometimes cannot be detected in time. problems can be discovered only when conflicting network customers are in the starting status at the same time, so they are quite concealed. The cause of the analysis may be IP address conflict in the following situations.
Many users do not know about TCP/IP, and do not know how to set parameters such as "IP address", "subnet mask", and "Default Gateway, sometimes the user does not obtain the above parameter information from the Administrator, or the user has no intention to modify the information;
When the administrator or user sets the parameter based on the preceding parameters, the parameter is incorrect due to errors;
When the client is being repaired and debugged, the service personnel apply the temporary IP address;
Someone steals others' IP addresses.
Search and Solution
After receiving the conflict report, we first determine the VLAN where the conflict occurs. Find the CIDR block where the IP address is located through VLAN definition and conflicting IP address. This is critical to successfully finding the MAC address of the NIC, because some network commands cannot be accessed across network segments.
First, isolate the client from the network so that the computer with the illegal IP Address can run on the Internet, and the network administrator can find it. The Application Network Test Commands include the ping command and the arp command. Run the ping command. Assume that the IP address is 10.119.40.40. In the msdos window, the command format is as follows. The ITALIC part is the command result.
C: widows> ping 10.119.40.40
Request timed out
Reply from 10.119.40.40: bytes = 32 time <1 ms ttl = 128 omitted
We need to ping this machine for two purposes. First, we need to know that the machine we are looking for is indeed on the network. Second, we need to know the MAC address of the NIC of this machine, so how do we know its MAC address? This requires the second command arp: The arp command can only be used in a VLAN. It is a low-layer protocol and cannot be used across routes.
C: widows> arp-
Interface:... on inerface ......
Internet address/physical address/type
10.119.40.40/00-00-21-34-63-56/dynamic
The above list indicates that the MAC address of the NIC with the conflicting IP address 10.119.40.40 is 00-00-21-34-63-56. Next we will look for the physical location of the NIC whose MAC address is 00-00-21-34-63-56.
As described in the network introduction, the network adapter of each client is directly connected to the second-level switch. Next we will look for a large number of Ethernet switches, which are the switch ports corresponding to the conflicting MAC. The device connected to the customer in this network is bay 303/304. This article uses 303 as an example to describe how to find the Port location of a MAC address. Bay303 has multiple network management methods. The following describes how to find illegal MAC in a web browser.
Before searching, you must first determine the switch location in the VLAN and find out the IP addresses of these switches. You can use the switch address to access the network management information of the switch.
Start the browser on the machine of the Network Manager
Enter the IP address of the vswitch.
Enter the user name and password after prompting for logon.
Enter the "mac address table" option
The following table is displayed:
Index/mac address/learned on port/learning method/filter packets to this address
00: 00: 21: 34: 63: 56 13 dynamic no
-------------------------------------------
00: 00: 81: 65: c3: a0 n/a static no
-------------------------------------------
00: 00: a2: f7: c3: e4 25 dynamic no
-------------------------------------------
00: 00: 21: 34: 63: 56 2 dynamic no
Below.
Now you can see the index's 4th items. It is the MAC address we are looking for, and its port number is 2. Based on the integrated wiring data, you can find the physical location of the corresponding information point to locate the connected microcomputer location. Of course, here is an example of a specific vswitch. In actual work, we need to find many vswitches to find the MAC address we are looking, when there are a large number of switches in a VLAN, we need to find them one by one in these switches until they are found. This is a very cumbersome task.
If a vswitch has a downlink switch on its port, because the switch supports multiple MAC addresses, the lower-level MAC address is recorded in the upper-level MAC table, therefore, first look for the MAC table of the upper-level switch, determine the specific location, and then look for the next-level switch, which will greatly reduce the search range.
Of course, the use of professional network testers can quickly and easily troubleshoot, but for small network managers without expensive equipment, the above method is very effective.
Management Policy
For LAN, such IP address conflicts often occur. The larger the number of users, the more difficult it is to find, so the network administrator must think deeply about it. Currently, there are two solutions: Dynamic IP Address Allocation (dhcp) and static address allocation, but the management of MAC addresses must be enhanced.
The biggest advantage of using dynamic IP Address Allocation (dhcp) is that the client network configuration is very simple. Without the help and intervention of the Administrator, you can configure the network connection on your own. However, because the IP address is dynamically allocated, the network administrator cannot identify the customer from the IP address, and the corresponding IP layer management will be ineffective. Additionally, an additional dhcp server is required for dynamic IP Address allocation.
By using static IP Address Allocation, you can make reasonable IP address planning for each department, so that you can easily track and manage the MAC address on the third layer, it will also effectively solve this problem.
When a network user connects to the network, it establishes an IP address and MAC address information file, and implements a strict management and registration system for LAN customers from beginning to end, record the IP address, MAC address, uplink port, physical location, and user identity of each user in the database of the network administrator. In our above case, if we know the MAC address of an invalid user, we can search for it from the administrator database. If we have a comprehensive record of the MAC address, we can immediately find specific user information, which saves us a lot of valuable time and avoids the troubles of haystack. At the same time, we should avoid using IP addresses for permission restrictions for some applications. If we impose restrictions on MAC addresses, it would be much safer, this can effectively prevent hackers from stealing IP addresses.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
