IP address conflicts

Tim Aslat tim at spyderweb.com.au
Sun Sep 26 21:51:57 PDT 2004

In the immortal words of "Ted Mittelstaedt" <tedm at toybox.placo.com>...
> In any case, first thing is I think you need to have a chat with the
> Dean. Your not going to solve this problem until you do 2 things:
> 1) Make it clear that anyone caught doing this will be immediately
> expelled.
> 2) Catch and expell a few of them.
> What they are doing is basically identical to making the
> web/proxy/mail servers
> crash and the penalties should be as severe.

I agree, and this is what we are trying to do.  However a school with
20+ buildings, and 1000+ network points and a considerable number of
switches makes it a little more difficult.

> Once again, I must assume that these notebooks legitimately owned by
> students and staff are NOT owned by the people that are changing the
> IP numbers.

I actually think it's more than 1 culprit, and I couldn't be 100%
certain whether they are using their own notebooks or school machines
until I catch them in the act.

> If you have a situation where you KNOW who is doing it, and they are
> getting away with this, with the full knowledge of the Dean and others
> in the college,
> then you may as well just start looking for another job.  If I was in
> your shoes
> I would.

Nobody is actually getting away with it, it's just frustrating not
knowing who.

> Now also, keep in mind that expensive managed switches ARE the way to
> handle this.
> However, you need not break the bank.  There are MANY excellent
> quality managed
> switches on the used market.  For example the 3com Desktop 3300 is a
> fine specimen.
> It was manufactured back in the days of 3com's lifetime warranty so
> even if you find
> one for sale for $20 that has a blown power supply, buy it!

Please bear in mind that I have over 50 switches kicking around in
various parts of the school, and only 4 of them are managed.  This could
be a very expensive exercise.

> Also, if you are a bona-fied school, contact some of the switch
> vendors, they
> may make a deal with you under the table.

This isn't a bad idea.  Might be well worth looking into, especially
with the number we are going to need.

> Now, if you are going to say FUCK THIS and totally ignore my advice
> with regards
> to the switches, then fuck you too asshole.  However, I will be kind
> enough to
> tell you a horrible hack, gagging disgusting completely unprofessional
> band-aid
> that you should be ashamed to do, that you can do.  And if you ever
> were being
> interviewed by me for a job interview and you mentioned this, I would
> tell you
> to leave, then go throw up for being reminded that there are people in
> the world that are too lame to stand up for doing things right the
> first time.

I appreciate the sentiment :)  however if a quick hack can cover my butt
until I get budget clearance to get real switches in place, then I'm all
for it.  Like you, I don't like quick hacks, but it they do the job
until I can put something better in place, it's better than nothing.

One question though.  Would it be enough to get some half decent
switches just on the servers, or would I need to replace every single
switch in the network?

> What you merely do is go around to ALL of the machines on the network
> that need
> to get to the proxy/web/mailservers and put in static ARP entries for
> the MAC
> addresses of the legitimate servers.  Then when your little friends
> try their
> trick, nobody is going to notice it, except of course for the machine
> that they make their modification to.

This sounds like more trouble than it's worth, but maybe there's a way I
can distribute the settings somehow at logon.

> After a semester or two the kiddies will give up and you won't have to
> do this
> anymore.

More than likely.  Unfortunately this is a legacy network held together
with band-aids and fencing wire.  I'm gradually making changes to the
infrastructure, but it all costs money and in this case, it definitely
won't happen overnight, but it is happening.

Thanks for the suggestions.



Tim Aslat <tim at spyderweb.com.au>
Spyderweb Consulting
Phone: +61 0401088479

More information about the freebsd-questions mailing list