How to find/locate offending duplicate IP machine

IT Csar
Occasional Advisor

I have about 40-50 servers, 150 notebooks/desktops and 10 switches in our company. Once or twice a day, monitoring software sends me an alarm regarding a duplicate IP (of our NIS/DHCP server). I was able to capture the MAC address of the offender, but the vendor name is not useful since 90% of our equipment comes from them.

Since it is a production server, solutions involving network shutdowns and other drastic actions are not acceptable.

Thanks and looking forward to your words of wisdom.

Oleg B
Ivan Krastev
Honored Contributor

Re: How to find/locate offending duplicate IP machine

Be prepared when this happens again to log on to the switches and check the MAC address tables.
Another way is to configure all switches to send syslogs to a central server.
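
One way to work through the MAC address tables collected from several switches, as an added example that is not part of the original posts. The switch names, MAC addresses and the simplified "MAC port" table layout are constructed assumptions; real table output differs by vendor and the regex needs adapting.

```python
import re
from collections import Counter

# Constructed sample dumps, one per switch, in three common MAC notations.
TABLES = {
    "sw-core": """00:11:22:aa:bb:01  1
00:11:22:aa:bb:99  1
00:11:22:aa:bb:02  1
00:11:22:aa:bb:03  2
00:11:22:aa:bb:04  2""",
    "sw-floor1": """0011.22aa.bb01  5
0011.22aa.bb99  7
0011.22aa.bb02  8
0011.22aa.bb03  24
0011.22aa.bb04  24""",
    "sw-floor2": """001122-aabb03  3
001122-aabb04  4
001122-aabb01  24
001122-aabb99  24
001122-aabb02  24""",
}

# A MAC in any of the notations above, followed by the port it was learned on.
MAC_RE = re.compile(r"((?:[0-9a-f]{2}[:.-]?){5}[0-9a-f]{2})[ \t]+(\S+)", re.I)

def norm(mac):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_table(text):
    """Return [(mac, port)] for one switch's table dump."""
    return [(norm(m), p) for m, p in MAC_RE.findall(text)]

def locate(target, tables):
    """Return (switch, port, macs_on_port) hits for target, edge port first.

    The same MAC shows up on every switch between the host and the observer,
    but on uplinks it shares the port with many other MACs. Sorting by the
    number of MACs learned on the port puts the access port at the top.
    """
    target = norm(target)
    hits = []
    for switch, text in tables.items():
        entries = parse_table(text)
        per_port = Counter(port for _, port in entries)
        hits += [(switch, p, per_port[p]) for m, p in entries if m == target]
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    for switch, port, count in locate("00-11-22-AA-BB-99", TABLES):
        print(f"{switch} port {port}: {count} MAC(s) learned on this port")
```

A top hit with a count of 1 is the access port the machine is plugged into; a top hit with a higher count points at an uplink or a downstream unmanaged switch that still has to be traced by hand.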

Honored Contributor

Re: How to find/locate offending duplicate IP machine

Depending on features available in your switches, you could perhaps use a more proactive strategy.

First, inform your helpdesk/PC support people that someone is using a wrong IP address, that it's causing trouble to other users, and that you're going to disable the offender's network access until the problem is fixed.

In the switches' ARP tables, associate the offender's MAC permanently with a totally non-functional IP address, such as Do this in all switches,

Alternatively, if your switches have MAC address based ACLs, use them to deny all access for the offending MAC.

Test these strategies first, targeting a known test system whose behaviour you can monitor.
Prepare a way to undo your changes quickly, in case it turns out that the offender is the CEO :-)

Then wait for the offender to make itself known, probably by complaining that his system suddenly cannot connect to any network service within the company...