1 00:00:00,050 --> 00:00:01,650 In this video, we're going to discuss 2 00:00:01,650 --> 00:00:03,450 duplicate addresses in our network, 3 00:00:03,450 --> 00:00:06,360 specifically, duplicate MAC addresses at layer two 4 00:00:06,360 --> 00:00:09,000 and duplicate IP addresses at layer three. 5 00:00:09,000 --> 00:00:10,680 First, let's focus on layer two 6 00:00:10,680 --> 00:00:12,420 with duplicate MAC addresses. 7 00:00:12,420 --> 00:00:15,540 If you remember, a MAC address is a 12 digit number 8 00:00:15,540 --> 00:00:17,310 that's written in hexadecimal format, 9 00:00:17,310 --> 00:00:18,750 and it's used to uniquely identify 10 00:00:18,750 --> 00:00:21,240 a network interface card on a given network. 11 00:00:21,240 --> 00:00:24,630 A MAC address has 48 bits in total length for its address. 12 00:00:24,630 --> 00:00:27,720 The first 24 bits or six hexadecimal digits 13 00:00:27,720 --> 00:00:30,330 is going to be assigned based on the hardware manufacturer. 14 00:00:30,330 --> 00:00:33,480 And the second 24 bits or six hexadecimal digits 15 00:00:33,480 --> 00:00:35,280 are going to be used to uniquely identify 16 00:00:35,280 --> 00:00:38,130 this particular network interface card on the network. 17 00:00:38,130 --> 00:00:40,080 The MAC address is assigned on the device 18 00:00:40,080 --> 00:00:41,760 when it's manufactured initially, 19 00:00:41,760 --> 00:00:44,940 and this is a hardware or burnt-in physical address. 20 00:00:44,940 --> 00:00:46,680 For this reason, you should not have 21 00:00:46,680 --> 00:00:48,780 duplicate MAC addresses on your network 22 00:00:48,780 --> 00:00:50,310 unless there's an incorrect assignment made 23 00:00:50,310 --> 00:00:52,170 during the production by the manufacturer, 24 00:00:52,170 --> 00:00:53,940 or if somebody in your network 25 00:00:53,940 --> 00:00:55,890 begins to use a self-assigned address 26 00:00:55,890 --> 00:00:58,140 known as a locally-administered address. 
27 00:00:58,140 --> 00:01:00,540 Now, when a self-assigned address is being used, 28 00:01:00,540 --> 00:01:02,940 this can often be an indication that MAC spoofing 29 00:01:02,940 --> 00:01:05,400 is being used by a client on your network. 30 00:01:05,400 --> 00:01:06,870 So, what's wrong with having 31 00:01:06,870 --> 00:01:09,090 duplicate MAC addresses on the network? 32 00:01:09,090 --> 00:01:10,560 Well, when I think of this problem, 33 00:01:10,560 --> 00:01:12,060 I think back to elementary school 34 00:01:12,060 --> 00:01:14,250 in the late eighties and early nineties. 35 00:01:14,250 --> 00:01:15,360 You see, when I was born, 36 00:01:15,360 --> 00:01:17,460 the name Jason was pretty darn common. 37 00:01:17,460 --> 00:01:19,830 This made it a little bit difficult for many of my teachers, 38 00:01:19,830 --> 00:01:21,360 because they often had two or three kids 39 00:01:21,360 --> 00:01:22,800 in the class named Jason. 40 00:01:22,800 --> 00:01:24,630 So, when the teacher would call out Jason, 41 00:01:24,630 --> 00:01:26,640 there was two or three kids who would respond, 42 00:01:26,640 --> 00:01:29,040 or if the teacher got a note from Jason's mom, 43 00:01:29,040 --> 00:01:30,120 the teacher then had to figure out, 44 00:01:30,120 --> 00:01:32,040 which Jason should get the response, 45 00:01:32,040 --> 00:01:34,710 because she didn't know which mom it was. 46 00:01:34,710 --> 00:01:36,810 Now, the same thing happens in our networks. 47 00:01:36,810 --> 00:01:38,220 If you have two or more devices 48 00:01:38,220 --> 00:01:39,360 that respond to data requests 49 00:01:39,360 --> 00:01:41,250 directly from a given MAC address, 50 00:01:41,250 --> 00:01:43,740 this causes a lot of network issues. 
51 00:01:43,740 --> 00:01:45,630 Now, for example, if you have two devices 52 00:01:45,630 --> 00:01:47,010 using the same MAC address, 53 00:01:47,010 --> 00:01:49,200 your switch might mistake them for each other 54 00:01:49,200 --> 00:01:50,880 and they might think they're the same device. 55 00:01:50,880 --> 00:01:53,280 And so, the switch will keep updating its CAM table 56 00:01:53,280 --> 00:01:55,260 for the location of a single device. 57 00:01:55,260 --> 00:01:57,330 So, it goes from port one to port three 58 00:01:57,330 --> 00:01:58,770 to port one to port three, 59 00:01:58,770 --> 00:02:01,200 and repeatedly, starts going from one port to the other 60 00:02:01,200 --> 00:02:03,750 when in reality there's really two devices there. 61 00:02:03,750 --> 00:02:05,550 Now, duplicate MAC addresses 62 00:02:05,550 --> 00:02:07,590 can also cause network connectivity issues, 63 00:02:07,590 --> 00:02:09,780 because the switch doesn't know where to send the traffic 64 00:02:09,780 --> 00:02:11,640 destined for that particular MAC address, 65 00:02:11,640 --> 00:02:13,020 because again, it's switching 66 00:02:13,020 --> 00:02:15,150 between two or three different ports. 67 00:02:15,150 --> 00:02:17,670 Now, luckily, MAC addresses are only used 68 00:02:17,670 --> 00:02:19,020 in layer two networks, 69 00:02:19,020 --> 00:02:20,910 so once you reach a router on your network, 70 00:02:20,910 --> 00:02:22,140 the address is going to be converted 71 00:02:22,140 --> 00:02:24,090 to an IP address at layer three. 72 00:02:24,090 --> 00:02:25,890 So, the extent of your connectivity issues 73 00:02:25,890 --> 00:02:27,840 is really going to be limited in scope. 74 00:02:27,840 --> 00:02:29,880 Now, a more modern challenge that we have 75 00:02:29,880 --> 00:02:31,080 is with virtual machines 76 00:02:31,080 --> 00:02:33,240 and their virtual network interface cards. 
77 00:02:33,240 --> 00:02:36,090 Because these devices are only a series of ones and zeros, 78 00:02:36,090 --> 00:02:37,830 their virtual network interface cards 79 00:02:37,830 --> 00:02:39,570 have to be assigned a MAC address 80 00:02:39,570 --> 00:02:41,820 by a virtual machine's hypervisor. 81 00:02:41,820 --> 00:02:44,280 To ensure you don't end up with duplicate MAC addresses 82 00:02:44,280 --> 00:02:45,900 caused by these virtual machines, 83 00:02:45,900 --> 00:02:49,140 you need to make sure you're using a logical domain manager. 84 00:02:49,140 --> 00:02:51,240 Now, a logical domain manager is used 85 00:02:51,240 --> 00:02:53,760 to listen to multicast messages on the network 86 00:02:53,760 --> 00:02:56,610 and keep track of all the MAC addresses that are being used. 87 00:02:56,610 --> 00:02:59,370 As it does this, it identifies if there's any duplicates, 88 00:02:59,370 --> 00:03:01,320 and if it is, then it will go ahead 89 00:03:01,320 --> 00:03:03,990 and reassign MAC addresses for its virtual machines 90 00:03:03,990 --> 00:03:05,700 to prevent duplications. 91 00:03:05,700 --> 00:03:08,460 So, how can you determine if there's a duplicate MAC address 92 00:03:08,460 --> 00:03:10,050 operating on your network? 93 00:03:10,050 --> 00:03:12,390 First, you're going to see network connectivity issues 94 00:03:12,390 --> 00:03:14,100 for two machines, and those machines 95 00:03:14,100 --> 00:03:15,900 will have duplicate MAC addresses. 96 00:03:15,900 --> 00:03:18,450 This is caused by the switch that continually has to go 97 00:03:18,450 --> 00:03:21,660 back and forth between two ports and updating its CAM table, 98 00:03:21,660 --> 00:03:23,220 because it sees the same MAC address 99 00:03:23,220 --> 00:03:25,470 reporting itself on two different ports. 
100 00:03:25,470 --> 00:03:26,940 This will cause intermittent connectivity 101 00:03:26,940 --> 00:03:28,080 for the two devices, 102 00:03:28,080 --> 00:03:30,660 or one of the devices will have great connectivity 103 00:03:30,660 --> 00:03:33,420 and the other one will be completely nonresponsive. 104 00:03:33,420 --> 00:03:35,820 Second, you could set up a protocol analyzer 105 00:03:35,820 --> 00:03:37,410 like Wireshark on your network. 106 00:03:37,410 --> 00:03:39,360 Then you can look at the network traffic, 107 00:03:39,360 --> 00:03:40,920 specifically the ARP traffic, 108 00:03:40,920 --> 00:03:42,930 and see what IP addresses are being mapped 109 00:03:42,930 --> 00:03:44,970 and reported for each MAC address. 110 00:03:44,970 --> 00:03:46,200 If you see the same MAC address 111 00:03:46,200 --> 00:03:47,880 being used by two different machines 112 00:03:47,880 --> 00:03:49,440 or two different IP addresses, 113 00:03:49,440 --> 00:03:51,360 this could indicate a duplicate MAC address 114 00:03:51,360 --> 00:03:52,830 is on your network. 115 00:03:52,830 --> 00:03:54,120 To prevent issues on your network 116 00:03:54,120 --> 00:03:55,860 caused by duplicate MAC addresses, 117 00:03:55,860 --> 00:03:58,410 you can enable port security on your devices. 118 00:03:58,410 --> 00:04:00,630 This can be configured to allow a single MAC address 119 00:04:00,630 --> 00:04:03,060 to be configured to one single switch port, 120 00:04:03,060 --> 00:04:05,520 and then it's going to prevent any duplicate MAC addresses 121 00:04:05,520 --> 00:04:08,310 from accessing the network at the same time. 122 00:04:08,310 --> 00:04:09,333 Now, to identify switch ports 123 00:04:09,333 --> 00:04:11,580 that are used for a particular MAC address, 124 00:04:11,580 --> 00:04:14,430 you can enter the show arp command on your switch. 125 00:04:14,430 --> 00:04:16,410 Here's an example of running the show arp command 126 00:04:16,410 --> 00:04:17,730 on a Cisco switch. 
127 00:04:17,730 --> 00:04:20,610 Notice, there are two matching MAC addresses in use here, 128 00:04:20,610 --> 00:04:22,320 both with different IP addresses 129 00:04:22,320 --> 00:04:24,480 and different physical interface ports. 130 00:04:24,480 --> 00:04:28,200 One is on FastEthernet 0/3/3/4, 131 00:04:28,200 --> 00:04:32,100 and the other is on FastEthernet 0/3/3/5. 132 00:04:32,100 --> 00:04:34,350 This can cause conflicts or frames 133 00:04:34,350 --> 00:04:35,730 that simply aren't going to be delivered 134 00:04:35,730 --> 00:04:38,010 to the right devices on this switch. 135 00:04:38,010 --> 00:04:39,600 Now, once you identify the devices 136 00:04:39,600 --> 00:04:41,640 that are using the duplicate MAC addresses, 137 00:04:41,640 --> 00:04:43,410 you can check those devices locally 138 00:04:43,410 --> 00:04:45,540 to see if there's a hardware manufacturing issue 139 00:04:45,540 --> 00:04:48,030 that assigned the same MAC address to both devices. 140 00:04:48,030 --> 00:04:50,310 Or if this is a case of MAC spoofing, 141 00:04:50,310 --> 00:04:52,530 you want to make sure that you reset the MAC address 142 00:04:52,530 --> 00:04:54,270 back to the burned-in physical address 143 00:04:54,270 --> 00:04:57,150 or remove that device from the network completely. 144 00:04:57,150 --> 00:04:59,070 If it's a hardware manufacturing issue, 145 00:04:59,070 --> 00:05:01,260 you're going to need to replace the network interface card 146 00:05:01,260 --> 00:05:03,210 to permanently solve this problem. 147 00:05:03,210 --> 00:05:06,060 Next, let's talk about duplicate IP addresses. 148 00:05:06,060 --> 00:05:08,100 A duplicate IP address is also known 149 00:05:08,100 --> 00:05:10,050 as an IP Address Conflict. 150 00:05:10,050 --> 00:05:12,570 This occurs when another computer on the same network 151 00:05:12,570 --> 00:05:14,730 has an identical IP to another workstation 152 00:05:14,730 --> 00:05:16,890 or server on that same network. 
153 00:05:16,890 --> 00:05:18,870 Most often this occurs when you're using 154 00:05:18,870 --> 00:05:21,570 static IP address assignments for your network clients 155 00:05:21,570 --> 00:05:23,610 and you didn't properly account for which IPs 156 00:05:23,610 --> 00:05:26,940 were already used by other devices, or you had a typo. 157 00:05:26,940 --> 00:05:29,070 If you're using DHCP and this happens, 158 00:05:29,070 --> 00:05:31,020 this could be a DHCP server issue 159 00:05:31,020 --> 00:05:32,610 where it didn't properly account for the IPs 160 00:05:32,610 --> 00:05:33,750 that already issued out, 161 00:05:33,750 --> 00:05:35,340 or it could be the case of somebody 162 00:05:35,340 --> 00:05:37,380 statically assigning an IP to their client 163 00:05:37,380 --> 00:05:39,930 even though the DHCP server has that IP address 164 00:05:39,930 --> 00:05:41,820 assigned as part of its scope. 165 00:05:41,820 --> 00:05:43,350 Now, a third reason this is going to occur 166 00:05:43,350 --> 00:05:45,990 is if you have a rogue DHCP server on your network, 167 00:05:45,990 --> 00:05:47,790 because that rogue DHCP server 168 00:05:47,790 --> 00:05:49,890 could be handing out the same IP addresses 169 00:05:49,890 --> 00:05:51,660 as your official DHCP server, 170 00:05:51,660 --> 00:05:52,680 and this can be happening from 171 00:05:52,680 --> 00:05:55,200 a private class C address IP scope. 
172 00:05:55,200 --> 00:05:57,450 Now, if you have duplicate IP addresses 173 00:05:57,450 --> 00:05:59,670 being used by two devices on your network, 174 00:05:59,670 --> 00:06:01,560 this will cause intermittent connectivity 175 00:06:01,560 --> 00:06:02,910 for both of those clients, 176 00:06:02,910 --> 00:06:04,230 because both of those clients 177 00:06:04,230 --> 00:06:05,850 are requesting network services, 178 00:06:05,850 --> 00:06:07,380 but the routers may not know 179 00:06:07,380 --> 00:06:09,030 where to send the traffic back to, 180 00:06:09,030 --> 00:06:11,670 'cause both clients are using the same IP address. 181 00:06:11,670 --> 00:06:13,890 To solve this, you should first check if the client 182 00:06:13,890 --> 00:06:16,980 is dynamically or statically assigned an IP address. 183 00:06:16,980 --> 00:06:19,020 As I said, most commonly the device 184 00:06:19,020 --> 00:06:20,790 is going to be statically assigned an IP 185 00:06:20,790 --> 00:06:22,770 and you're going to have a duplicate IP address issue, 186 00:06:22,770 --> 00:06:24,660 because somebody typed in the wrong thing. 187 00:06:24,660 --> 00:06:27,090 To check this, go to your Network Adaptor Properties 188 00:06:27,090 --> 00:06:29,610 for TCP/IP version four in Windows, 189 00:06:29,610 --> 00:06:31,410 and you're going to see use the following 190 00:06:31,410 --> 00:06:33,120 IP address radio buttons there. 191 00:06:33,120 --> 00:06:34,200 And if that's selected, 192 00:06:34,200 --> 00:06:36,060 that means you're statically assigned. 
193 00:06:36,060 --> 00:06:38,070 If your network is supposed to use DHCP, 194 00:06:38,070 --> 00:06:40,950 simply click obtain an IP address automatically instead, 195 00:06:40,950 --> 00:06:42,300 and then save your changes 196 00:06:42,300 --> 00:06:43,650 and the network interface card 197 00:06:43,650 --> 00:06:45,300 will go out to the DHCP server 198 00:06:45,300 --> 00:06:47,580 and get the dynamic assignment for an IP address 199 00:06:47,580 --> 00:06:49,410 that it should use moving forward. 200 00:06:49,410 --> 00:06:51,450 If you want to identify the duplicate IP addresses 201 00:06:51,450 --> 00:06:52,620 on your network though, 202 00:06:52,620 --> 00:06:53,790 you can start by logging into 203 00:06:53,790 --> 00:06:56,010 the command line interface on your router. 204 00:06:56,010 --> 00:06:58,380 In my example, I'm going to use a Cisco router 205 00:06:58,380 --> 00:07:00,510 and I'm going to enter the command show arp 206 00:07:00,510 --> 00:07:03,510 just like we did when searching for duplicate MAC addresses. 207 00:07:03,510 --> 00:07:04,980 This time though, we're focused 208 00:07:04,980 --> 00:07:07,470 on IP addresses in that first column. 209 00:07:07,470 --> 00:07:11,820 Here I see two IP addresses displayed with 10.1.4.2. 210 00:07:11,820 --> 00:07:14,770 The first one is located on interface FastEthernet 0/3/3/4, 211 00:07:17,010 --> 00:07:20,010 and the second one is on the interface FastEthernet 0/3/3/5. 212 00:07:22,435 --> 00:07:23,850 Now that we know which interfaces 213 00:07:23,850 --> 00:07:25,470 and switch ports are being used, 214 00:07:25,470 --> 00:07:28,380 we can check the configurations on those individual clients 215 00:07:28,380 --> 00:07:30,630 and we can ensure they're properly assigned statically 216 00:07:30,630 --> 00:07:33,390 or they're configured to receive a dynamic IP address 217 00:07:33,390 --> 00:07:35,193 from our network's DHCP server.