Skip to content

Grading Checklist

A good response must include:

  • Identifies the root cause: duplicate IP address -- a rogue device is using the same IP as the production server
  • Uses arping to detect the duplicate (two different MACs responding to ARP for the same IP)
  • Checks ARP tables on clients/switches to see the MAC address flapping
  • Traces the rogue MAC to a switch port using the switch MAC address table
  • Identifies the rogue device (test VM with statically assigned IP)
  • Explains why connectivity is intermittent: ARP cache entries alternate between the two MACs as each host sends gratuitous ARPs
  • Proposes immediate fix: remove the rogue IP from the offending device
  • Recommends long-term prevention: implement DHCP snooping and Dynamic ARP Inspection (DAI)
  • Mentions IP address management (IPAM) tools to prevent "picking a free IP"
  • Suggests reserving the production server's IP in DHCP to prevent future conflicts
  • Considers checking for ARP spoofing as part of the investigation
  • Mentions clearing ARP caches on affected clients after removing the duplicate