I have a 1000 computers as a network to administrate.My problem is that in the last 3 weeks i find a computer that is poisoning the arp table of my linux server; his mac address is coresponding to 10-20 ip address.He infects all the computers in the same subnet.My only options is to filter his mac from the nearest management switch and then call him to tell that his computer has a virus and need to be reinstalled the o.s.
Can anyone tell me a solution for this , other then make static entries in my linux arp table ?
Thanks

solution... disable the switchport for the computer, refuse to allow it back on the network until it is fixed... simple.

Add a static ARP entry for the effected ip/mac.

Add an ebtables entry for that server that drops all arp packets from that mac address.

That should work, at the cost of screwing up your routing for that mac address should it come online again with a new IP address.

I think though that acid_kewpie is right. Whilst that might sort the problem out for you the user causes a problem on the entire subnet by assuming the identity of other boxes on the local broadcast network. Ideally the person on the network needs to be removed completely until they fix the problem.