[c-nsp] Tracking down rogue DHCP server

Matthew Stainforth Matthew.Stainforth at nucomm.net
Mon Aug 15 10:13:31 EDT 2005


If you have the MAC address, you can start with one switch and do a "show mac <mac addr>" to find the port the next switch is on.  Repeat until you get to the switch that actually has the device connected to it.  Maybe there's an easier way, but that's how I've done it in the past.

-----Original Message-----
From: Eric Whitehill [mailto:ewhitehill at 702com.net]
Sent: Monday, August 15, 2005 10:56 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Tracking down rogue DHCP server


Hello:

Over the last couple of days, someone on one of our customer's sites has
been putting up a rogue DHCP server and bringing down the customer's
network.  

We currently have all Cisco switches within the network, and we are using a
Cisco 2600 to hand out DHCP addresses to the customers.  

While the customer's DHCP server is trying to hand out addresses from our
assigned DHCP pool, the customer's rogue DHCP server is trying to hand out
private addresses.  Thus, the problem.  

I've thought about doing a check on the mac-address-table on the Cisco, but
there has to be an easier way (over 50 switches, which makes it prohibitive
to do this).

I am trying to find an easy way to track down this rogue DHCP server and
smack the user really really really hard.  

Thanks, with LART in hand,  

-Eric 

-- 
Eric Whitehill - 44.58.39N, 93.15.56W
Data Network Engineer - 702 Communications - ewhitehill at 702com.net -
ASN15267
"Out the Gig-E, through the router, down the OC-12's, over the leased
line, off the bridge, past the firewall...nothing but Net."

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
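
The hop-by-hop lookup described in the reply above, automated as an added example (not part of the original thread): it parses each switch's MAC table output and follows the learned port to the next switch until no neighbor is recorded behind that port. The switch names, table rows and neighbor map are constructed sample data, and the neighbor map is assumed to be collected separately (for instance from CDP output).

```python
import re

# Constructed sample data: MAC table output per switch, plus a map of
# (switch, port) -> neighboring switch (assumed gathered separately).
HDR = ("Vlan    Mac Address       Type        Ports\n"
       "----    -----------       --------    -----\n")
MAC_TABLES = {
    "core1": HDR + "  10    0011.2233.4455    DYNAMIC     Gi0/1\n"
                   "  10    00aa.bbcc.ddee    DYNAMIC     Gi0/2\n",
    "dist3": HDR + "  10    0011.2233.4455    DYNAMIC     Fa0/24\n",
    "acc17": HDR + "  10    0011.2233.4455    DYNAMIC     Fa0/7\n",
}
NEIGHBORS = {("core1", "Gi0/1"): "dist3", ("core1", "Gi0/2"): "dist4",
             ("dist3", "Fa0/24"): "acc17"}

# One table row: VLAN, dotted MAC, entry type, port.
ROW = re.compile(
    r"^\s*\d+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)

def normalize_mac(mac):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff; return Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def lookup_port(output, mac):
    """Return the port a MAC was learned on, or None if it is not in the table."""
    for line in output.splitlines():
        m = ROW.match(line)
        if m and m.group(1).lower() == mac:
            return m.group(2)
    return None

def trace_mac(start, mac, tables, neighbors):
    """Follow the MAC from `start`; return (path, edge), edge is None if lost."""
    mac, path, switch, seen = normalize_mac(mac), [], start, set()
    while switch not in seen:          # guard against a loop in the neighbor map
        seen.add(switch)
        port = lookup_port(tables.get(switch, ""), mac)
        if port is None:               # aged out, or no table for this switch
            return path, None
        path.append((switch, port))
        nxt = neighbors.get((switch, port))
        if nxt is None:                # no switch behind this port: edge port
            return path, (switch, port)
        switch = nxt
    return path, None

if __name__ == "__main__":
    print(trace_mac("core1", "00:11:22:33:44:55", MAC_TABLES, NEIGHBORS))
```

A `None` edge with a non-empty path means the trail went cold at the last switch listed, which is where a manual check should resume.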


