[c-nsp] Tracking down rogue DHCP server

Ed Ravin eravin at panix.com
Mon Aug 15 10:19:49 EDT 2005


On Mon, Aug 15, 2005 at 08:56:24AM -0500, Eric Whitehill wrote:
> Over the last couple of days, someone on one of our customer's sites has
> been putting up a rogue DHCP server and bringing down the customer's
> network.  
...
> I've thought about doing a check on the mac-address-table on the cisco, but
> there has to be an easier way (over 50 switches, which makes it prohibitive
> to do this) 

That *is* the easy way.  You need a tool that will automate the job for you,
like arpwatch.  Ideally, you've got arpwatch or the like running all the
time on the net, querying your switches and routers and squirreling away
the MAC Address / IP associations in a table.  Then, when trouble like this
hits, you look up the MAC address, figure out which machine it is, and
send the Network Police to that cubicle / office / switch port.
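An added example, not part of the original post and not arpwatch itself: once the mac-address-table output has been collected from every switch, this lookup finds the ports where a given MAC was learned and ranks the likely edge port first. The switch names, table contents, and the "fewest MACs on the port" ranking are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: IOS-style `show mac address-table` output saved per switch.
TABLES = {
    "sw-core": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    00aa.bbcc.0001    DYNAMIC     Gi0/1
  10    00aa.bbcc.0002    DYNAMIC     Gi0/1
  10    00aa.bbcc.0003    DYNAMIC     Gi0/2
""",
    "sw-floor3": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/17
  10    00aa.bbcc.0001    DYNAMIC     Fa0/3
  10    00aa.bbcc.0002    DYNAMIC     Fa0/4
  10    00aa.bbcc.0003    DYNAMIC     Gi0/1
""",
}
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\w+\s+(\S+)\s*$", re.I)

def normalize(mac):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def locate(tables, mac):
    """Return (switch, port, vlan, macs_on_port) hits, likeliest edge port first."""
    target, hits = normalize(mac), []
    for switch, text in tables.items():
        rows = [(int(m[1]), normalize(m[2]), m[3])
                for m in map(ROW.match, text.splitlines()) if m]
        seen = defaultdict(set)           # port -> distinct MACs learned there
        for _, addr, port in rows:
            seen[port].add(addr)
        hits += [(switch, port, vlan, len(seen[port]))
                 for vlan, addr, port in rows if addr == target]
    # Assumed heuristic: uplinks learn many MACs, the attached port learns few.
    return sorted(hits, key=lambda h: h[3])

if __name__ == "__main__":
    for switch, port, vlan, count in locate(TABLES, "00:11:22:33:44:55"):
        print(f"{switch:10} {port:7} vlan {vlan}  ({count} MACs on port)")
```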

