[c-nsp] Tracking down rogue DHCP server

Saku Ytti saku+cisco-nsp at ytti.fi
Mon Aug 15 10:51:17 EDT 2005


On (2005-08-15 10:23 -0400), Justin M. Streiner wrote:

> > if you have the mac address, you can start with one switch and do a 
> > "show mac <mac addr>" to find the port the next switch is on.  Repeat 
> > until you get to the switch that actually has the device connected to 
> > it.  Maybe there's an easier way but that's how I've done it in the 
> > past.
> 
> If the infrastructure is new enough to support it, DHCP snooping may help 
> track and shut down the offending server.

 If I understand DHCP snooping correctly, deploying it properly would
have prevented this attack in the first place.

 Now when do we get rid of switches altogether in favor of rbridges :)
L2 seems to be very dangerous as all too often it's trivialized, which
probably has bitten most of us; I know it's bitten me.

-- 
  ++ytti
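The hop-by-hop MAC trace described in the quoted advice, as an added example that is not part of the original thread: it parses constructed `show mac address-table` output for each switch and follows the MAC through a constructed uplink map (what CDP/LLDP would tell you) until it reaches a port with no switch behind it. Switch names, MAC addresses and port names are all made up.

```python
"""Follow a MAC address switch by switch until reaching the edge port."""
import re

# Constructed sample 'show mac address-table' output, trimmed to relevant rows.
MAC_TABLES = {
    "core1": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/24
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/1
""",
    "access3": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/7
  10    0011.2233.4466    DYNAMIC     Gi0/1
""",
}

# Constructed map of (switch, port) -> downstream switch, as CDP/LLDP would report.
UPLINKS = {("core1", "Gi1/0/24"): "access3"}

# One data row: VLAN, dotted-hex MAC, type, port. Header/separator rows do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I
)


def find_port(table, mac):
    """Return the port on which `mac` was learned in this table, or None."""
    mac = mac.lower()
    for line in table.splitlines():
        m = ROW.match(line)
        if m and m.group(2).lower() == mac:
            return m.group(3)
    return None


def trace_mac(mac, start, tables=MAC_TABLES, uplinks=UPLINKS, max_hops=16):
    """Walk from `start`; return (switch, port) of the edge port, or None."""
    switch = start
    for _ in range(max_hops):  # bound the walk in case the uplink map loops
        port = find_port(tables[switch], mac)
        if port is None:
            return None  # MAC not learned here: stale table or wrong start
        nxt = uplinks.get((switch, port))
        if nxt is None:
            return (switch, port)  # no switch behind this port: host is here
        switch = nxt
    return None


if __name__ == "__main__":
    print(trace_mac("0011.2233.4455", "core1"))  # ('access3', 'Fa0/7')
```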

