[c-nsp] Tracking down rogue DHCP server
Mark Boolootian
booloo at ucsc.edu
Mon Aug 15 13:17:40 EDT 2005
Eric,
We have ingress ACLs on all our campus subnets to prevent source
address spoofing. These ACLs also include the line:
permit udp any eq bootps host 255.255.255.255 log-input
which will log a DHCP server on the subnet responding to a client
request. It seems to work reasonably well for picking up rogue
servers.
And as someone else mentioned, http://www.netdisco.org is the
application of choice for being able to find and shut down the
offending device, though it doesn't work as well as we'd like
in a multi-vendor environment.
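An added example (not from the post or from netdisco) showing how a defender could turn the `log-input` matches from the ACL entry above into a list of hosts answering as DHCP servers: it parses the %SEC-6-IPACCESSLOGP syslog lines the entry generates, keeps only UDP traffic sourced from port 67 (bootps), skips an assumed allowlist of sanctioned servers, and reports source IP, source MAC and ingress interface so the device can be located. The log lines, addresses, MACs, interface names and ACL number are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the IOS %SEC-6-IPACCESSLOGP format that
# `log-input` produces. Hostnames, addresses, MACs, interfaces and the ACL
# number are made up for this example.
SAMPLE_LOG = """\
Aug 15 13:02:11 rtr1 1234: %SEC-6-IPACCESSLOGP: list 120 permitted udp 10.20.30.5(67) (FastEthernet0/1 0011.2233.4455) -> 255.255.255.255(68), 1 packet
Aug 15 13:02:40 rtr1 1235: %SEC-6-IPACCESSLOGP: list 120 permitted udp 10.20.30.5(67) (FastEthernet0/1 0011.2233.4455) -> 255.255.255.255(68), 3 packets
Aug 15 13:05:02 rtr2 0987: %SEC-6-IPACCESSLOGP: list 120 permitted udp 10.20.31.77(67) (Vlan31 00aa.bbcc.ddee) -> 255.255.255.255(68), 1 packet
Aug 15 13:05:09 rtr2 0988: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 10.20.31.9(4432) (Vlan31 0000.1111.2222) -> 10.1.1.1(80), 1 packet
Aug 15 13:06:00 rtr1 1236: %SEC-6-IPACCESSLOGP: list 120 permitted udp 10.20.30.1(67) (FastEthernet0/1 0011.aaaa.bbbb) -> 255.255.255.255(68), 2 packets
"""

# Fields of an ACL log entry: source ip(port), (ingress interface source-mac),
# destination ip(port) and the packet count the router aggregated.
ACCESSLOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"\((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Hypothetical allowlist of sanctioned DHCP servers; any other host sending
# from UDP/67 (bootps) is reported as a suspected rogue server.
SANCTIONED_DHCP = {"10.20.30.1"}


def find_rogue_dhcp(log_text, sanctioned=SANCTIONED_DHCP):
    """Return {(src_ip, src_mac, ingress_iface): packet_count} for hosts that
    are not sanctioned yet were logged sending DHCP server (UDP/67) traffic."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = ACCESSLOG_RE.search(line)
        if not m:
            continue  # not an ACL log entry
        if m["proto"] != "udp" or m["sport"] != "67":
            continue  # matched some other ACL entry, not a DHCP server reply
        if m["src"] in sanctioned:
            continue
        hits[(m["src"], m["mac"], m["iface"])] += int(m["count"])
    return dict(hits)


if __name__ == "__main__":
    for (ip, mac, iface), n in sorted(find_rogue_dhcp(SAMPLE_LOG).items()):
        print(f"suspected rogue DHCP server {ip} ({mac}) on {iface}: {n} packet(s)")
```

The MAC and interface pair is what you would then hand to netdisco (or the switch's MAC address table) to find the port the device is on.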