[c-nsp] Tracking down spoofed source IPs in DMVPN (GRE multipoint) environments

Ed Ravin eravin at panix.com
Tue Feb 19 17:11:37 EST 2008


On Tue, Feb 19, 2008 at 02:56:18PM +1100, Dale Shaw wrote:
> I gave in and scripted a "sh ip cache flow | i 169.254" command to run
> on each of the downstream spoke routers when a broadcast packet was
> seen upstream, and this worked, but I was wondering if there was a
> better way.
> 
> So, is there a better way?

I run arpwatch on all the routers in my shop, and with some scripting
keep an organization-wide table of MAC-to-IP associations, including
the last date and time a particular MAC/IP pair was seen on the network,
and which router saw it.

That info has answered a lot of questions in the past about which machine
is where, and with what IP address.
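One way to build the organization-wide MAC-to-IP table described above, added here as an example and not code from the original post. It assumes arpwatch's tab-separated arp.dat format (mac, ip, unix timestamp, optional hostname and interface) and uses constructed sample data; the router names and addresses are made up.

```python
"""Merge arpwatch arp.dat snapshots from several routers into one
organization-wide MAC/IP table with last-seen time and observing router."""
from datetime import datetime, timezone

# Constructed sample data. Assumed arp.dat layout (tab-separated):
#   mac  ip  unix-timestamp  [hostname]  [interface]
ARP_DAT = {
    "spoke-rtr-1": (
        "0:1:2:3:4:5\t10.1.0.10\t1203456000\thost-a\tFastEthernet0/0\n"
        "0:1:2:3:4:5\t169.254.7.9\t1203457000\n"
    ),
    "spoke-rtr-2": (
        "0:a:b:c:d:e\t10.2.0.20\t1203455000\thost-b\tFastEthernet0/0\n"
        "0:1:2:3:4:5\t10.1.0.10\t1203450000\n"
    ),
}

def parse_arp_dat(text):
    """Yield (mac, ip, timestamp) from one arp.dat file; skip malformed lines."""
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 3:
            continue
        try:
            yield fields[0].lower(), fields[1], int(fields[2])
        except ValueError:
            continue

def merge_tables(per_router):
    """Return {(mac, ip): {"last_seen": ts, "router": name}}, keeping the
    newest sighting of each MAC/IP pair across all routers."""
    table = {}
    for router, text in per_router.items():
        for mac, ip, ts in parse_arp_dat(text):
            cur = table.get((mac, ip))
            if cur is None or ts > cur["last_seen"]:
                table[(mac, ip)] = {"last_seen": ts, "router": router}
    return table

def find_ip(table, prefix):
    """Sightings of addresses starting with prefix (e.g. the 169.254 source
    seen upstream), newest first: (last_seen, mac, ip, router)."""
    hits = [(v["last_seen"], mac, ip, v["router"])
            for (mac, ip), v in table.items() if ip.startswith(prefix)]
    return sorted(hits, reverse=True)

if __name__ == "__main__":
    merged = merge_tables(ARP_DAT)
    for ts, mac, ip, router in find_ip(merged, "169.254."):
        when = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        print(f"{ip} used by {mac}, last seen {when} on {router}")
```

Running it against the sample data points the 169.254 address at the MAC and spoke router that last used it, which is the lookup the thread is after.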
