03-07-2002 05:32 PM - edited 03-01-2019 08:48 PM
I am hoping there is some type of logging on my router I can turn on to send a trap to my NMS so I can be alerted via email or paging. If not through my router I am open to other solutions.
03-07-2002 08:44 PM
Are you looking for a way to send a trap when a rogue server is present? I don't reliably know of a way to detect a rogue DHCP server placed on the network.
There are ways to only allow DHCP responses from certain IPs. You could add a log keyword to the end of the deny access-list to generate log entries on denied packets which you could forward as a trap or syslog.
You could do this on the router:
access-list 111 remark allow DHCP server-to-client (udp/68) only from the real server
access-list 111 permit udp host 1.2.3.4 any eq 68
access-list 111 remark drop server-to-client DHCP from anyone else
access-list 111 deny udp any any eq 68
access-list 111 remark everything else passes
access-list 111 permit ip any any
That only permits DHCP responses from IP 1.2.3.4 and permits all other IP traffic.
The downfall to putting the ACL on the routed interface is it doesn't block someone from putting a DHCP server in on the LAN where the existing DHCP users are.
If you have a Cat 6000 series switch with the right hardware (PFC) you can use VACLs and block it right at the switch. Pretty much the same concept as above. See the URL below for a VACL sample for this:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_4/msfc/acc_list.htm#xtocid1006436
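The reply above stops at generating the log entries; the original poster also wanted an alert out of them. The following is an added example (not from the thread or from Cisco) of the NMS-side detection logic: it parses the %SEC-6-IPACCESSLOGP syslog messages that IOS emits for a deny ACE carrying the log keyword, keeps only denied UDP traffic to port 68 matched by the DHCP-filter ACL, and reports the offending source addresses. It assumes the deny line of access-list 111 has been given the log keyword as the reply suggests, and that 1.2.3.4 is the only legitimate server; the syslog lines, hostnames and addresses in SAMPLE_LOG are constructed for the example.

```python
"""Turn ACL-deny syslog from a DHCP-filter ACL into rogue-DHCP-server alerts.

Added example for this thread, not Cisco code. Assumes an IOS ACL like
    access-list 111 permit udp host 1.2.3.4 any eq 68
    access-list 111 deny   udp any any eq 68 log
so that server->client DHCP from anyone but 1.2.3.4 produces a syslog line.
"""
import re
from collections import Counter

# IOS reports a logged TCP/UDP ACE hit as %SEC-6-IPACCESSLOGP with the layout
#   list <acl> denied <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
# The regex below assumes exactly that layout (no interface/MAC suffix).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>udp|tcp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

DHCP_ACL = "111"                 # ACL number from the reply's example
AUTHORIZED_DHCP = {"1.2.3.4"}    # the single permitted DHCP server (assumed)
DHCP_CLIENT_PORT = "68"          # BOOTP/DHCP client port: server->client replies

# Constructed sample syslog, as a router would send it to a syslog collector.
SAMPLE_LOG = [
    "Mar  8 12:38:01 rtr1 123: %SEC-6-IPACCESSLOGP: list 111 denied udp "
    "10.1.1.50(67) -> 255.255.255.255(68), 1 packet",
    "Mar  8 12:38:09 rtr1 124: %SEC-6-IPACCESSLOGP: list 111 denied udp "
    "10.1.1.50(67) -> 10.1.1.77(68), 3 packets",
    # denied by some other ACL: not our DHCP filter, must be ignored
    "Mar  8 12:38:12 rtr1 126: %SEC-6-IPACCESSLOGP: list 120 denied udp "
    "10.9.9.9(67) -> 10.1.1.77(68), 1 packet",
    # unrelated syslog noise
    "Mar  8 12:38:13 rtr1 127: %SYS-5-CONFIG_I: Configured from console by vty0",
]


def parse_acl_log(line):
    """Return the ACL-deny fields of one syslog line, or None if not a match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def rogue_dhcp_servers(lines, acl=DHCP_ACL, authorized=AUTHORIZED_DHCP):
    """Map source IP -> number of denied DHCP server->client packets.

    Only hits from the DHCP-filter ACL to the DHCP client port count; any
    authorized server is skipped defensively even though the permit ACE
    precedes the deny and should keep it out of the log in the first place.
    """
    hits = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["acl"] != acl or rec["proto"] != "udp":
            continue
        if rec["dport"] != DHCP_CLIENT_PORT:
            continue
        if rec["src"] in authorized:
            continue
        hits[rec["src"]] += int(rec["count"])
    return dict(hits)


def alert_messages(lines):
    """Human-readable alert text per rogue server (what an NMS would page out)."""
    return [
        f"ROGUE DHCP SERVER {ip}: {n} denied server->client packet(s) "
        f"matched access-list {DHCP_ACL}"
        for ip, n in sorted(rogue_dhcp_servers(lines).items())
    ]


if __name__ == "__main__":
    for msg in alert_messages(SAMPLE_LOG):
        print(msg)
```

Feeding the collector's syslog stream through rogue_dhcp_servers() gives the source address the original poster needs to go and find the box; the ACL number, authorized-server set and port filter are the only knobs to change for a real deployment. As the reply notes, this only sees traffic that crosses the routed interface, so a rogue server on the same LAN as the clients never hits the ACL and never shows up here.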
03-08-2002 12:38 PM
If you know about when this happens you can try to see it via something like debug dhcp; this might tell you something. Obviously if you have a very busy processor I would not do this; if it's low it shouldn't be a problem. How do you know you have a rogue server to begin with? If you have the address it should be pretty easy to track it down.