tracing a rogue router

glen.grant · ‎11-11-2005

Anybody have any good tricks for tracing these down . currently have someone who has apparently brought in one those nice home routers and is handing out addresses in the 192.168.X.X space. The setup is we have a 6509 doing the routing down to trunked access layer switches , this one vlan goes to multiple boxes . Any tricks to hunting this down short of installing a sniffer ??

Richard Burts · ‎11-11-2005

Glen

My experience is that many of these devices use the 192.168.x.1 (or maybe 192.168.x.254) addresses. Try pinging to that address. Then show ARP and see if there is a MAC address associated with that address. Then look through the layer 2 forwarding table (cam or mac-address depending on the switch type) to track it down.

HTH

Rick

HTH

Rick

glen.grant · ‎11-11-2005

Thanks Rick , think I found a good way which is almost what you said . On the user station have them do a ipconfig /all , this will give the address and default gateway that the rogue server handed out . Then from the DOS prompt ping the default-gatewAy address and this will put the address into the nic card arp cache . Then from the DOS prompt do a "arp -a " and this will give you the default gateway (rogue mac) and then just trace it down to the correct switch and port .

Richard Burts · ‎11-11-2005

Glen

It sounds like it should work and be slightly more reliable than what I suggested. The major assumption in your approach is that the default gateway is the rogue server. Not necessarily a good assumption for DHCP in general, but probably a safe assumption for the kind of home router that is probably causing this (and at least as safe as my assumption that addresses were probably .1 or .254).

HTH

Rick

HTH

Rick