Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
842
Views
0
Helpful
7
Replies

dhcp attack

gopinath.krishna
Level 1
Level 1

‎02-28-2008 09:59 AM - edited ‎03-05-2019 09:26 PM

i have a dhcp server on valn 3 and somebody has put somekind of vmware software on pc with dhcp on that... am not able to find that dhcp server now.. I have the macaddress of that server... i am not able to ping that server too..please let me know how to find that another server

Labels:
0 Helpful
7 Replies 7

Richard Burts
Hall of Fame
Hall of Fame

‎02-28-2008 10:03 AM

Gopi

If you have the mac address then you should be able to look in the mac-address-table (or the cam depending on the model of switch) and find what port that mac address is located on. That should lead you to where the server is.

HTH

Rick

HTH

Rick
0 Helpful

gopinath.krishna
Level 1
Level 1
In response to Richard Burts

‎02-28-2008 10:09 AM

our network is a huge network where i have two core switch (primary and secondary), more than 30 distribution switch and more than 150 access switches. am not able to trace exactly where is the mac address is coming from. pleas let me know elaborately to mitigate this issue

0 Helpful

Edison Ortiz
Hall of Fame
Hall of Fame

‎02-28-2008 10:05 AM

If you have the mac-address of that server, at the switch issue: show mac-address-table and should point to the switchport this device is connected to.

If the switchport listed is connected to another switch, hop onto that switch and execute the same command until you find the culprit device.

I also recommend configuring dhcp snooping if you switch supports it. What type of switch do you have ?

__

Edison.

0 Helpful

gopinath.krishna
Level 1
Level 1
In response to Edison Ortiz

‎02-28-2008 10:16 AM

core - 6000 , distribution - 3750 and access - 2960.. I tried show mac adddress table but no use... how effective would dhcp snooping would be... will enabling dhcp snooping will have any effect on core switches or the whole network performance

0 Helpful

Edison Ortiz
Hall of Fame
Hall of Fame
In response to gopinath.krishna

‎02-28-2008 10:27 AM

You need to configure DHCP snooping on all switches in your network for it to be effective.

You would have trusted and untrusted ports. Trusted ports will be the ones connected to valid DHCP servers and inter-switch links. Untrusted ports will be the ones connected to every device in your network.

For more information in general configuration on this feature see:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html

HTH,

__

Edison.

0 Helpful

gopinath.krishna
Level 1
Level 1
In response to Edison Ortiz

‎02-28-2008 10:33 AM

i understand by enabling dhcp snooping the rogue dhcp server can be stopped from offerind dhcp ip addresses on that lan... but how to narrow down that rogue dhcp server

0 Helpful

Edison Ortiz
Hall of Fame
Hall of Fame
In response to gopinath.krishna

‎02-28-2008 10:59 AM

We already gave you the suggestion. I understand that's a huge task given the size of your network. That's the reason features such as DHCP snooping were implemented, to avoid this kind of headaches. I'm afraid you will have to rally up the troops and hop onto each switch until you find the culprit.

After that, formulate a plan and deploy DHCP snooping.

HTH,

__

Edison.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card