Tuesday, March 4, 2014

Rogue DHCP Servers: What A Pain

One of my customers today experienced this rogue DHCP server that was handing out chaos on the network. No one really knew what was going on except that they 'couldn't do anything'. So when I got onsite, I noticed that they had a funny IP address, from a 'server' (or whatever) not meant to be a DHCP server. Sadly, I could not find this device. I found where it was 'supposed' to be, via the switch ARP tables, but never could actually find the device. So, I blocked all access to the device on that VLAN. What is a guy to do in that case when you just can't find the problem device??? Well, that was my solution. Probably not the best thing, but that was all I could do with the time I had available. I just wrote out a simple ACL and applied it to the VLAN interface. Maybe the customer can find that device in the next day or so.
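An added example, not part of the original post: one way to confirm which server is handing out the "funny" addresses is to read the server identifier (option 54) from DHCP OFFER/ACK payloads and compare it to the servers that are supposed to answer. The authorised address 192.168.1.1, the client MAC and the sample packets are constructed for illustration; 192.168.1.10 is the dummy address used in the comments.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_REPLIES = (2, 5)  # option 53 values: DHCPOFFER, DHCPACK

def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload: offered address, client MAC, options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
           "chaddr": payload[28:28 + min(payload[2], 16)].hex(":"),
           "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        msg["options"][payload[i]] = value
        i += 2 + length
    return msg

def rogue_server(payload, authorised):
    """Return the server identifier of an OFFER/ACK from an unlisted server, else None."""
    opts = parse_dhcp(payload)["options"]
    mtype = opts.get(53)
    if not mtype or mtype[0] not in SERVER_REPLIES:
        return None                                 # client message, ignore
    sid = opts.get(54, b"")
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unidentified"
    return None if server in authorised else server

def build_sample(msg_type, server_ip, yiaddr):
    """Constructed DHCP reply for the demo; not captured traffic."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), ipaddress.IPv4Address(yiaddr).packed, bytes(4),
                      bytes(4), bytes.fromhex("020000000001"), b"", b"")
    return (hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 54, 4])
            + ipaddress.IPv4Address(server_ip).packed + b"\xff")

if __name__ == "__main__":
    allowed = {"192.168.1.1"}                       # assumed legitimate server
    for srv in ("192.168.1.1", "192.168.1.10"):
        print(srv, "->", rogue_server(build_sample(2, srv, "192.168.1.50"), allowed))
```

The payload passed in is the UDP data of a server-to-client DHCP packet (source port 67) taken from a capture on the affected VLAN.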

2 comments:

  1. Very smart move. Can you give an example of the ACL code with a dummy IP for the device?

    1. I think what I did was just block access to that device altogether. I think part of that thinking was the hope that someone would say something about their device not being able to do anything. That way we could actually find the device.
      It would look something like this:
      access-list 101 deny ip any host 192.168.1.10
      access-list 101 permit ip any any

      Then apply to the vlan interface.
