I have a device (probably a Linksys router) somewhere on my network sending out 192.168.1.x addresses via DHCP. Is there a command available on Cisco switches that can easily locate which port these answers are coming from? I do not have DHCP snooping on yet.
The best way to do it is to examine the IP address the DHCP server has, from the client receiving addresses from the rogue server. Then ARP that IP address so you have its MAC address.
Then on the Cisco switches you can do a "show mac-address-table" to find which port it is on.
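The lookup described in the answer above, as an added example that is not part of the original thread: it takes a client's `arp -a` output and a switch's `show mac-address-table` output (both constructed samples here), copes with the three MAC notations you will actually be pasting between (Windows `00-1a-…`, Unix `00:1a:…`, Cisco `001a.2b3c.4d5e`), and flags the case the answer glosses over: if the MAC is learned on an uplink, you are on the wrong switch and have to repeat the lookup on the neighbour. The uplink port set is an assumption for the example.

```python
import re

# Constructed sample output of "arp -a" on a client that got a rogue lease
# (not taken from the original post).
ARP_OUTPUT = """\
Interface: 192.168.1.57 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.12          00-0c-29-aa-bb-cc     dynamic
"""

# Constructed sample output of "show mac-address-table" on the access switch.
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.2b3c.4d5e    DYNAMIC     Fa0/17
   1    000c.29aa.bbcc    DYNAMIC     Gi0/1
   1    0019.aabb.ccdd    DYNAMIC     Gi0/1
"""

# Assumed for the example: ports on this switch that lead to other switches.
UPLINK_PORTS = {"Gi0/1"}


def normalize_mac(mac: str) -> str:
    """Reduce any MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def cisco_mac(mac: str) -> str:
    """Render a MAC the way IOS prints it, for pasting into
    'show mac-address-table address <mac>'."""
    d = normalize_mac(mac)
    return ".".join(d[i:i + 4] for i in (0, 4, 8))


def mac_for_ip(arp_output: str, ip: str):
    """Pull the MAC for an IP out of 'arp -a' text; None if not cached."""
    for line in arp_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == ip:
            return normalize_mac(parts[1])
    return None


def port_for_mac(mac_table_output: str, mac: str):
    """Find the port a MAC was learned on in 'show mac-address-table' text."""
    want = normalize_mac(mac)
    for line in mac_table_output.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            if normalize_mac(parts[1]) == want:
                return parts[3]
        except ValueError:  # header / separator lines
            continue
    return None


def locate_rogue(rogue_ip: str, arp_output: str, mac_table_output: str,
                 uplinks: set) -> dict:
    """Tie the steps together and say whether the search is finished."""
    mac = mac_for_ip(arp_output, rogue_ip)
    if mac is None:
        # The client only caches MACs it has recently talked to; ping the
        # rogue server from the client first, then re-run arp -a.
        return {"mac": None, "port": None,
                "verdict": "not in ARP cache; ping it from the client first"}
    port = port_for_mac(mac_table_output, mac)
    if port is None:
        verdict = "MAC not learned on this switch; try the next one"
    elif port in uplinks:
        verdict = f"learned on uplink {port}; repeat on the neighbouring switch"
    else:
        verdict = f"rogue DHCP server is on access port {port}"
    return {"mac": cisco_mac(mac), "port": port, "verdict": verdict}


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.12", "192.168.1.99"):
        print(ip, locate_rogue(ip, ARP_OUTPUT, MAC_TABLE_OUTPUT, UPLINK_PORTS))
```

On the switch, `show mac-address-table address 001a.2b3c.4d5e` narrows the output to that one entry; if it lands on an uplink, `show cdp neighbors` on that port tells you which switch to log into next.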
It's a good idea except that Linksys also makes NICs. An L2 filter on Linksys OUIs would catch valid users with Linksys NICs.
I've had to deal with this problem before as well. I was on a flat network of about 3000 nodes including multiple dorms. I used EtherPeek to monitor for DHCP server traffic from an IP other than our 2 known DHCP servers. The action of that trigger was an email alert. When I'd get an alert I'd pull the bogus DHCP server's MAC from the ARP table and dig through the SAT tables (Cabletron for CAM or MAC table) for the offending NIC.
The best solution is to apply an ingress ACL on all access-layer interfaces that blocks UDP packets with a source port of 67. Then you don't have to worry about that user affecting the entire broadcast domain.
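The trigger the EtherPeek post describes and the match condition of the ACL in the post above are the same test on the wire: UDP traffic with source port 67 from anything that is not a sanctioned server. Here is that test written out over a raw frame, as an added example that is not from the original thread: a minimal Ethernet/IPv4/UDP/BOOTP parser, a constructed DHCPOFFER built by the block itself (no real capture), and a classifier that checks both the IP source and the DHCP server-identifier option (54) against an assumed list of known servers.

```python
import struct
from ipaddress import IPv4Address

# Assumed for the example: the sanctioned DHCP servers. On a routed network
# add the relay agents too, since relayed offers carry the relay's source IP.
KNOWN_DHCP_SERVERS = {"192.168.0.10", "192.168.0.11"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp_offer(src_mac: bytes, src_ip: str, server_id: str, yiaddr: str) -> bytes:
    """Construct a minimal broadcast DHCPOFFER frame for testing.
    This is sample data made up for the example, not a capture."""
    options = (b"\x35\x01\x02"                              # 53: message type OFFER
               + b"\x36\x04" + IPv4Address(server_id).packed  # 54: server identifier
               + b"\xff")                                   # end
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, IPv4Address(yiaddr).packed,
                        IPv4Address(src_ip).packed, b"\0" * 4,
                        b"\x00\x11\x22\x33\x44\x55", b"", b"")
    payload = bootp + MAGIC_COOKIE + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed,
                     IPv4Address("255.255.255.255").packed) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def parse_dhcp_frame(frame: bytes):
    """Return the fields the detector needs, or None if this is not
    a UDP/BOOTP frame (checksums are deliberately not verified)."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:                     # IP protocol must be UDP
        return None
    src_ip = str(IPv4Address(frame[14 + 12:14 + 16]))
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if sport not in (67, 68) and dport not in (67, 68):
        return None
    bootp = udp + 8
    if frame[bootp + 236:bootp + 240] != MAGIC_COOKIE:
        return None
    options, i = {}, bootp + 240
    while i < len(frame):                       # walk TLV options to END
        code = frame[i]
        if code == 0:
            i += 1
            continue
        if code == 255 or i + 1 >= len(frame):
            break
        length = frame[i + 1]
        options[code] = frame[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "src_mac": frame[6:12].hex(":"),
        "src_ip": src_ip,
        "sport": sport,
        "dport": dport,
        "msg_type": options.get(53, b"\0")[0],
        "server_id": str(IPv4Address(options[54])) if 54 in options else None,
    }


def classify(frame: bytes, known_servers=KNOWN_DHCP_SERVERS) -> str:
    """'ignore' for non-server DHCP traffic, 'known' for a sanctioned server,
    'rogue' otherwise. The 'sport == 67' test is exactly what an access-port
    ACL denying UDP source port 67 would match."""
    p = parse_dhcp_frame(frame)
    if p is None or p["sport"] != 67:
        return "ignore"
    server = p["server_id"] or p["src_ip"]
    if p["src_ip"] in known_servers and server in known_servers:
        return "known"
    return "rogue"


if __name__ == "__main__":
    rogue = build_dhcp_offer(b"\x00\x1a\x2b\x3c\x4d\x5e", "192.168.1.1",
                             "192.168.1.1", "192.168.1.57")
    good = build_dhcp_offer(b"\x00\x0c\x29\x01\x02\x03", "192.168.0.10",
                            "192.168.0.10", "192.168.0.57")
    for f in (rogue, good):
        p = parse_dhcp_frame(f)
        print(classify(f), p["src_mac"], p["src_ip"], "server-id", p["server_id"])
```

The ACL from the post is the same predicate in IOS terms: a `deny udp any eq bootps any` ahead of the `permit ip any any`, applied inbound on access ports only. Two caveats worth keeping in mind: it must not be applied on the uplink or trunk toward the real DHCP server, whose offers arrive there with source port 67 as well, and putting an IP ACL on a Layer 2 access port requires a switch that supports port ACLs, which older access switches do not.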
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.