switch problem

Unanswered Question
Mar 26th, 2009

Somebody has put a broadband in my network of 30 switches. PCs are getting IPs of the 192.160.x.x range through DHCP and DNS of MTNL. Can I put an ACL on the Layer 2 switches to block this range of IPs and allow the 10.x.x.x series? Kindly suggest the ACL.

csc010854800 Thu, 03/26/2009 - 03:41

I don't have a DHCP server. We are using static IP addresses.

I need to block the 192.168.x.x series of IPs on my switch. What will be the ACL?

sanmigueelbeer Thu, 03/26/2009 - 14:24

access-list 1 deny log
access-list 1 permit any
interface vlan 1
 ip access-group 1 in

csc010854800 Fri, 03/27/2009 - 00:30

Don't you think this access list should be applied on the uplink port and not to VLAN 1?

If so, kindly suggest the reason for that.

Interface VLAN 1 is only for management. Is there any other purpose of that interface VLAN 1?

Tony.henry Mon, 03/30/2009 - 14:24

I don't think you can block layer 3 problems with a layer 2 device. Your best bet would be to hunt down the DHCP server and disable it from the switch.

1. Determine the IP address of the server. Client machine.

2. Log onto the switch and determine the MAC address of the server. show ip arp, may need to ping the server first.

3. Hunt down the MAC address doing commands like show mac address-table dynamic

4. Find out where the server plugs in and figure out if you can find the owner. Make sure you don't do this on a switch uplink as you might disable that arm of the network.

The fact that the users are supposed to be statically assigned and have started to change their SOEs means you have a few bigger problems anyway. Why are they changing their systems from static to dynamic? What new service is this server giving that they need?

Good Luck
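Added example, not part of the original thread: a Python version of the trace in the post above (IP to MAC via show ip arp, MAC to port via show mac address-table dynamic), run over constructed sample output from two switches. The rule that a port with more than one learned MAC is an uplink is an assumption of this example, as are all addresses and port names.

```python
import re

# Constructed sample output (not from the thread), in Cisco IOS layout.
ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             2   001a.2b3c.4d5e  ARPA   Vlan1
Internet  10.1.1.20               5   0011.2233.4455  ARPA   Vlan1
"""
MAC_CORE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.2b3c.4d5e    DYNAMIC     Gi0/1
   1    0011.2233.4455    DYNAMIC     Gi0/1
   1    0011.2233.4466    DYNAMIC     Gi0/2
"""
MAC_ACCESS = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.2b3c.4d5e    DYNAMIC     Fa0/7
   1    0011.2233.4455    DYNAMIC     Fa0/3
   1    0011.2233.4466    DYNAMIC     Gi0/1
"""
MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def mac_for_ip(arp_text, ip):
    """Step 2: look up the MAC address the switch has cached for an IP."""
    for line in arp_text.splitlines():
        m = re.match(rf"Internet\s+(\S+)\s+\S+\s+({MAC_RE})\s", line, re.I)
        if m and m.group(1) == ip:
            return m.group(2).lower()
    return None

def locate(mac, mac_table_text, uplink_threshold=1):
    """Steps 3-4: return (port, is_uplink) for the port a MAC was learned on."""
    # Assumption: more than `uplink_threshold` MACs on one port means the port
    # leads to another switch, so it is followed, never shut down.
    ports = {}  # port -> set of MACs learned on it
    for line in mac_table_text.splitlines():
        m = re.match(rf"\s*\d+\s+({MAC_RE})\s+DYNAMIC\s+(\S+)", line, re.I)
        if m:
            ports.setdefault(m.group(2), set()).add(m.group(1).lower())
    for port, macs in ports.items():
        if mac in macs:
            return port, len(macs) > uplink_threshold
    return None, False

if __name__ == "__main__":
    mac = mac_for_ip(ARP, "192.168.1.1")
    for name, table in (("core", MAC_CORE), ("access", MAC_ACCESS)):
        print(name, mac, *locate(mac, table))
```

On the constructed core switch the MAC sits behind Gi0/1 with other hosts, so the trace continues on the next switch; on the access switch it is alone on Fa0/7, which is the port to investigate.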


hobbe Wed, 04/08/2009 - 08:00

If you are using static addresses then you do not have a problem that inflicts your working system.

However, I can see how this could be quite a nuisance, so if you do want to get rid of the problem per se, hunt down the offender.

I know that I would.

An ACL will not work unless you either install it on every port or find the offending device and add the access list to the same interface the device is on, on the outgoing traffic of that interface, i.e. the traffic moving towards the device from the interface.

So depending on what switch you have, it might not be possible to add an access list in both ingress and egress; most only support ingress.

What type of switches do you have?

Depending on the model and type, there are different commands available to track the offender.

In my world the adding of a device such as yours is a strictly forbidden offence and grounds for firing someone.

It could be used to let hackers in and/or as a means to control a PC in the network from the Internet.
