Fwd: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan

Rune Kock rune.kock at gmail.com
Thu Aug 21 19:14:50 BST 2008


---------- Forwarded message ----------
From: Rune Kock <rune.kock at gmail.com>
Date: Thu, Aug 21, 2008 at 20:03
Subject: Re: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
To: Paul Chambers <bod at bod.org>


>> So, you're saying that this Powerconnect 2716 is able to tell me on
>> which port a given MAC communicates?
>
> I can't say for certain, having not tried it myself. What I do know is the
> documentation claims it supports the RMON MIB of SNMP, and there's an
> optional group in that MIB specification that's described as:
>
> -- The host group discovers new hosts on the network by
> -- keeping a list of source and destination MAC Addresses seen
> -- in good packets.  For each of these addresses, the host group
> -- keeps a set of statistics.  The hostControlTable controls
> -- which interfaces this function is performed on, and contains
> -- some information about the process.  On behalf of each
> -- hostControlEntry, data is collected on an interface and placed
> -- in both the hostTable and the hostTimeTable.  If the
> -- monitoring device finds itself short of resources, it may
> -- delete entries as needed.  It is suggested that the device
> -- delete the least recently used entries first.
>
> -- The hostTable contains entries for each address discovered on
> -- a particular interface.  Each entry contains statistical
> -- data about that host.  This table is indexed by the
> -- MAC address of the host, through which a random access
> -- may be achieved.
>
> Since it's optional, I don't know if the Powerconnect switches expose this
> info or not. I don't use SNMP at home, so I'd have to install an SNMP
> browser and take a look. It may be a few days before I have time to do that.

Please do.

> Another approach that I'm pretty confident would work is to use the VLAN
> support in an unusual way. Tag every port with a different VLAN on ingress,
> and subscribe every port to the other VLANs. Mark every port to remove the
> VLAN tag on egress, except the monitoring port. Mirror all the ports to the
> monitoring port. Now you have that one monitoring port that sees all
> traffic, and retains the VLAN tag so you can identify which port it entered
> the switch on. Using that monitoring port, you'll be able to watch for
> packets from a 'rogue' DHCP server, and know which port it arrived on. Or
> any other kind of wayward traffic, for that matter.

Honestly, this sounds a bit difficult.  Would the tagged packets be
able to go through other (non-VLAN-capable) switches before getting to
the router?  How would I read the tag on the router?  An SNMP-solution
seems so much simpler.
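For anyone trying the VLAN-tag-plus-mirror-port idea above, here is an added example (not from this thread or from dnsmasq) of what the monitoring side has to do: parse the still-tagged frames off the monitoring port, pick out DHCP server replies (BOOTREPLY, UDP 67 -> 68), read the Server Identifier option, and report any reply whose server is not on the allowlist together with the VLAN ID, which under that scheme is the switch port the frame came in on. The allowlist, MAC addresses and sample frames are constructed for the demo; it assumes the switch really does keep the 802.1Q tag on the mirror port and that VLAN ID equals ingress port, as proposed.

```python
import struct
from ipaddress import IPv4Address

AUTHORISED_SERVERS = {"192.168.1.1"}   # constructed allowlist of legitimate DHCP servers

def parse_dhcp_reply(frame):
    """Return (vlan_id, src_mac, server_id) for a DHCP server reply, else None."""
    src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    vlan_id, off = None, 14
    if ethertype == 0x8100:                       # 802.1Q tag kept by the monitor port
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18           # assumption: VLAN ID == ingress port
    if ethertype != 0x0800 or frame[off + 9] != 17:   # IPv4 carrying UDP only
        return None
    udp = off + (frame[off] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    dhcp = udp + 8
    if (sport, dport) != (67, 68) or frame[dhcp] != 2:   # server->client BOOTREPLY
        return None
    if frame[dhcp + 236:dhcp + 240] != b"\x63\x82\x53\x63":  # DHCP magic cookie
        return None
    server_id = str(IPv4Address(frame[off + 12:off + 16]))  # fallback: IP source
    opts, i = frame[dhcp + 240:], 0
    while i < len(opts) and opts[i] != 255:      # walk TLV options until End (255)
        code, length = opts[i], (opts[i + 1] if opts[i] else 0)   # Pad (0) has no length
        if code == 54:                            # Server Identifier option
            server_id = str(IPv4Address(opts[i + 2:i + 2 + length]))
        i += 1 if code == 0 else 2 + length
    return vlan_id, src.hex(":"), server_id

def find_rogue_replies(frames):
    """List (ingress_port, src_mac, server_id) for replies from unknown servers."""
    parsed = (parse_dhcp_reply(f) for f in frames)
    return [p for p in parsed if p and p[2] not in AUTHORISED_SERVERS]

def build_reply(vlan, src_mac, server_ip):
    """Construct a tagged DHCPOFFER frame as sample input (not a real capture)."""
    opts = bytes([53, 1, 2, 54, 4]) + IPv4Address(server_ip).packed + bytes([255])
    dhcp = bytes([2, 1, 6, 0]) + bytes(232) + b"\x63\x82\x53\x63" + opts
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(server_ip).packed, b"\xff" * 4) + udp
    return (b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!HHH", 0x8100, vlan, 0x0800) + ip)

if __name__ == "__main__":
    frames = [build_reply(3, "00:11:22:33:44:55", "192.168.1.1"),
              build_reply(7, "de:ad:be:ef:00:01", "192.168.1.254")]
    for port, mac, srv in find_rogue_replies(frames):
        print(f"DHCP reply from unknown server {srv} ({mac}) on switch port {port}")
```

Feeding it real frames only needs a raw socket or pcap reader on the monitoring interface in place of build_reply(); the tag survives only as long as no untagged hop sits between the switch and that interface.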
