From: Jeffrey Sessler (Jeff@scrippscollege.edu)
Date: Wed Oct 15 2003 - 12:33:28 CDT
To combat the rogue DHCP servers we employ a VLAN filter on our Cisco
3750 edge devices that prevents the response from getting off of the
user's port. We employ the same technique to prevent residential network
devices that employ Microsoft's Universal Plug and Play (UPnP) from
advertising.
We are currently compiling a list of MAC address prefixes used by WAPs
so that we can use the same VLAN filters to prevent them from showing up
on our residential network without our knowing.
Last, but not least, we are waiting for Cisco to port their DHCP
snooping and IP source guard to the 3750 edges. These two features
prevent an end-station from getting on the network with anything other
than the IP assigned by the DHCP server. The switch listens for the DHCP
response to the end station and then creates an on-the-fly ACL that
permits only the DHCP-assigned IP from talking on the user's port. This
prevents users from forging IPs to get on the network and will make
NetReg that much more fool-proof.
Jeff
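The DHCP snooping and IP source guard behaviour Jeff describes above, modelled as a small switch simulation. This is an added example, not Cisco's implementation and not code from the list or its members: only one uplink port is trusted, DHCP server replies arriving on any other port are dropped (the backwards-connected home router case), a (MAC, IP) binding is recorded for a user port when the ACK for that port's request comes back over the trusted uplink, and afterwards the user port may only send traffic matching its binding. The port names, MAC addresses and IP addresses are constructed for the scenario.

```python
"""Toy model of DHCP snooping plus IP source guard on an access switch.

Constructed example (not a real switch implementation): the uplink is the
only trusted port.  DHCP server messages on any other port are dropped, the
switch ties an ACK seen on the uplink back to the user port that sent the
request, and ordinary traffic on a user port is allowed only from the
MAC/IP pair learned that way.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK"}          # only DHCP servers send these
CLIENT_MSGS = {"DISCOVER", "REQUEST"}   # only DHCP clients send these


@dataclass
class Frame:
    in_port: str
    src_mac: str
    src_ip: str
    dhcp: str = ""          # DHCP message type, "" for ordinary traffic
    client_mac: str = ""    # chaddr field of a DHCP server reply
    yiaddr: str = ""        # address handed out in a DHCP ACK


@dataclass
class Switch:
    trusted_ports: Set[str]
    # client MAC -> user port that is waiting for an ACK
    pending: Dict[str, str] = field(default_factory=dict)
    # user port -> (MAC, IP) learned from the DHCP exchange (the "on-the-fly ACL")
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def process(self, f: Frame) -> str:
        """Returns "forward" or "drop:<reason>" for one incoming frame."""
        trusted = f.in_port in self.trusted_ports
        if f.dhcp in SERVER_MSGS:
            if not trusted:
                # A server reply on a user port means a rogue DHCP server;
                # it must never reach the other hosts on the VLAN.
                return "drop:rogue-dhcp-server"
            if f.dhcp == "ACK" and f.client_mac in self.pending:
                port = self.pending.pop(f.client_mac)
                self.bindings[port] = (f.client_mac, f.yiaddr)
            return "forward"
        if f.dhcp in CLIENT_MSGS:
            if not trusted:
                # Remember which port asked so the ACK can be tied to it.
                self.pending[f.src_mac] = f.in_port
            return "forward"
        if trusted:
            return "forward"
        # Ordinary traffic on a user port: IP source guard check.
        binding: Optional[Tuple[str, str]] = self.bindings.get(f.in_port)
        if binding is None:
            return "drop:no-dhcp-binding"
        if binding != (f.src_mac, f.src_ip):
            return "drop:source-guard-mismatch"
        return "forward"


def run_scenario() -> List[str]:
    """Replays a constructed sequence of frames and returns the verdicts."""
    sw = Switch(trusted_ports={"Gi1/0/48"})   # hypothetical uplink port
    frames = [
        # 1: a student PC on port 5 asks for an address
        Frame("Gi1/0/5", "aa:aa:aa:00:00:01", "0.0.0.0", dhcp="DISCOVER"),
        # 2: a backwards-connected home router on port 7 answers first
        Frame("Gi1/0/7", "bb:bb:bb:00:00:02", "192.168.1.1", dhcp="OFFER",
              client_mac="aa:aa:aa:00:00:01", yiaddr="192.168.1.100"),
        # 3: the real server's ACK arrives over the trusted uplink
        Frame("Gi1/0/48", "cc:cc:cc:00:00:03", "10.0.0.2", dhcp="ACK",
              client_mac="aa:aa:aa:00:00:01", yiaddr="10.0.5.23"),
        # 4: the PC sends normal traffic from its assigned address
        Frame("Gi1/0/5", "aa:aa:aa:00:00:01", "10.0.5.23"),
        # 5: the same PC tries a forged static address
        Frame("Gi1/0/5", "aa:aa:aa:00:00:01", "10.0.5.99"),
        # 6: a host on port 9 that never went through DHCP at all
        Frame("Gi1/0/9", "dd:dd:dd:00:00:04", "10.0.5.50"),
    ]
    return [sw.process(f) for f in frames]


if __name__ == "__main__":
    for i, verdict in enumerate(run_scenario(), 1):
        print(i, verdict)
```

Frames 2, 5 and 6 are the three cases the message cares about: the rogue server's OFFER never leaves port 7, the forged address is blocked even though the MAC is legitimate, and a port with no DHCP binding gets no access, which is what ties the switch-level enforcement to a registration system like NetReg.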
> Hi!
>
> I'm curious about what some of you are doing to deal with WAPs and other
> small router boxes. Verboten? How do you find them? Or, if you allow
> them, have you noticed that if a user registers while behind one that the
> MAC address of the WAP/router is registered, not the computer's? If the
> device is capable of NAT, then things can get really interesting. Any
> useful strategies?
>
> I've had a couple that were mis-configured, or even connected backwards
> so that I suddenly had a rogue DHCP server/router on the LAN side, such
> that other students were getting RFC 1918 addresses, but getting service
> by being routed through the DSL/Cable router.
>
> -Robert
>
>
> **********************************************************************
> To unsubscribe from this list, send an e-mail message to
> majordomo@southwestern.edu containing a single line with the words:
> unsubscribe netreg
> Send requests for assistance to: owner-netreg@southwestern.edu
>
> **********************************************************************
--
Jeffrey D Sessler
Assistant Director of Technical Services
Scripps College
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:41 CDT