Security Incidents mailing list archives

Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only


From: tsteeves () uvic ca
Date: 12 Apr 2006 18:12:28 -0000

Take an IP from the source host network and add it as a secondary IP on the routed interface for the vlan - for the 0.10.94.27 host add "ip address 0.10.94.254 secondary" to the router. Then do a broadcast ping from the router - ping 0.10.94.255. Then show the arp cache for the vlan - show ip arp vlan xxx | include 0.10.94. - Do you see any entries besides the router interface? If no, you probably have a misconfigured/buggy device on the network. If there are entries, you will be provided with MAC addresses which you can track down easily to the switchport in question. I use this technique to track down rogue DHCP servers, Access Points etc.
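The last step of the procedure above, picking the learned entries out of the ARP cache after the broadcast ping, is easy to do by hand for one /24 but tedious when the bogon traffic spans several prefixes. The script below is an added illustration, not code from the original post: it parses the text of a Cisco IOS `show ip arp` listing, keeps only entries inside the bogon prefix that were actually learned from a host (a numeric age rather than the router's own `-` entry for the secondary address, and a resolved MAC rather than `Incomplete`), and converts the MACs to colon notation for a `show mac address-table address` lookup. The ARP table it runs on is constructed, and every MAC, VLAN name and address in it is hypothetical.

```python
"""Parse Cisco IOS 'show ip arp' output and list the hosts that answered a
broadcast ping sent to a bogon-addressed prefix.  Added example, not code
from the original post; the ARP table below is constructed and every MAC,
VLAN name and address in it is hypothetical."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output.  0.10.94.254 is the secondary address the post
# suggests adding to the router (Age "-" marks the router's own entry);
# 0.10.94.27 and 0.10.94.31 are hosts that answered the broadcast ping;
# 0.10.94.9 is an unresolved (Incomplete) entry, which IOS prints without
# an interface column.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.94.1.1               -   0011.2233.0001  ARPA   Vlan94
Internet  0.10.94.254             -   0011.2233.0001  ARPA   Vlan94
Internet  0.10.94.27              2   aabb.ccdd.0027  ARPA   Vlan94
Internet  0.10.94.31              0   aabb.ccdd.0031  ARPA   Vlan94
Internet  10.94.1.50              5   1234.5678.9abc  ARPA   Vlan94
Internet  0.10.94.9               1   Incomplete      ARPA
"""

# One ARP row: protocol, address, age, hardware address, type, optional interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<mac>\S+)\s+(?P<type>\S+)"
    r"(?:\s+(?P<iface>\S+))?\s*$"
)
# Cisco dotted-hex MAC notation, e.g. aabb.ccdd.0027
CISCO_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


@dataclass(frozen=True)
class ArpEntry:
    ip: ipaddress.IPv4Address
    age: Optional[int]        # None for the router's own interface ("-")
    mac: Optional[str]        # None when IOS reports "Incomplete"
    interface: Optional[str]  # None when the column is absent


def parse_show_ip_arp(text: str) -> List[ArpEntry]:
    """Turn 'show ip arp' text into ArpEntry records, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # header line or unrelated output
        mac = m.group("mac").lower()
        entries.append(ArpEntry(
            ip=ipaddress.ip_address(m.group("ip")),
            age=None if m.group("age") == "-" else int(m.group("age")),
            mac=mac if CISCO_MAC.match(mac) else None,
            interface=m.group("iface"),
        ))
    return entries


def find_responders(text: str, prefix: str) -> List[ArpEntry]:
    """Entries inside `prefix` that belong to real hosts: learned (numeric
    age, so not the router's own secondary address) and resolved to a MAC.
    These are the MACs to chase down to a switchport."""
    net = ipaddress.ip_network(prefix)
    return [e for e in parse_show_ip_arp(text)
            if e.ip in net and e.age is not None and e.mac is not None]


def mac_to_ieee(mac: str) -> str:
    """Convert Cisco aaaa.bbbb.cccc notation to aa:aa:bb:bb:cc:cc for an
    OUI lookup or a 'show mac address-table address' query."""
    digits = mac.replace(".", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    for e in find_responders(SAMPLE_ARP, "0.10.94.0/24"):
        print(f"{e.ip}  {e.mac}  {mac_to_ieee(e.mac)}  {e.interface}")
```

Run against the constructed table it reports 0.10.94.27 and 0.10.94.31 on Vlan94 and ignores both the router's own secondary-address entry and the unresolved one; a real capture is fed in by replacing `SAMPLE_ARP` with the pasted output of `show ip arp vlan <n>`.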

