RE: How I fixed the network I broke.

From: Jonathan V Hays (jhays@jtan.com)
Date: Tue Nov 25 2003 - 09:49:07 GMT-3


Michael,

I know that I personally am usually too embarrassed to report this sort
of thing but your posts may help many others. Thanks for having the
courage to share - it is appreciated.

Usually when I run into this kind of situation (I assume you didn't have
the luxury of putting a sniffer on the switch beforehand) I like to add
an ACL with a few "permit any log" statements and watch the log for a
while. However, I wonder if this is even possible with a VLAN map? Or
maybe I should ask, was it a VLAN map? And out of curiosity, what kind
of switch was it?

Thanks,

Jonathan

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Michael Snyder
Sent: Sunday, November 23, 2003 10:42 PM
To: ccielab@groupstudy.com
Subject: How I fixed the network I broke.

What I broke was DHCP.

It seems when a client doesn't have an IP address, it broadcasts to udp
255.255.255.255 from udp address 0.0.0.0 asking for an IP address.

I had allowed all normal unicast traffic, but didn't think about dhcp.

After a google search I added the following statement.

Permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67

The reason I thought of this for a Groupstudy posting is, couldn't you
envision this on the lab?

Have a good restrictive access list on an interface; then, much later in the
lab, they say also add DHCP to that router. I know I would just think
easy points and move on.

Just a thought.

----------------------------------------------------------------------------------------

I had a real world experience to share.

Testing out IDS, I found a lot of spoofed traffic on a client's network.

I believe it was one of the newer worms out at the time. I had a tech
tracking down the infected machines.

I noticed that a lot of the traffic was neither sourced nor destined for
the network I was on, and it wasn't on a transit network!

So, I figured I could take care of that, and threw a VLAN filter on the
switch.

Where a.b.c.d = client's network.

Permit ip a.b.c.d 0.0.0.255 any
Permit ip any a.b.c.d 0.0.0.255

Get a call the next day. Network is broke.

Can anyone guess what I broke?

Continued on next email.

Michael Snyder
Lead Network Engineer
CCDP, CCSP, MCSE NT/2000
Revolution Computer Systems
(270) 443-7400
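
To make the failure concrete, here is an added example (mine, not code from either post or from any Cisco product): a small Python evaluator with Cisco wildcard-mask semantics and implicit deny, run over constructed sample packets against the two original VLAN filter lines and then with the DHCP line added. The client network a.b.c.d is assumed to be 192.0.2.0/24 and the DHCP server to be 192.0.2.1; both are constructed values, not from the thread.

```python
import ipaddress

CLIENT_NET = "192.0.2.0"              # stands in for a.b.c.d (constructed value)
ANY = ("0.0.0.0", "255.255.255.255")  # ACL keyword "any"

def host(ip):
    """ACL keyword "host X": address X with an all-zero wildcard (exact match)."""
    return (ip, "0.0.0.0")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def permit(proto, src, dst, sport=None, dport=None):
    """One permit entry; src/dst are (address, wildcard), a None port means any port."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

def ace_matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *e["src"]) and wildcard_match(pkt["dst"], *e["dst"])):
        return False
    if e["sport"] is not None and pkt.get("sport") != e["sport"]:
        return False
    return e["dport"] is None or pkt.get("dport") == e["dport"]

def permitted(acl, pkt):
    """First matching entry wins; a Cisco ACL ends with an implicit deny."""
    return any(ace_matches(e, pkt) for e in acl)

# The two lines Michael first applied as the VLAN filter.
ORIGINAL_FILTER = [
    permit("ip", (CLIENT_NET, "0.0.0.255"), ANY),
    permit("ip", ANY, (CLIENT_NET, "0.0.0.255")),
]
# The same filter plus the DHCP line from the follow-up.
FIXED_FILTER = ORIGINAL_FILTER + [
    permit("udp", host("0.0.0.0"), host("255.255.255.255"), sport=68, dport=67),
]

# Constructed sample packets (documentation address ranges, not real hosts).
PACKETS = {
    "client unicast to internet": {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.5", "sport": 40000, "dport": 80},
    "spoofed worm traffic":       {"proto": "tcp", "src": "203.0.113.4", "dst": "198.51.100.5", "sport": 1234, "dport": 135},
    "dhcp discover":              {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "sport": 68, "dport": 67},
    "dhcp offer (broadcast)":     {"proto": "udp", "src": "192.0.2.1", "dst": "255.255.255.255", "sport": 67, "dport": 68},
}

def evaluate(acl):
    """Map each sample packet name to True (permitted) or False (dropped)."""
    return {name: permitted(acl, pkt) for name, pkt in PACKETS.items()}
```

The broadcast DHCPOFFER is sourced from the a.b.c.d network, so the first original line already permits it; only the client's DISCOVER from 0.0.0.0 needed the extra entry.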



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:17 GMT-3