Rogue LAN device: I'm stumped
Cisco port security is enabled on each port. Only the assigned mac address can connect to a switch port, except that conference rooms get assigned a list of mac addresses. Only company PCs are allowed on the lan, no exceptions.
Regular sweeps are performed to ensure that there is no WLAN here, and the Disknet LAN security tool disables WLAN and Bluetooth interfaces on all laptops (as well as USB jump drives, CD-ROMs, DVDs, floppies, iPods, etc.).
With Cisco port security, a WLAN AP or router would not work, since the port would get disabled when the rogue AP or router was plugged into the network, since the mac address would be wrong.
When running a Wireshark trace from a switched port on the main VLAN, I noticed three workstations that appear to be Sony laptops (by their OUID) that I could see are sending TCP packets and doing Netbios queries from an IP address that is not part of the network, and a mac address which is also not on the ACL for any of the switches.
The ip address range for the main network is 135.x.x.x, vlans are 10.x and 192.x.
This rogue device is a 12.x.x.x address (IP space registered to AT&T). I tried setting my workstation to a 12.x address and tried nmapping the rogue device, but no joy. I can see some NetBIOS info, but the workgroup name is 'workgroup' and the NetBIOS name that is being queried is something I never heard of, "COANT4.VICP.NET" (this is a NetBIOS name query, not DNS).
At this point I'm stumped. My guesses are:
a) a rogue laptop, like a contractor, is somehow plugged into a port that somehow has security turned off. Note that firewall rules would not give this device internet access, since that is granted explicitly from firewall rules.
b) Several misconfigured laptops are somehow bridging their WLAN or cellular-modem interface to the Ethernet interface.
c) Same as above, but one misconfigured laptop bridging its WLAN interface to the Ethernet interface, and the multiple rogue IP addresses are WLAN clients on a remote wireless LAN.
Next stop is to walk the building to look for Sony laptops.
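As an added illustration, not part of the original post, the following Python script does the same triage the poster did by eye in Wireshark, but mechanically: it checks a text summary of captured frames against the port-security MAC allowlist and the site's address plan, then groups the off-list sources by OUI and by how many IPs each MAC carries, which is the evidence that separates guess (b)/(c) (several same-model hosts behind a bridge) from a single routing or NAT device. The allowlist, address ranges, OUI table and the frame summary are all constructed for the example (locally administered 02:xx MACs are used so nothing collides with a real IEEE assignment); the 135.x/10.x/192.x ranges are assumptions standing in for the ranges the post names only loosely.

```python
"""Audit a captured-frame summary against a port-security MAC allowlist and the
site's address plan, then summarise the sources that do not belong."""
import ipaddress
from collections import defaultdict

# Assumed allowlist: the MACs port security would have programmed on the ports.
ALLOWED_MACS = {
    "02:11:22:00:00:01",
    "02:11:22:00:00:02",
    "02:11:22:00:00:03",
}

# Assumed address plan standing in for the post's 135.x / 10.x / 192.x ranges.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in
                ("135.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]

# Constructed vendor table keyed by OUI (first three octets). In practice, load
# the IEEE OUI registry here instead.
OUI_VENDORS = {
    "02:11:22": "company laptop build (constructed)",
    "02:33:44": "unknown laptop vendor (constructed)",
}

# Constructed frame summary: frame_no src_mac src_ip dst_ip proto dst_port [info]
SAMPLE_CAPTURE = """\
1 02:11:22:00:00:01 135.10.1.20 135.10.1.5 TCP 445 SMB session
2 02:33:44:00:00:07 12.1.2.3 12.1.2.255 UDP 137 NBNS query COANT4.VICP.NET
3 02:11:22:00:00:02 10.20.0.9 10.20.0.1 UDP 53 DNS query
4 02:33:44:00:00:08 12.1.2.4 12.1.2.255 UDP 137 NBNS query COANT4.VICP.NET
5 02:33:44:00:00:07 12.1.2.3 135.10.1.5 TCP 139 SYN
6 02:33:44:00:00:09 12.1.2.5 12.1.2.255 UDP 138 NBDGM browser announce
7 02:11:22:00:00:03 192.168.5.7 192.168.5.1 TCP 80 GET
8 02:33:44:00:00:07 12.1.2.6 12.1.2.255 UDP 137 NBNS query WORKGROUP
"""


def parse_capture(text):
    """Turn the whitespace-separated summary into frame dicts; skip bad lines."""
    frames = []
    for line in text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) < 6:
            continue
        no, src_mac, src_ip, dst_ip, proto, port = parts[:6]
        frames.append({
            "no": int(no),
            "src_mac": src_mac.lower(),
            "src_ip": ipaddress.ip_address(src_ip),
            "dst_ip": ipaddress.ip_address(dst_ip),
            "proto": proto,
            "port": int(port),
            "info": parts[6] if len(parts) > 6 else "",
        })
    return frames


def oui(mac):
    """First three octets of a colon-separated MAC, e.g. '02:33:44'."""
    return mac[:8]


def audit(frames, allowed_macs=ALLOWED_MACS, allowed_nets=ALLOWED_NETS):
    """Flag frames whose source MAC is off the ACL or whose source IP is off-plan,
    then aggregate the offenders by MAC and by OUI."""
    findings = []
    ips_by_mac = defaultdict(set)
    for f in frames:
        reasons = []
        if f["src_mac"] not in allowed_macs:
            reasons.append("mac-not-in-port-security-acl")
        if not any(f["src_ip"] in net for net in allowed_nets):
            reasons.append("ip-outside-address-plan")
        if reasons:
            findings.append({"no": f["no"], "src_mac": f["src_mac"],
                             "src_ip": str(f["src_ip"]), "reasons": reasons,
                             "info": f["info"]})
            ips_by_mac[f["src_mac"]].add(str(f["src_ip"]))
    macs_by_oui = defaultdict(set)
    for mac in ips_by_mac:
        macs_by_oui[oui(mac)].add(mac)
    return {
        "frames": findings,
        "rogue_macs": sorted(ips_by_mac),
        # One MAC sourcing several IPs points at a routing/NAT device; a transparent
        # bridge would forward each client's own MAC instead.
        "multi_ip_macs": sorted(m for m, ips in ips_by_mac.items() if len(ips) > 1),
        # Several rogue MACs sharing an OUI is what "three Sony laptops" looks like.
        "oui_clusters": {o: sorted(m) for o, m in macs_by_oui.items() if len(m) > 1},
    }


def describe(report):
    """Human-readable summary for the person about to walk the building."""
    lines = [f"frame {f['no']}: {f['src_mac']} {f['src_ip']} "
             f"[{', '.join(f['reasons'])}] {f['info']}" for f in report["frames"]]
    for o, macs in report["oui_clusters"].items():
        lines.append(f"{len(macs)} rogue MACs share OUI {o} "
                     f"({OUI_VENDORS.get(o, 'unknown OUI')})")
    for m in report["multi_ip_macs"]:
        lines.append(f"{m} sources several off-plan IPs (routing/NAT behaviour)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(audit(parse_capture(SAMPLE_CAPTURE))))
```

The report also gives the switch-side follow-up: every MAC in `rogue_macs` should appear in the port-security address table of exactly one port, and the port it shows up on (or a port where security turns out to be disabled, guess (a)) is where to start walking.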