rogue network

[burtsbees]

Google (even using search tricks, like inurl, intitle, file.blablabla, etc) reveals nothing...

Has anyone ever had "crowe.local" show up on their ethernet interface as the local network? I'm guessing at some time someone may have plugged their little dsl router or maybe even a little personal print server on the network here, and it wrote tio the registry of something that remains on the LAN (like a local file server, DC (scary!), etc)...sounds like someone's last name to me, but for the life of me I can't find where it's cominng from...not too many tools here to work with (Lancope or Orion w/netflow in the edge routers would be nice...)---I'm stuck with show commands and debugs in Cisco switches (edge routers are controlled by the provider, we only control the layer 2 domain behind the routers)...

Thanks!

--Tim

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY

 

[burtsbees]

Forgot to mention---I doubt it was ever any rogue WAP---I looked in Prime/ISE, and we have rogue detection APs hung off of the controllers.

--Tim

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY

 

[ChrisHirst]

Do any users 'dial in' or connect through a VPN or have laptops, tablets, phones etc that they also use "off site"?

Because if they have an "always add suffix" declared in their network setting ...

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum

 

[kjv1611]

Hey, here's a way to get some more information on it. Block it. Eventually something will break or someone will raise their hand for help, unless they didn't want it being found to begin with. Either way, I think that'll get you to your end solution than trying to figure it out otherwise.

"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57

 

[burtsbees]

Nope, someone's personal Netgear router like I kinda thought at first...just never saw someone have a .local nw profile. kjv1611, the first thing I did was kill the switchport to which it was connected. I separated shit and re-enabled the port so I could NMAP it.

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY