Hey, I work on a very large corporate network and we see this kind of thing constantly. The issue here is almost always an "uneducated end-user" enabling a DHCP server on their system. It's pretty easy to do this with certain OSes, especially with the advent of laptops and Internet Connection Sharing. I do not think that filtering an offending MAC is a long-term solution to this type of issue, especially since there is no way to proactively stop this type of activity on a broadcast domain, considering that every host connected is a potential violator.
The best solution I have for rogue DHCP servers is to track down the offending system's MAC address, trace his MAC to the switchport, and shut down the port until you can track the physical location. There are some pretty good security uses for MAC address filtering though, so here are your options for frame filtering based on MAC addresses. There are a couple of things you could do to limit traffic based on MAC addresses.

1. You can enable port security on the offending MAC address's switchport and simply filter his MAC address.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_5/cnfg_gd/sec_port.htm
However, this would only limit the user's current port, unless you wanted to block his MAC on every switchport throughout your network, and the administration overhead in this situation would be horrendous.

The better option...

2. Configure dynamic VLANs throughout your switched network.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_4_2/config/vmps.htm
This is actually pretty effective for MAC filtering. For example, what if the offender is moving from switchport to switchport with a laptop and/or wireless connection? You could simply add the MAC address to an offenders list, which would auto-assign him to a non-routed VLAN, and then just kick back and wait for him to call the helpdesk. Instead of tracking the offender down, they would have to come to you (if they ever wanted to get access back). Of course the upfront work is possibly a little greater in this case. You have to track every MAC address in your network, but the result is a much tighter and more proactive security counter-measure.

The bottom line here is you just can't stop broadcast frames with ACLs, and until you can, see above.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45616&t=45350
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
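An added example (not from the post above or the GroupStudy list) of the first step the post recommends: spotting a DHCPOFFER from a server that is not on the authorised list and mapping the sender's MAC to a switchport so that port can be shut down. It assumes nothing beyond the standard DHCP layout (BOOTP header, the 0x63825363 magic cookie, option 53 for message type and option 54 for server identifier). The frames, the authorised server address and the MAC table text are all constructed sample input; the MAC table parser expects lines in the same "VLAN MAC Type Port" shape as Cisco `show mac address-table` output, with MACs in dotted form.

```python
"""Find rogue DHCP servers from captured DHCPOFFER frames and map the sending
MAC to a switchport using a MAC address table dump."""
import re
import struct
from typing import Dict, List, Optional

# Constructed example value: the only DHCP server that should exist on this
# broadcast domain. Any other server identifier in an OFFER is a rogue.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 DHCP option magic cookie
DHCP_OFFER = 2                       # option 53 value for DHCPOFFER


def mac_to_str(raw: bytes) -> str:
    """Render 6 raw MAC bytes in Cisco dotted form (0011.2233.4455)."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Parse code/length/value options after the magic cookie; stop at END (255)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 255:          # END
            break
        if code == 0:            # PAD has no length byte
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp_frame(frame: bytes) -> Optional[dict]:
    """Decode Ethernet/IPv4/UDP/BOOTP. Return None for anything that is not DHCP."""
    if len(frame) < 14 + 20 + 8 + 240:           # minimum size for a DHCP frame
        return None
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                               # not UDP
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if sport != 67 and dport != 67:               # DHCP server port not involved
        return None
    bootp = udp[8:]
    if bootp[236:240] != MAGIC_COOKIE:
        return None
    opts = parse_dhcp_options(bootp[240:])
    server_id = opts.get(54)
    return {
        "src_mac": mac_to_str(src_mac),
        "msg_type": opts.get(53, b"\x00")[0],
        "server_id": ".".join(str(b) for b in server_id) if server_id else None,
    }


def find_rogue_offers(frames: List[bytes]) -> List[dict]:
    """Return decoded DHCPOFFERs whose server identifier is not authorised."""
    rogues = []
    for frame in frames:
        pkt = parse_dhcp_frame(frame)
        if pkt and pkt["msg_type"] == DHCP_OFFER and pkt["server_id"] not in AUTHORIZED_DHCP_SERVERS:
            rogues.append(pkt)
    return rogues


# One row of a Cisco-style MAC address table: "  10    0011.2233.4455    DYNAMIC     Gi1/0/7"
MAC_TABLE_RE = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)


def parse_mac_table(text: str) -> Dict[str, str]:
    """Map MAC -> port from 'show mac address-table' style output; header lines are skipped."""
    return {m.group(1).lower(): m.group(2)
            for m in (MAC_TABLE_RE.match(line) for line in text.splitlines()) if m}


def locate_rogues(frames: List[bytes], mac_table_text: str) -> List[dict]:
    """Join rogue OFFERs with the MAC table so each hit names the switchport to shut down."""
    ports = parse_mac_table(mac_table_text)
    return [{"mac": r["src_mac"], "server_id": r["server_id"], "port": ports.get(r["src_mac"], "unknown")}
            for r in find_rogue_offers(frames)]


def build_dhcp_offer(src_mac: bytes, server_ip: bytes) -> bytes:
    """Constructed DHCPOFFER frame for the example (sample input, not a real capture)."""
    bootp = bytes([2, 1, 6, 0]) + b"\x00" * 232 + MAGIC_COOKIE      # op=BOOTREPLY, 236-byte header
    options = bytes([53, 1, DHCP_OFFER, 54, 4]) + server_ip + bytes([255])
    payload = bootp + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     server_ip, b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


# Constructed sample input: one legitimate OFFER and one from a laptop handing out addresses.
SAMPLE_FRAMES = [
    build_dhcp_offer(bytes.fromhex("00aabbccddee"), bytes([10, 0, 0, 1])),
    build_dhcp_offer(bytes.fromhex("001122334455"), bytes([192, 168, 137, 1])),
]
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/24
"""

if __name__ == "__main__":
    for hit in locate_rogues(SAMPLE_FRAMES, SAMPLE_MAC_TABLE):
        print(f"rogue DHCP server {hit['server_id']} sent from {hit['mac']} on port {hit['port']}")
```

On real input you would feed `find_rogue_offers` frames from a capture on the affected VLAN and `parse_mac_table` the output of the switch's MAC table; the port named in each hit is the one to disable until the physical location is found, which is exactly the workflow the post describes.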