I'm continuing to lock down my network gear using the DISA standards. After implementing an ACL on a multi-layer switch that denies access to unknown subnets, the syslog server started recording two IP addresses about every 7 minutes that are being blocked. The IP addresses are in the 169.254.0.0/16 network. This seems to indicate that the machines used a link-local address, probably because they didn't have an IP address set (no DHCP on this isolated network). Without physically touching each machine, is there a way to find out which port(s) these packets are coming in on? The multi-layer switch is a stack of Cisco 3750Gs with cross-stack EtherChannel to 4 Cisco 2960Gs.
Usually your intrusion detection log for a rogue IP address would list the MAC, but since it does not, you can try the following.
Log onto your Cisco device. Ping the rogue IP. Of course, if your ACL is blocking access, this might be problematic.
This will hopefully get the device's MAC address into the ARP table of the Cisco.
This will list the MAC address as well as the IP it is associated with. It will look something like:
Where 2222.aaaa.bbbb is the MAC address.
Finally run:
to show the port, where 2222.aaaa.bbbb is the MAC address.
That will show you MAC-to-port mappings.
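The IP-to-MAC-to-port chase above can be scripted once the `show ip arp` and `show mac address-table address` output is in hand. The following is an added example, not code from the answer or from Cisco: it parses constructed IOS-style output (the sample tables, the 169.254.x.x addresses and the port `Gi2/0/17` are made up for the example; only the MAC `2222.aaaa.bbbb` comes from the answer) and reports, for each logged source IP, the MAC, VLAN and port it was learned on. It also handles the two ways the procedure fails: an `Incomplete` ARP entry (the host never answered, or the switch has no interface in 169.254.0.0/16 to ARP from), and a MAC learned on a `Po` interface, which on this topology means the host is behind the cross-stack EtherChannel on one of the 2960s and the MAC lookup has to be repeated there.

```python
import re

# Constructed sample output of `show ip arp` on a Cisco IOS switch; not from the page.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.4455  ARPA   Vlan10
Internet  169.254.10.20           2   2222.aaaa.bbbb  ARPA   Vlan10
Internet  169.254.33.44           0   Incomplete      ARPA
"""

# Constructed sample output of `show mac address-table address <mac>`, keyed by the
# MAC passed on the command line (simulates running the command once per MAC).
SHOW_MAC_TABLE = {
    "2222.aaaa.bbbb": """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    2222.aaaa.bbbb    DYNAMIC     Gi2/0/17
Total Mac Addresses for this criterion: 1
""",
}

# [ \t]+ rather than \s+ so an optional trailing field never runs onto the next line.
ARP_RE = re.compile(
    r"^Internet[ \t]+(?P<ip>\d+\.\d+\.\d+\.\d+)[ \t]+\S+[ \t]+(?P<mac>\S+)[ \t]+ARPA"
    r"(?:[ \t]+(?P<intf>\S+))?",
    re.M,
)
MAC_RE = re.compile(
    r"^[ \t]*(?P<vlan>\d+)[ \t]+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"[ \t]+\S+[ \t]+(?P<port>\S+)",
    re.M | re.I,
)


def parse_arp(text):
    """Map IP -> MAC from `show ip arp`; an 'Incomplete' entry maps to None."""
    table = {}
    for m in ARP_RE.finditer(text):
        mac = m.group("mac").lower()
        table[m.group("ip")] = None if mac == "incomplete" else mac
    return table


def parse_mac_table(text):
    """Map MAC -> (vlan, port) from `show mac address-table address <mac>`."""
    return {m.group("mac").lower(): (int(m.group("vlan")), m.group("port"))
            for m in MAC_RE.finditer(text)}


def locate(ips, arp_text, mac_outputs):
    """Resolve each logged source IP to the port its MAC was learned on.

    Returns {ip: {"mac": ..., "vlan": ..., "port": ..., "note": ...}}.
    """
    arp = parse_arp(arp_text)
    result = {}
    for ip in ips:
        entry = {"mac": None, "vlan": None, "port": None, "note": ""}
        mac = arp.get(ip)
        if mac is None:
            entry["note"] = ("no ARP entry: the host did not answer, or the switch has "
                             "no interface in 169.254.0.0/16 to ARP from")
        else:
            entry["mac"] = mac
            learned = parse_mac_table(mac_outputs.get(mac, ""))
            if mac not in learned:
                entry["note"] = "MAC aged out of the table; ping again and re-check"
            else:
                entry["vlan"], entry["port"] = learned[mac]
                if entry["port"].lower().startswith("po"):
                    entry["note"] = ("learned on an EtherChannel uplink; repeat the MAC "
                                     "lookup on the downstream switch")
        result[ip] = entry
    return result


if __name__ == "__main__":
    # The two 169.254.0.0/16 sources are constructed for the example.
    for ip, info in locate(["169.254.10.20", "169.254.33.44"],
                           SHOW_IP_ARP, SHOW_MAC_TABLE).items():
        print(ip, info)
```

To use this against a live stack, capture the two show commands over SSH and feed the text in; the parsing is the same. One further option the answer does not use: on IOS, writing the deny ACE with `log-input` instead of `log` makes the `%SEC-6-IPACCESSLOGP` message itself carry the ingress interface and the source MAC, which answers the question directly without an ARP round-trip.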