Thursday, October 22, 2015

The Hunt For The Rogue DHCP Server

Man, I hate these things.  You know, when someone plugs in a device that gives out DHCP by default, just so they can have more than one port to plug into for their devices?  I had this happen on a network, where the 10.254.236.X address was being given out to some clients.  This turned a little ugly, since the whole network (including remotes) reside on a single vlan with L2 across to the remote sites.  I was able to track it down though.  I had to ping the default gateway (which was the rogue dhcp server) to get an mac address entry on the PC.  Once I had that (by doing arp -a on the PC on the command prompt), then I was able to find the mac address on the switching gear.  I tracked it down through several switches (across the MPLS network) and shut down the port.  When I went onsite to find it, it lead me to the place below.  Where it goes, no one knows.


  1. Great detective work! I had the same thing a while back...a user had installed a "home" router just to get WiFi coverage. Traced it down through several switches, and confiscated it! (With a bit of attitude, you don't mess with my network dude...I WILL hunt you down!!)

    1. Yeah, what a pain. There should probably be policies against this sort of thing.


Your comment will be reviewed for approval. Thank you for submitting your comments.