Thursday, October 22, 2015
The Hunt For The Rogue DHCP Server
Man, I hate these things. You know, when someone plugs in a device that gives out DHCP by default, just so they can have more than one port to plug their devices into? I had this happen on a network where the 10.254.236.X address was being given out to some clients. This turned a little ugly, since the whole network (including remotes) resides on a single VLAN with L2 across to the remote sites.

I was able to track it down, though. I had to ping the default gateway (which was the rogue DHCP server) to get a MAC address entry on the PC. Once I had that (by doing arp -a on the PC at the command prompt), I was able to find the MAC address on the switching gear. I tracked it down through several switches (across the MPLS network) and shut down the port. When I went onsite to find it, it led me to the place below. Where it goes, no one knows.