Tuesday, March 4, 2014

Rogue DHCP Servers: What A Pain

One of my customers today experienced this rogue DHCP server that was handing out chaos on the network.  No one really knew what was going on except that they 'couldn't do anything'.  So when I got onsite and noticed that they had a funny IP address, from a 'server' (or whatever) not meant to be a DHCP server.  Sadly, I could not find this device.  I found where it was 'supposed' to be, via the switch ARP tables, but never could actually find the device.  So, I blocked all access to the device on that VLAN.  What is a guy to do in that case when you just cant find the problem device???  Well, that was my solution.  Probably not the best thing, but that was all I could do with the time I had available.  I just wrote out a simple ACL and applied it to the VLAN interface.  Maybe the customer can find that device in the next day or so.


  1. Very smart move. Can you give an example of the ACL code with a dummy IP for the device?

    1. I think what I did was just block access to that device all together. I think part of that thinking was the hope that someone would say something about their device no being able to do anything. That way we could actually find the device.
      It would look something like this:
      access-list 101 deny ip any host
      access-list 101 permit ip any any

      Then apply to the vlan interface.


Your comment will be reviewed for approval. Thank you for submitting your comments.