Thursday, October 22, 2015

The Hunt For The Rogue DHCP Server

Man, I hate these things. You know, when someone plugs in a device that gives out DHCP by default, just so they can have more than one port to plug into for their devices? I had this happen on a network, where the 10.254.236.X address was being given out to some clients. This turned a little ugly, since the whole network (including remotes) resides on a single VLAN with L2 across to the remote sites. I was able to track it down though. I had to ping the default gateway (which was the rogue DHCP server) to get a MAC address entry on the PC. Once I had that (by doing arp -a on the PC at the command prompt), I was able to find the MAC address on the switching gear. I tracked it down through several switches (across the MPLS network) and shut down the port. When I went onsite to find it, it led me to the place below. Where it goes, no one knows.
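
The ARP step described above, as an added example that is not part of the original post: a Python script that pulls the rogue gateway's MAC out of Windows `arp -a` output and returns it in the hyphen, colon and dotted notations that different switch MAC tables display. The sample output, the gateway address 10.254.236.1 and the MAC address are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output, captured after pinging the
# gateway handed out by the rogue DHCP server (all values are made up).
SAMPLE_ARP = """\
Interface: 10.254.236.23 --- 0xb
  Internet Address      Physical Address      Type
  10.254.236.1          00-1a-2b-3c-4d-5e     dynamic
  10.254.236.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IPv4 address, hyphen-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(\w+)\s*$"
)

def parse_arp(text):
    """Return {ip: (mac_as_12_hex_digits, entry_type)} from `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.replace("-", "").lower(), kind)
    return table

def mac_notations(hex12):
    """Format one MAC in the notations commonly seen in switch MAC tables."""
    pairs = [hex12[i:i + 2] for i in range(0, 12, 2)]
    quads = [hex12[i:i + 4] for i in range(0, 12, 4)]
    return {"hyphen": "-".join(pairs), "colon": ":".join(pairs),
            "dotted": ".".join(quads)}

def rogue_gateway_mac(arp_text, gateway_ip):
    """MAC of the suspect gateway in every notation, or None if not learned."""
    entry = parse_arp(arp_text).get(gateway_ip)
    if entry is None:
        return None  # no ARP entry yet: ping the gateway, then rerun arp -a
    mac, kind = entry
    if kind != "dynamic":
        return None  # static rows (broadcast, multicast) are not a real host
    return mac_notations(mac)

if __name__ == "__main__":
    print(rogue_gateway_mac(SAMPLE_ARP, "10.254.236.1"))
```

Search each switch's MAC table for whichever notation it uses and follow the learned port hop by hop until it lands on an access port.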

2 comments:

  1. Great detective work! I had the same thing a while back...a user had installed a "home" router just to get WiFi coverage. Traced it down through several switches, and confiscated it! (With a bit of attitude too...like, you don't mess with my network dude...I WILL hunt you down!!)

    1. Yeah, what a pain. There should probably be policies against this sort of thing.
