12-15-2022 05:44 AM
Hi everyone. Today we ran into a scenario where someone in our network may have plugged in a router with DHCP enabled, which is interfering with the network's DHCP. We can't go and manually check where the router is, and we don't even have its MAC or any info to look it up using the mac address-table command. I am getting totally confused about how to resolve this.
On the other hand, when mobile devices connect to the APs we are using in the network, they always get the right IP range assigned, but when devices like laptops connect, they get the wrong IP range.
Kindly suggest something.
12-15-2022 05:55 AM
Hey,
My first step is the following command:
Note this command should not be run on any ports that you currently have set up as "trunk"
Switch(config)# interface range <ports>
Switch(config-if-range)# spanning-tree bpduguard enable
If I am not mistaken, that will stop the rogue DHCP server. Of course, you do not want to enter this command on the legit DHCP server port either.
If this helped solve your problem, please don't forget to take the time and mark it as a solution. It not only helps me grow, it helps others who may also have a similar question to know that the provided response may be their answer as well.
12-15-2022 01:58 PM
The router is spitting out IP addresses, right?
Go to the core router/switch and pull up the ARP table and filter out the IP addresses the rogue router is pushing. Trace the MAC addresses from there.
Bring a big stick.
12-16-2022 11:51 AM
On the router, configure an ACL that permits UDP 67 for DHCP with log.
The log will give you the IP of the rogue host, and from there you can find the MAC address and the interface connected to it.
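Added example, not part of any post in this thread: the IP-to-MAC-to-port trace described in the last two replies, done as a script over saved `show ip arp` and `show mac address-table` output. The sample output, the legitimate scope 10.10.20.0/24 and the function name `trace_rogue` are constructed assumptions, and it assumes the device actually holds ARP entries for the rogue range.

```python
import ipaddress
import re

# Constructed sample output in Cisco IOS layout, not captured from a real device.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.20.1              -   0011.2233.4401  ARPA   Vlan20
Internet  10.10.20.57            12   0011.2233.4457  ARPA   Vlan20
Internet  192.168.1.1             3   a4b1.c2d3.e4f5  ARPA   Vlan20
Internet  192.168.1.101           1   5c26.0a11.22bb  ARPA   Vlan20
"""
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4457    DYNAMIC     Gi1/0/3
  20    a4b1.c2d3.e4f5    DYNAMIC     Gi1/0/14
  20    5c26.0a11.22bb    DYNAMIC     Gi1/0/22
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# ARP row: Internet <ip> <age> <mac> ARPA <interface>
ARP_RE = re.compile(rf"^Internet\s+(\S+)\s+\S+\s+({MAC})\s+ARPA\s+(\S+)", re.M | re.I)
# MAC table row: <vlan> <mac> <type> <port>
CAM_RE = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+(\S+)", re.M | re.I)


def trace_rogue(arp_text, mac_text, legit_nets):
    """Return [(ip, mac, port)] for ARP entries outside the legitimate DHCP scopes."""
    legit = [ipaddress.ip_network(n) for n in legit_nets]
    ports = {m.group(2).lower(): m.group(3) for m in CAM_RE.finditer(mac_text)}
    hits = []
    for m in ARP_RE.finditer(arp_text):
        ip = ipaddress.ip_address(m.group(1))
        mac = m.group(2).lower()
        if not any(ip in net for net in legit):
            # MAC not in this switch's table: repeat the lookup on the next switch.
            hits.append((str(ip), mac, ports.get(mac, "unknown")))
    return hits


if __name__ == "__main__":
    for ip, mac, port in trace_rogue(SHOW_IP_ARP, SHOW_MAC_TABLE, ["10.10.20.0/24"]):
        print(f"{ip:<16}{mac:<16}{port}")
```

A port that turns out to be an uplink means the MAC was learned through another switch, so the same lookup is repeated there until an access port is reached.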