10-06-2023 04:15 AM
Some oddity I encountered today.
I installed and ran Wireshark on a Windows server that is connected to a WS-C2950G-48-EI port.
The port is in access mode with a VLANx other than VLAN1.
Scattered across the LAN are multiple CBS350's.
All our switches are in a separate management VLANy.
So as I was starting to troubleshoot some DHCP stuff using Wireshark, all of a sudden I noticed DHCP Discover messages coming in from those CBS350's. Upon which the server, running DHCP, sent offers. No further communication between the two.
So just two frames/packets per discover and that for each CBS350; repeated every 12 seconds.
Looking into the frames, the host name (option 12) revealed the sources, i.e. the CBS350's in our network.
Looking deeper, the origination MAC addresses are the ones from the CBS350's VLAN 1 interface.
VLAN 1 however is not used in our network, but was left configured default on the CBS350, hence apparently trying DHCP requests every 12 seconds.
I can easily stop those VLAN 1 interfaces from requesting IP via DHCP by setting the interface to no ip address dhcp.
BUT, how is it possible that VLAN 1 DHCP Discovers are captured on an access port in a totally different VLAN?
Anyone have a clue?
Regards
Koen
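The pattern described in the post above (Discover, Offer, nothing further, repeating per device, with option 12 and the client MAC identifying the sender) can be picked out of a capture programmatically. This is an added example, not part of the original thread: it parses raw DHCP UDP payloads and lists clients that keep sending Discover without ever sending a Request. The MAC addresses, host names and timestamps are constructed sample data, and the function names are hypothetical.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def parse_dhcp(payload):
    """Return (message_type, client_mac, hostname) from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    mac = payload[28:28 + min(payload[2], 16)].hex(":")  # chaddr, hlen bytes long
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(53, b"")[:1] or b"\x00"             # option 53 = message type
    return mtype[0], mac, opts.get(12, b"").decode("ascii", "replace")

def discover_only_clients(events, min_repeats=3):
    """Map MAC -> (hostname, mean seconds between Discovers) for clients that
    repeat Discover (type 1) but never send a Request (type 3)."""
    seen = defaultdict(lambda: {"host": "", "times": [], "requested": False})
    for ts, payload in events:
        mtype, mac, host = parse_dhcp(payload)
        if mtype == 1:
            seen[mac]["times"].append(ts)
            seen[mac]["host"] = host or seen[mac]["host"]
        elif mtype == 3:
            seen[mac]["requested"] = True
    result = {}
    for mac, rec in seen.items():
        t = rec["times"]
        if len(t) >= max(min_repeats, 2) and not rec["requested"]:
            result[mac] = (rec["host"], (max(t) - min(t)) / (len(t) - 1))
    return result

def build(mtype, mac, hostname=b""):
    """Build a minimal DHCP payload (constructed sample data, not a capture)."""
    hdr = struct.pack("!4BI2H16s16s192s", 1, 1, 6, 0, 0x1234, 0, 0, b"", mac, b"")
    opts = bytes([53, 1, mtype]) + (bytes([12, len(hostname)]) + hostname if hostname else b"")
    return hdr + MAGIC + opts + b"\xff"

SW, PC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
SAMPLE = sorted([(t, build(1, SW, b"switch-a")) for t in (0, 12, 24)]
                + [(t + 0.1, build(2, SW)) for t in (0, 12, 24)]
                + [(30, build(1, PC, b"pc-1")), (30.2, build(3, PC, b"pc-1"))])
print(discover_only_clients(SAMPLE))
```

Any MAC it reports that belongs to a device with no business in the captured VLAN is a sign that the two broadcast domains are joined somewhere.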
10-06-2023 05:30 AM
I think I have figured it out.
Somewhere in our network a VLAN 1 access port is physically hooked into an access port within the server's VLANx.
On to the hunt for those ports.
10-13-2023 11:20 PM
Hello
Enable DHCP snooping on all L2 access switches - only trusting the uplinks towards your DHCP server