Finding Rogue DHCP Server at Remote Site

NPT_2
Level 2

Is there a way to configure either a switch or a router at a small remote site to find rogue DHCP servers such as a user plugging in a home wireless router that issues IP addresses to clients?  

I know we could configure DHCP Snooping to only allow DHCP broadcasts from a particular MAC address (in this case we issue legitimate DHCP addresses from the remote site's 3845 router); however, I would be happier to be able to just determine a particular switch port that has a rogue DHCP server on it and shut it down.

Is there an easy way to do this?  

The basic configuration of a typical remote site would be something like this:

Headquarters-----------------------RemoteCiscoRouter-------------CiscoSwitch--------------------CiscoSwitch-------------CiscoSwitch

Typically, remote routers would be 2800 or 3800 series (acting as the gateway and DHCP server), and the switches vary but could be 3550, 2960, or similar switches. The remote sites are on a single layer 2 VLAN/subnet.

What do you think?  


Deepak Kumar
VIP Alumni

Hi,

We have the following solution for your issue:

1. Configure DHCP Snooping

2. Use a third-party tool, such as Microsoft's

Solution 1: You know about DHCP Snooping configuration, but maybe you have some limitation, so you don't want to use it.

Solution: Please use the "DHCPLOC Utility" to find the fake DHCP server and check the ARP and MAC address. After that, you will find the port number.

Reference URL: https://gallery.technet.microsoft.com/DHCPLOC-Utility-34262d82

https://www.symantec.com/connect/downloads/detect-rogue-dhcp-servers-network

Regards,

Deepak Kumar

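The "check ARP and MAC address, then find the port" step from the reply above, as an added example that is not part of the original thread: it resolves a DHCP server IP to a MAC using `show ip arp` output from the site router, then to a port using `show mac address-table` output from a switch. The addresses and command output are constructed samples, and treating a port with several learned MACs as an uplink is an assumption of this sketch.

```python
import re
from collections import Counter

# Constructed sample output (not from the original post).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.30.1              -   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  10.20.30.57             2   001a.2b3c.4d5e  ARPA   GigabitEthernet0/0
Internet  10.20.30.101           14   0022.aaaa.0001  ARPA   GigabitEthernet0/0
"""
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/1
   1    001a.2b3c.4d5e    DYNAMIC     Fa0/7
   1    0022.aaaa.0001    DYNAMIC     Gi0/2
   1    0022.aaaa.0002    DYNAMIC     Gi0/2
   1    0022.aaaa.0003    DYNAMIC     Gi0/2
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ARP_RE = re.compile(rf"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+({MAC})\s", re.I | re.M)
CAM_RE = re.compile(rf"^\s*(\d+)\s+({MAC})\s+\S+\s+(\S+)\s*$", re.I | re.M)

def parse_arp(text):
    """IP -> MAC from 'show ip arp' output."""
    return {ip: mac.lower() for ip, mac in ARP_RE.findall(text)}

def parse_cam(text):
    """List of (vlan, mac, port) from 'show mac address-table' output."""
    return [(int(v), m.lower(), p) for v, m, p in CAM_RE.findall(text)]

def locate(server_ip, arp_text, cam_text):
    """Map a DHCP server IP to the switch port where its MAC was learned."""
    mac = parse_arp(arp_text).get(server_ip)
    if mac is None:
        return {"ip": server_ip, "mac": None, "port": None, "verdict": "no ARP entry"}
    cam = parse_cam(cam_text)
    per_port = Counter(port for _, _, port in cam)
    for vlan, entry_mac, port in cam:
        if entry_mac == mac:
            # Several MACs on one port suggests an uplink: repeat on the next switch.
            verdict = "edge port" if per_port[port] == 1 else "uplink, check next switch"
            return {"ip": server_ip, "mac": mac, "port": port, "vlan": vlan, "verdict": verdict}
    return {"ip": server_ip, "mac": mac, "port": None, "verdict": "MAC not in table"}

if __name__ == "__main__":
    for ip in ("10.20.30.57", "10.20.30.101"):
        print(locate(ip, SHOW_IP_ARP, SHOW_MAC_TABLE))
```

On a chain of switches like the one in the question, an "uplink" verdict means running the same lookup against the next switch's table until an edge port is reached.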