Rogue DHCP

Petty Talamayan
Level 1

We have a 9407 and several small business edge switches. We recently had an issue where we lost internet connection in the whole facility. We started troubleshooting using elimination and were able to identify the switches that created the issue. How do we drill down to find either a rogue DHCP server or DHCP looping?

10 Replies

@Petty Talamayan hi, when you are facing the issue, the easiest way is to check the DHCP server IP on any client PC which has a wrong IP, then trace the MAC address of that rogue DHCP server within the network.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

The problem is that when we reconnect the feed to the switch where the rogue server is located, we lose internet/LAN connection to the whole facility and are unable to issue an ipconfig /renew or /release.

hi @Petty Talamayan when issue occurs, are you getting any IP in the PC?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

We haven’t tried that yet but we believe our core’s ip was taken by the rogue server as we lose internet when we reconnect that switch to the network, the core is our internet gateway.

Hello @Petty Talamayan ,

you should deploy two hosts with static IP address ( manually configured) so that those two are not impacted by the rogue DHCP server.

The long term solution may be DHCP snooping , but you need to verify on the small business switches if they support it.

Hope to help

Giuseppe


When you say two hosts, do you mean two DHCP servers?


We are using Catalyst 1300/1200 as edge switches and they do support IP DHCP snooping; it is also enabled. Do we need to configure ip dhcp snooping trust on the feed ports?


If we change the DHCP server’s IP address, will that help, and does it only impact the statically assigned devices?
Same with the Core/gateway?

Hello @Petty Talamayan ,

Configure DHCP snooping trust only on ports towards the DHCP servers; all other ports are to be left untrusted.

My suggestion was to have at least two host devices with manually set IP addresses, so that you are able to reach them in any case.

The official DHCP servers can be on site or not.

Hope to help

Giuseppe


tinil
Cisco Employee

You can do it with a packet capture:
1. Set up a Wireshark capture on the client machine.
2. Run ipconfig /release followed by ipconfig /renew to force a new DORA process.
3. Look at the DHCP Offer packets:
   - If there is NO DHCP relay: the source MAC and source IP in the OFFER belong to the actual DHCP server.
   - If there is a DHCP relay: the source MAC/IP will be the gateway (relay), so check DHCP Option 54, which shows the real server’s IP.
4. If you see Offer packets that identify an unexpected server (either in the source fields or in Option 54), that is your rogue DHCP server.
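The Option 54 check described in the steps above, as an added example that is not part of the thread and not Cisco's or Wireshark's code. It parses raw DHCP payloads (the UDP payload Wireshark shows as "Bootstrap Protocol"), keeps only OFFER messages, reads the Server Identifier (Option 54) and the relay address (giaddr), and compares the server against an allowlist. The allowlist address 10.0.0.10, the sample offers and their addresses are constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Assumption: the site's legitimate DHCP server(s). Replace with your own.
AUTHORIZED_SERVERS = {"10.0.0.10"}

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
BOOTREPLY = 2
OPT_PAD, OPT_ROUTER, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
MSG_OFFER = 2


@dataclass
class DhcpOffer:
    yiaddr: str            # address being offered to the client
    server_id: str         # Option 54: the real server, even when a relay forwarded it
    giaddr: str            # relay agent address; 0.0.0.0 when no relay is involved
    router: Optional[str]  # Option 3, if present


def parse_options(data: bytes) -> dict:
    """Walk the TLV option area; PAD has no length byte, END stops the walk."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes) -> Optional[DhcpOffer]:
    """Return a DhcpOffer for OFFER messages, None for any other DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts = parse_options(payload[240:])
    if payload[0] != BOOTREPLY or opts.get(OPT_MESSAGE_TYPE) != bytes([MSG_OFFER]):
        return None
    server_id = opts.get(OPT_SERVER_ID)
    if server_id is None or len(server_id) != 4:
        raise ValueError("OFFER without a valid Option 54")
    router = opts.get(OPT_ROUTER)
    return DhcpOffer(
        yiaddr=socket.inet_ntoa(payload[16:20]),
        server_id=socket.inet_ntoa(server_id),
        giaddr=socket.inet_ntoa(payload[24:28]),
        router=socket.inet_ntoa(router[:4]) if router else None,
    )


def classify(payload: bytes, authorized=AUTHORIZED_SERVERS) -> str:
    offer = parse_dhcp(payload)
    if offer is None:
        return "not-an-offer"
    return "authorized" if offer.server_id in authorized else "rogue"


def find_rogue_servers(payloads, authorized=AUTHORIZED_SERVERS) -> set:
    """Set of Option 54 server addresses seen in OFFERs that are not on the allowlist."""
    rogue = set()
    for p in payloads:
        offer = parse_dhcp(p)
        if offer is not None and offer.server_id not in authorized:
            rogue.add(offer.server_id)
    return rogue


def build_offer(yiaddr: str, server_id: str, router: str, giaddr: str = "0.0.0.0") -> bytes:
    """Constructed OFFER for the example; a capture would supply the real bytes."""
    header = bytearray(236)
    header[0], header[1], header[2] = BOOTREPLY, 1, 6       # op, htype=Ethernet, hlen
    header[4:8] = struct.pack("!I", 0x12345678)            # xid (constructed)
    header[16:20] = socket.inet_aton(yiaddr)
    header[24:28] = socket.inet_aton(giaddr)
    opts = bytes([OPT_MESSAGE_TYPE, 1, MSG_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
    opts += bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
    return bytes(header) + DHCP_MAGIC + opts + bytes([OPT_END])


# Constructed sample: one OFFER from the real server via a relay, one from an unknown server.
SAMPLE_OFFERS = [
    build_offer("10.0.0.50", "10.0.0.10", "10.0.0.1", giaddr="10.0.0.1"),
    build_offer("192.168.1.100", "192.168.1.1", "192.168.1.1"),
]

if __name__ == "__main__":
    for p in SAMPLE_OFFERS:
        o = parse_dhcp(p)
        print(f"OFFER {o.yiaddr} server={o.server_id} relay={o.giaddr} router={o.router}: {classify(p)}")
```

In the relayed case the IP header's source is the relay, so the example deliberately ignores it and trusts only Option 54 plus giaddr; on a captured pcap you would feed each DHCP UDP payload to parse_dhcp and collect find_rogue_servers over the whole file.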

pieterh
VIP

>>> we lose internet/lan connection to the whole facility <<<
This looks to me like it is not just a DHCP issue, because clients that already have an IP address should retain their current DHCP address and continue to work.
But the rogue device may use the IP address of the "official" gateway in that VLAN.
Check the logs of the gateway for conflicting IP addresses.

Check the ARP entries at the clients.
If you find multiple MAC addresses for the gateway's IP address, then trace the MAC address back to a switchport.
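The ARP comparison suggested above, as an added example that is not part of the thread. It parses ARP tables gathered from several clients (Windows `arp -a` and Linux `ip neigh` rows are both handled), normalizes the MAC format, and reports any IP, the gateway's in particular, that resolves to more than one MAC across the set of clients. The gateway address 10.0.0.1, the client names and the table contents are constructed for the example.

```python
import re
from collections import defaultdict

GATEWAY_IP = "10.0.0.1"   # assumption: the core's gateway address in this VLAN

# One regex for both formats: an IPv4 address at the start of the row, then the
# first MAC on the row, dash-separated (Windows) or colon-separated (Linux).
_ARP_ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*?"
    r"\b(?P<mac>(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\b"
)


def normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> dict:
    """Map IP -> MAC for one client's ARP output; header and interface lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = _ARP_ROW.search(line)
        if m:
            entries[m.group("ip")] = normalize_mac(m.group("mac"))
    return entries


def find_conflicts(tables: dict) -> dict:
    """IPs that resolve to more than one MAC across clients: ip -> {mac: {clients}}."""
    seen = defaultdict(dict)
    for client, text in tables.items():
        for ip, mac in parse_arp_table(text).items():
            seen[ip].setdefault(mac, set()).add(client)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def gateway_conflict(tables: dict, gateway: str = GATEWAY_IP):
    """The competing MACs for the gateway IP, or None if every client agrees."""
    return find_conflicts(tables).get(gateway)


# Constructed ARP output from three clients; PC-B learned the gateway IP from a
# second device (aa:bb:cc:dd:ee:ff), which is the MAC to trace to a switchport.
SAMPLE_TABLES = {
    "PC-A": """
Interface: 10.0.0.20 --- 0x5
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.10             00-11-22-33-44-66     dynamic
""",
    "PC-B": """
Interface: 10.0.0.21 --- 0x5
  Internet Address      Physical Address      Type
  10.0.0.1              aa-bb-cc-dd-ee-ff     dynamic
  10.0.0.10             00-11-22-33-44-66     dynamic
""",
    "PC-C": """
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.10 dev eth0 lladdr 00:11:22:33:44:66 STALE
""",
}

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_TABLES).items():
        print(f"{ip} has {len(macs)} MACs:")
        for mac, clients in macs.items():
            print(f"  {mac} seen by {sorted(clients)}")
```

The MAC that only a minority of clients report is the one to look up in the switches' MAC address tables; a single client's table cannot show the conflict, since it holds one entry per IP at a time, which is why the example compares tables from several clients.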