This morning I arrived late at the office because of some problems. When I came in, I saw my colleagues trying hard to track down a rogue DHCP server that had been detected in our helpdesk VLAN. All the users in the help desk and call center were getting IP addresses from the rogue DHCP server and could not reach our network. I tried to work out the physical location of the rogue DHCP server but could not find it.
My next thought was to find the MAC address of the rogue DHCP server so that I could block its network access.
I went to one of the affected systems and, from the command prompt, ran "arp -a" followed by the IP address of the rogue DHCP server, as shown below:
C:\>arp -a 192.168.142.2
Interface: 192.168.142.96 --- 0xb
  Internet Address      Physical Address      Type
  192.168.142.2         00-16-35-c1-7f-cc     dynamic
Once I had the MAC address, I logged into the Cisco 3560 switch serving that area. From privileged mode I used the "show mac address-table" command to find the interface behind which the rogue DHCP server was connected.
RRBM-ITD-3560-AS01#sho mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    ffff.ffff.ffff    STATIC      CPU
 129    0000.0c07.ac3a    DYNAMIC     Gi0/52
 129    0002.e356.9cfa    DYNAMIC     Gi0/52
 129    0002.e356.a78f    DYNAMIC     Gi0/39
 129    000e.7fd8.6cff    DYNAMIC     Gi0/7
 129    000f.fe0a.1ff7    DYNAMIC     Gi0/22
 129    0016.35c1.7fcc    DYNAMIC     Gi0/36
 129    000f.fe6f.5d5c    DYNAMIC     Gi0/52
 129    000f.fe6f.5e46    DYNAMIC     Gi0/52
 129    000f.fe93.d890    DYNAMIC     Gi0/8
 129    000f.fe93.fcb0    DYNAMIC     Gi0/7
 129    000f.fe93.fcb8    DYNAMIC     Gi0/52
 129    000f.fe96.0920    DYNAMIC     Gi0/38
 129    000f.fe96.5478    DYNAMIC     Gi0/52
The MAC address 0016.35c1.7fcc (the same address the ARP cache showed as 00-16-35-c1-7f-cc) was learned on Gi0/36. Having found the interface to which the rogue DHCP server was connected, I disabled that interface on the Cisco 3560 switch.
RRBM-ITD-3560-AS01# configure t
Enter configuration commands, one per line. End with CNTL/Z.
RRBM-ITD-3560-AS01(config)#interface gigabitEthernet 0/36
RRBM-ITD-3560-AS01(config-if)#description ROUGE DHCP
To prevent this from happening again, I configured DHCP snooping on the Cisco 3560 switch.
After careful inspection we found that the rogue DHCP server was running in a virtual machine: one of our aspiring professionals was testing Active Directory and DHCP services on a virtual Windows 2003 Server.
Whenever you come across this kind of situation, don't panic; just troubleshoot the problem in a systematic way. By following a few simple steps you can eliminate this problem.
The key steps
Step 1 - Find the MAC address from an affected PC using "arp -a" followed by the IP address of the rogue DHCP server.
Step 2 - Log into your switch and find the interface to which the rogue DHCP server is connected with "show mac address-table" (Cisco IOS switches). If the port carries many MAC addresses it is probably an uplink, so repeat the lookup on the switch behind it.
Step 3 - Disable the interface connected to the rogue DHCP server on your switch with "shutdown" (Cisco IOS switches).
Step 4 - Take precautions by configuring DHCP snooping in your network.
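Steps 1 and 2 done in code, as an added example that is not part of the original post: it normalizes the Windows ARP MAC format (00-16-35-c1-7f-cc) to Cisco's dotted format (0016.35c1.7fcc) so the two can be compared, locates the port in the "show mac address-table" output, and counts MACs per port so an uplink can be told apart from an access port. The sample output is constructed from the sessions above.

```python
import re

# Constructed sample input, trimmed from the "arp -a" and "show mac address-table" sessions above.
ARP_OUTPUT = """\
Interface: 192.168.142.96 --- 0xb
  Internet Address      Physical Address      Type
  192.168.142.2         00-16-35-c1-7f-cc     dynamic
"""

MAC_TABLE_OUTPUT = """\
 All    0100.0ccc.cccc    STATIC      CPU
 129    0000.0c07.ac3a    DYNAMIC     Gi0/52
 129    0002.e356.9cfa    DYNAMIC     Gi0/52
 129    0016.35c1.7fcc    DYNAMIC     Gi0/36
 129    000f.fe6f.5d5c    DYNAMIC     Gi0/52
"""

def normalize_mac(mac):
    """Return the 12 hex digits of a MAC in lower case, whatever separator style was used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def mac_for_ip(arp_output, ip):
    """Return the normalized MAC the affected PC's ARP cache holds for the given IP, or None."""
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ip:
            return normalize_mac(fields[1])
    return None

def parse_mac_table(mac_table_output):
    """Yield (vlan, normalized_mac, port) for each learned entry in the switch output."""
    for line in mac_table_output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] in ("DYNAMIC", "STATIC"):
            yield fields[0], normalize_mac(fields[1]), fields[3]

def ports_for_mac(mac_table_output, mac):
    """Return the (vlan, port) pairs on which the given MAC was learned."""
    wanted = normalize_mac(mac)
    return [(vlan, port) for vlan, m, port in parse_mac_table(mac_table_output) if m == wanted]

def macs_per_port(mac_table_output):
    """Count learned MACs per port; a port with many MACs is likely an uplink to another switch."""
    counts = {}
    for _, _, port in parse_mac_table(mac_table_output):
        counts[port] = counts.get(port, 0) + 1
    return counts
```

A port holding only the rogue server's MAC is the access port to shut down; if the MAC lands on a port that also carries many other MACs, run the same lookup on the switch behind that uplink.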