Today morning I was late to arrive at my office due to some problems, when I came I saw my colleagues were trying hard to figure out the rouge DHCP server detected in our helpdesk VLAN. All our users in the help desk and call center were getting an IP address from the Rouge DHCP server and they were not able to access our Network. I tried to figure out the physical location of the rouge DHCP server but I failed to find.

Immediately I thought let me figure out the Mac address of the rouge DHCP server so that I can block its network access.

I went one of the affected systems and from the command prompt; I used the “arp –a followed by the rouge DHCP server as show below

C:\>arp -a 192.168.142.2

Interface: 192.168.142.96 — 0xb

  Internet Address      Physical Address      Type

  192.168.142.2           00-16-35-c1-7f-cc     dynamic

Once I got the Mac address, immediately I logged into a Cisco 3560 Switch connected in that area. From the privilege mode I used “show mac-address table” command to figure out the interface in which the rouge DHCP is connected.

RRBM-ITD-3560-AS01#sho mac address-table

          Mac Address Table

——————————————-

Vlan    Mac Address       Type        Ports

—-    ———–       ——–    —–

 All    0100.0ccc.cccc    STATIC      CPU

 All    0100.0ccc.cccd    STATIC      CPU

All    ffff.ffff.ffff    STATIC      CPU

 129    0000.0c07.ac3a    DYNAMIC     Gi0/52

 129    0002.e356.9cfa    DYNAMIC     Gi0/52

 129    0002.e356.a78f    DYNAMIC     Gi0/39

 129    000e.7fd8.6cff    DYNAMIC     Gi0/7

 129    000f.fe0a.1ff7    DYNAMIC     Gi0/22

 129    0016.35c1.7fcc  DYNAMIC     Gi0/36

 129    000f.fe6f.5d5c    DYNAMIC     Gi0/52

 129    000f.fe6f.5e46    DYNAMIC     Gi0/52

 129    000f.fe93.d890    DYNAMIC     Gi0/8

 129    000f.fe93.fcb0    DYNAMIC     Gi0/7

 129    000f.fe93.fcb8    DYNAMIC     Gi0/52

 129    000f.fe96.0920    DYNAMIC     Gi0/38

 129    000f.fe96.5478    DYNAMIC     Gi0/52

RRBM-ITD-3560-AS01#

Once I detected the interface to which the rouge DHCP sever connected, I disabled the interface in the Cisco 3560 Switch.

RRBM-ITD-3560-AS01# configure t

Enter configuration commands, one per line.  End with CNTL/Z.

RRBM-ITD-3560-AS01(config)#interface gigabitEthernet 0/36

RRBM-ITD-3560-AS01(config-if)#shutdown

RRBM-ITD-3560-AS01(config-if)#description ROUGE DHCP

RRBM-ITD-3560-AS01(config-if)#exit

RRBM-ITD-3560-AS01#

To prevent this from happening I configured the DHCP snooping in the Cisco 3560 Switch.

After careful inspection we figured out the rouge DHCP sever was running in a Virtual Machine, one of our aspiring professional was testing Active directory and DHCP services in a Virtual Windows 2003 Server.

Whenever you come across this kind of situation doesn’t panic just try to troubleshoot the problem in a systematic way. Just by following few simple steps you can eliminate this problem.

The keys steps

Step 1 – Figure out the MAC address using the “arp –a” followed by ip address of the rouge DHCP server from the affected PC.

Step 2- Log into your Switch and figure out the interface to which the rouge DHCP server is connected “Show mac-address table” (Cisco IOS Switches).

Step 3- Disable the interface connected to the rouge DHCP server in your Switch “shutdown” (Cisco IOS Switches).

Step 4 – Take precaution by configuring DHCP snooping in your Network.