Tuesday 1 December 2020

HOW TO FIND A ROGUE DHCP SERVER ON YOUR NETWORK


Symptoms: Some clients are unable to connect to the internet or LAN. Some clients report a different IP address, subnet mask and default gateway compared to others.

 


 

Diagnosis:

 

1. Allow a PC or laptop to get an IP address from the rogue DHCP server.

2. Once you've got an IP from the rogue DHCP server, look at the Ethernet adapter's status and get the IP of the default gateway. For this example, we'll call it 192.168.0.1.

3. On the switch, this subnet should not exist, so locating the rogue DHCP server by IP address is difficult.

4. Ping the default gateway for a few seconds. We need to do this to populate the ARP table.

5. In a PC Cmd/Terminal window, run the command to view the ARP table. On Windows, this is `arp -a`.

What you're looking for is the mapping between the IP address and the Physical (MAC) address.

 

IP address       Physical Address
192.168.0.1      e8cc.1840.2600

6. Go to an online MAC address lookup site and paste in the Physical/MAC address you found for the rogue. This will tell you who made the device.

7. Start a MAC trace from the switch to identify the switch and port where the rogue DHCP server is connected. Shut down the port, then check again whether the laptop can still reach the rogue DHCP server, and check the status of the NIC's IP address as well.
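The hand-off from step 5 to steps 6 and 7, as an added example that is not part of the original post: Windows `arp -a` prints the gateway's MAC as e8-cc-18-40-26-00, while the table above shows the dotted form e8cc.1840.2600, so this Python helper parses ARP output, picks out the gateway entry, and renders its MAC in each notation along with the OUI for the vendor lookup. The sample ARP output is constructed, the function names are hypothetical, and the dotted form is assumed to be what the switch CLI expects.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real host).
SAMPLE_ARP = """\
Interface: 192.168.0.57 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           e8-cc-18-40-26-00     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

# Six groups of two hex digits (Windows/Linux) or three groups of four (dotted).
MAC_RE = re.compile(
    r"\b((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_arp(text):
    """Return {ip: 12-hex-digit MAC} for every line holding an IPv4 and a MAC."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = re.sub(r"[^0-9a-f]", "", mac.group(1).lower())
    return table

def describe(mac12):
    """Render one MAC in the notations the procedure needs, plus its OUI."""
    pairs = [mac12[i:i + 2] for i in range(0, 12, 2)]
    return {
        "windows": "-".join(pairs),
        "colon": ":".join(pairs),
        "dotted": ".".join(mac12[i:i + 4] for i in range(0, 12, 4)),
        "oui": mac12[:6].upper(),
        # Bit 0x02 of the first octet marks a locally administered address
        # (VM, randomised or manually set); a vendor lookup on it tells you nothing.
        "locally_administered": bool(int(pairs[0], 16) & 0x02),
    }

def gateway_report(arp_text, gateway_ip):
    """Look up the rogue gateway's entry and describe its MAC."""
    table = parse_arp(arp_text)
    if gateway_ip not in table:
        raise LookupError(f"{gateway_ip} not in ARP table; ping it first (step 4)")
    return describe(table[gateway_ip])

if __name__ == "__main__":
    for key, value in gateway_report(SAMPLE_ARP, "192.168.0.1").items():
        print(f"{key:21} {value}")
```

If `locally_administered` comes back true, skip the vendor lookup in step 6 and go straight to the MAC trace on the switch.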

Solution:

Enable DHCP snooping to prevent rogue DHCP servers.


