Locating a rogue DHCP server?

I have a device (probably a Linksys router) somewhere on my network sending out 192.168.1.x addresses via DHCP. Is there a command available on Cisco switches that can easily locate which port these answers are coming from? I do not have DHCP snooping on yet.

-Bob

Reply to
Bob

Assuming you know the VLAN that the rogue server is on, try using a port scanner for UDP port 68, which is the port used by DHCP servers.

Reply to
Merv

Maybe you could:

Search for Linksys MAC address prefixes (OUI lookup), then use this information on your switch (IOS?):

show mac-address-table | include ...

Regards, Markus

Reply to
Markus Marquardt

Bob wrote:

The best way to do it is to examine the DHCP server IP address seen by a client that received an address from the rogue server. Then ARP that IP address so you have its MAC address.

Then on the Cisco switches you can do a "show mac-address-table" to find which port it is on.

-SAto

Reply to
SAto

It's a good idea except that LinkSys also makes NICs. An L2 filter on LinkSys OUIs would catch valid users with LinkSys NICs.

I've had to deal with this problem before as well. I was on a flat network of about 3000 nodes including multiple dorms. I used EtherPeek to monitor for DHCP server traffic from an IP other than our 2 known DHCP servers. The action of that trigger was an email alert. When I'd get an alert I'd pull the bogus DHCP server's MAC from the ARP table and dig through the SAT tables (Cabletron for CAM or MAC table) for the offending NIC.

The best solution is to apply an ingress ACL on all access-layer interfaces that blocks UDP packets with a source port of 67. Then you don't have to worry about that user affecting the entire broadcast domain.

J
Reply to
J
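The monitoring J describes (flag DHCP server replies whose server identifier is not one of the known servers, then take the sender's MAC to the switch's MAC table), as an added example that is not code from this thread. It parses raw DHCP payloads per RFC 2131; the known-server addresses, the frames and the MACs are constructed sample values.

```python
import socket
import struct

KNOWN_DHCP_SERVERS = {"10.0.0.5", "10.0.0.6"}  # assumed: the site's two real servers
DHCP_OFFER, DHCP_ACK = 2, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value} from a raw DHCP payload (RFC 2131 layout:
    236-byte fixed header, magic cookie, then TLV options ending in code 255)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:  # pad option carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def find_rogue_servers(frames):
    """frames: (ethernet_src_mac, dhcp_payload) pairs captured on UDP 67 -> 68.
    Returns [(mac, server_id)] for every OFFER/ACK whose server identifier
    (option 54) is unknown. If a relay sits in between, the MAC is the relay's."""
    rogues = []
    for src_mac, payload in frames:
        opts = parse_dhcp_options(payload)
        if opts.get(53, b"\0")[0] in (DHCP_OFFER, DHCP_ACK) and 54 in opts:
            server_id = socket.inet_ntoa(opts[54])
            if server_id not in KNOWN_DHCP_SERVERS:
                rogues.append((src_mac, server_id))
    return rogues


def cisco_mac(mac: str) -> str:
    """'00:1a:2b:3c:4d:5e' -> '001a.2b3c.4d5e', the IOS mac-address-table format."""
    h = mac.replace(":", "").replace("-", "").lower()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def build_reply(msg_type: int, server_id: str) -> bytes:
    """Constructed sample reply: op=2, htype=1, hlen=6, rest of header zeroed."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + b"\0" * 232
    options = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_id) + b"\xff"
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    sample = [("00:1a:2b:3c:4d:5e", build_reply(DHCP_OFFER, "10.0.0.5")),    # legitimate
              ("00:13:10:aa:bb:cc", build_reply(DHCP_OFFER, "192.168.1.1"))]  # constructed rogue
    for mac, server in find_rogue_servers(sample):
        print(f"rogue DHCP server {server} at {mac}: show mac-address-table address {cisco_mac(mac)}")
```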

The damage will already have been done on a layer 2 switch

Reply to
Merv

That's what I needed guys. Thanks.

The branch is remote, so setting up Sniffer or EtherPeek isn't an option. Using what's built into the Cisco switches is best.

Reply to
Bob

What are the router and switch models and IOS versions at the remote site?

Reply to
Merv

If there is a router at the remote site, then a filtered debug might provide the required info:

access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps

debug ip packet 101

Reply to
Merv

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.