How? Rogue DHCP detected by downstream switch

Miyo360
Getting noticed

How? Rogue DHCP detected by downstream switch

Hi,

 

I have an MX64 serving a small, remote office with three VLANs;

 

VLAN 1, MX IP = 192.168.1.1, DHCP enabled

VLAN 10, MX IP = 10.10.10.1, DHCP enabled

VLAN 23, MX IP = 192.168.23.1, DHCP enabled

 

MX Port 1 setup as trunk port, Native = 1, allowed = 10

MX Port 2 setup as access port, VLAN 23

 

Plugged into each MX port is a Unifi Switch with DHCP guarding enabled.

 

MX Port 1: switch guard allows DHCP requests only for 192.168.1.1 & 10.10.10.1

MX Port 2: switch guard allows DHCP requests only for 192.168.23.1

 

I got an alert on the Unifi switch plugged into MX port 1, that a rogue DHCP server was detected at 192.168.23.1 on VLAN 1. This DHCP server is of course the MX interface IP for that VLAN.

 

How can this happen? I have my MX firewall configured to deny all traffic to/from all these VLANs, so how can the switch on port 1 even detect a DHCP server on another VLAN if everything is blocked?

 

What am I missing? Thanks in advance.

6 Replies 6
dalmiroy2k
Getting noticed

VLAN 1 is usually reserved for Meraki Management. I had the same problem with MR33, that it could still connect to VLAN 1 when it shouldn't. Can you reconfigure VLAN 1 to something else, like VLAN 2? 

Miyo360
Getting noticed

@dalmiroy2k Good suggestion. I have made this change, so I'll monitor it.
 

 

Miyo360
Getting noticed

Despite changing the default VLAN to 2, this hasn't solved this problem as I just got another alert. I have now raised a case with Meraki support, who were equally as stumped. Because the Unifi switch is blocking the DHCP request, the MX isn't reporting anything helpful in the Event Log. A case has been created and I will watch for the next alert to try to establish activity around that time (clients arriving, joining the network, leaving, new devices plugged in, etc).

 

I have also turned on remote syslogging for the Unifi switch, so this will hopefully help identify what is happening. I'll update this topic when I have more to share.

BrechtSchamp
Kind of a big deal

Strange. Maybe the MX is using the 23.1 address of the highest VLAN for the DHCP server identification for the DHCP Offers sent to the 1 and 10 VLAN and is that what the Unifi switch is telling you instead of the actual L3 source address it saw on the packets.

 

If I were you I'd take a packet capture on your unifi switch connected to MX port 1. I would want to see the details of that DHCP request.

SoCalRacer
Kind of a big deal

Make sure the DHCP is turned off on the unifi switch. Also best practice would be to change your 192.168.1.0 to 192.168.10.0. reason being is that alot of home wifi or public wifi is in that subnet. We have seen the issue with Macbooks more on the VPN, but they will resolve 192.168.1.0 to a local IP rather than the VPN subnet, if the MX default is 192.168.1.0.

Miyo360
Getting noticed

@SoCalRacer Thanks. DHCP is turned off on the Unifi Switches. The IP address is not exactly 192.168.1.0 as I described - I just simplified it to that for my explanation, but thanks for the reminder about using such a common subnet.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels