
How? Rogue DHCP detected by downstream switch

Getting noticed

Hi,

I have an MX64 serving a small, remote office with three VLANs:

VLAN 1, MX IP = 192.168.1.1, DHCP enabled

VLAN 10, MX IP = 10.10.10.1, DHCP enabled

VLAN 23, MX IP = 192.168.23.1, DHCP enabled

MX Port 1 setup as trunk port, Native = 1, allowed = 10

MX Port 2 setup as access port, VLAN 23

Plugged into each MX port is a Unifi Switch with DHCP guarding enabled.

MX Port 1: switch guard allows DHCP requests only for 192.168.1.1 & 10.10.10.1

MX Port 2: switch guard allows DHCP requests only for 192.168.23.1

I got an alert on the Unifi switch plugged into MX port 1, that a rogue DHCP server was detected at 192.168.23.1 on VLAN 1. This DHCP server is of course the MX interface IP for that VLAN.

How can this happen? I have my MX firewall configured to deny all traffic to/from all these VLANs, so how can the switch on port 1 even detect a DHCP server on another VLAN if everything is blocked?

What am I missing? Thanks in advance.

Getting noticed

Re: How? Rogue DHCP detected by downstream switch

VLAN 1 is usually reserved for Meraki Management. I had the same problem with MR33, that it could still connect to VLAN 1 when it shouldn't. Can you reconfigure VLAN 1 to something else, like VLAN 2? 

Getting noticed

Re: How? Rogue DHCP detected by downstream switch

@dalmiroy2k Good suggestion. I have made this change, so I'll monitor it.

Getting noticed

Re: How? Rogue DHCP detected by downstream switch

Despite changing the default VLAN to 2, this hasn't solved the problem, as I just got another alert. I have now raised a case with Meraki support, who were equally stumped. Because the Unifi switch is blocking the DHCP request, the MX isn't reporting anything helpful in the Event Log. A case has been created and I will watch for the next alert to try to establish activity around that time (clients arriving, joining the network, leaving, new devices plugged in, etc.).
I have also turned on remote syslogging for the Unifi switch, so this will hopefully help identify what is happening. I'll update this topic when I have more to share.

Kind of a big deal

Re: How? Rogue DHCP detected by downstream switch

Strange. Maybe the MX is using the 23.1 address of the highest VLAN as the DHCP server identifier in the DHCP Offers sent to VLANs 1 and 10, and that is what the Unifi switch is telling you, instead of the actual L3 source address it saw on the packets.
If I were you I'd take a packet capture on your unifi switch connected to MX port 1. I would want to see the details of that DHCP request.
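When reading that capture, the thing to compare is the IP-header source of the Offer against the DHCP Server Identifier (option 54) inside it, since a guard keyed on option 54 would report a different address than one keyed on the L3 source. The following is an added Python example, not code from this thread or from Meraki or Ubiquiti: it constructs a minimal DHCPOFFER payload and models a per-VLAN guard decision that checks both values against the allowed-server list from the original post.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that starts the options field

def build_offer(yiaddr, server_id):
    """Construct a minimal DHCPOFFER (BOOTP header + options) for testing.
    Only the fields the check needs are populated; the rest are zero."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0,            # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
                      0x12345678, 0, 0,      # xid, secs, flags (constructed values)
                      b"\0" * 4,             # ciaddr
                      socket.inet_aton(yiaddr),
                      b"\0" * 4, b"\0" * 4,  # siaddr, giaddr
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    opts = (b"\x35\x01\x02"                              # option 53: message type = OFFER
            + b"\x36\x04" + socket.inet_aton(server_id)  # option 54: server identifier
            + b"\xff")                                   # option 255: end
    return hdr + MAGIC_COOKIE + opts

def parse_options(payload):
    """Return {code: raw_value} for the DHCP options; skips pad (0), stops at end (255)."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad magic cookie)")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        code = payload[i]
        if code == 0:
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def guard_check(l3_src, payload, allowed_servers):
    """Model a DHCP-guard decision on one VLAN: is the IP-header source allowed,
    and is the option 54 server identifier allowed? Returns None for non-server messages."""
    opts = parse_options(payload)
    msg_type = opts.get(53, b"\0")[0]
    if msg_type not in (2, 5):  # only OFFER (2) and ACK (5) identify a server
        return None
    server_id = socket.inet_ntoa(opts[54]) if 54 in opts else None
    return {
        "l3_src": l3_src,
        "server_id": server_id,
        "l3_src_allowed": l3_src in allowed_servers,
        "server_id_allowed": server_id in allowed_servers,
    }
```

Run against an Offer that arrived from 192.168.1.1 but carries 192.168.23.1 in option 54, the result shows which of the two checks would raise the "rogue server at 192.168.23.1" alert.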

Kind of a big deal

Re: How? Rogue DHCP detected by downstream switch

Make sure DHCP is turned off on the Unifi switch. Also, best practice would be to change your 192.168.1.0 to 192.168.10.0, the reason being that a lot of home Wi-Fi or public Wi-Fi is in that subnet. We have seen the issue with MacBooks more on the VPN, but they will resolve 192.168.1.0 to a local IP rather than the VPN subnet if the MX default is 192.168.1.0.

Getting noticed

Re: How? Rogue DHCP detected by downstream switch

@SoCalRacer Thanks. DHCP is turned off on the Unifi switches. The IP address is not exactly 192.168.1.0 as I described; I just simplified it to that for my explanation, but thanks for the reminder about using such a common subnet.
