New DHCP Server Detected

Solved
GFrazier
Building a reputation

New DHCP Server Detected

Received an alert that a new DHCP server was detected.
It is a device that connected to the network via Wi-Fi... There are 3 SSIDs - the device is connected via one SSID that is on a specific VLAN, but the "new DHCP server" was given a different VLAN ID which is a duplicate to an existing VLAN.

 

There is a policy setting in the DHCP Server Configurations that allows or denies DHCP servers...

 

Would setting this to "Deny" affect the DHCP servers configured on the Firewall or does this only apply to end-devices that connect to the LAN?

Or should I just block that particular DHCP Server??

 

1.JPG

1 Accepted Solution
GiacomoS
Meraki Employee
Meraki Employee

Hey @GFrazier , 

I 100% endorse @BlakeRichardson 's suggestion. It's always good practice to grab a packet capture to ascertain whether what you are seeing reflects the actual packets traversing a segment of the network. 

 

I'd also add the for best practices it would be good to set  the allowed DHCP servers, instead of trusting them all, to ensure you are protected against rogue servers. KB with best practices is here. Some more info around DHCP on the MS is here

If you do this, make sure you are specifying all the DHCP servers you have in the network in the Allow list, to avoid the situation where clients may end up not getting an address from the right servers. 

 

Hope this helps!

 

Giac

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!

View solution in original post

6 Replies 6
Inderdeep
Kind of a big deal
Kind of a big deal

@GFrazier : Check this thread 

https://community.meraki.com/t5/Switching/New-DHCP-Server-detected/m-p/4850#M340

 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
GFrazier
Building a reputation

@Inderdeep 

 

Thanks... thing with this is there actually is a device that is connected via Wi-Fi that is detected as a DHCP server.

 

3.JPG

@GFrazier  I would run a packet capture on the MR and see if that device is sending DHCP packets or not.

 

From my understanding the policy you are referring to shouldn't block the MX running as a DHCP server its for blocking 3rd party DHCP traffic. 

 

 

GiacomoS
Meraki Employee
Meraki Employee

Hey @GFrazier , 

I 100% endorse @BlakeRichardson 's suggestion. It's always good practice to grab a packet capture to ascertain whether what you are seeing reflects the actual packets traversing a segment of the network. 

 

I'd also add the for best practices it would be good to set  the allowed DHCP servers, instead of trusting them all, to ensure you are protected against rogue servers. KB with best practices is here. Some more info around DHCP on the MS is here

If you do this, make sure you are specifying all the DHCP servers you have in the network in the Allow list, to avoid the situation where clients may end up not getting an address from the right servers. 

 

Hope this helps!

 

Giac

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
GFrazier
Building a reputation

@Inderdeep 

Thanks for the info

 

@BlakeRichardson and @GiacomoS 

Thanks you for clarifying the DHCP Blocking and sending the documents - I will run the packet capture and make the changes.  

Inderdeep
Kind of a big deal
Kind of a big deal

@GFrazier : Good Luck buddy !

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
Get notified when there are additional replies to this discussion.