Security appliance has detected a rogue DHCP server

AndreHTP
Comes here often

Security appliance has detected a rogue DHCP server

Hi there,

 

Once a week we get an alert:

 

The security appliance in the Redacted - appliance network has detected a rogue DHCP server in your network.

A rogue DHCP server was found on VLAN 1 serving addresses with the subnet redacted/24. The server has MAC address redacted and IP redacted

 

The MAC and IP it shows are for a Windows server on the network that is the legitimate DHCP server for the network. The security device itself is set to ignore DHCP requests on VLAN 1. I have checked the DHCP servers & ARP page under switch and the DHCP server is listed there as allowed.

 

I would like to be able to stop these false positives without turning the rogue DHCP detection off completely. Does anyone know of a way to do this? 

6 REPLIES 6
PhilipDAth
Kind of a big deal
Kind of a big deal

Are you sure DHCP (including relay) on the MX is completely disabled on that VLAN?

It doesn't usually falsely alert.

HI @Philip 

 

You can see a screen grab below:

AndreHTP_0-1642408327957.png

 

CptnCrnch
Kind of a big deal
Kind of a big deal

Does the specified IP really match the IP address? I'd assume that something like teaming is in place that changes the MAC <-> IP binding.

Hi @CptnCrnch 

 

The DHCP server in question is a VM. Neither the VM or it's host server use NIC teaming. I've confirmed the IP and the MAC address in the alert corresponds to the same on the VM.

CptnCrnch
Kind of a big deal
Kind of a big deal

Sorry for the dumb question, but is this server listed as "Allowed"?

https://documentation.meraki.com/MS/Monitoring_and_Reporting/MS_DHCP_Servers#Allowed_DHCP_Servers

@CptnCrnch  there are no dumb questions 🙂

 

I did check this and the server is there with the correct IP, MAC address and hostname.I would post a screenshot but I'd have to redact half of it. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels