Meraki

Community

Security appliance has detected a rogue DHCP server

AndreHTP
Comes here often
‎Jan 14 2022 9:04 AM
‎Jan 14 2022 9:04 AM

Security appliance has detected a rogue DHCP server

Hi there,

 

Once a week we get an alert:

 

The security appliance in the Redacted - appliance network has detected a rogue DHCP server in your network.

A rogue DHCP server was found on VLAN 1 serving addresses with the subnet redacted/24. The server has MAC address redacted and IP redacted

 

The MAC and IP it shows are for a Windows server on the network that is the legitimate DHCP server for the network. The security device itself is set to ignore DHCP requests on VLAN 1. I have checked the DHCP servers & ARP page under switch and the DHCP server is listed there as allowed.

 

I would like to be able to stop these false positives without turning the rogue DHCP detection off completely. Does anyone know of a way to do this? 

0 Kudos
6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 14 2022 1:06 PM
‎Jan 14 2022 1:06 PM

Are you sure DHCP (including relay) on the MX is completely disabled on that VLAN?

It doesn't usually falsely alert.

0 Kudos
In response to PhilipDAth
AndreHTP
Comes here often
‎Jan 17 2022 12:32 AM
‎Jan 17 2022 12:32 AM

HI @Philip 

 

You can see a screen grab below:

AndreHTP_0-1642408327957.png

 

0 Kudos
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jan 15 2022 1:31 PM
‎Jan 15 2022 1:31 PM

Does the specified IP really match the IP address? I'd assume that something like teaming is in place that changes the MAC <-> IP binding.

0 Kudos
In response to CptnCrnch
AndreHTP
Comes here often
‎Jan 17 2022 12:41 AM
‎Jan 17 2022 12:41 AM

Hi @CptnCrnch 

 

The DHCP server in question is a VM. Neither the VM or it's host server use NIC teaming. I've confirmed the IP and the MAC address in the alert corresponds to the same on the VM.

0 Kudos
In response to AndreHTP
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Jan 17 2022 2:30 AM
‎Jan 17 2022 2:30 AM

Sorry for the dumb question, but is this server listed as "Allowed"?

https://documentation.meraki.com/MS/Monitoring_and_Reporting/MS_DHCP_Servers#Allowed_DHCP_Servers

0 Kudos
In response to CptnCrnch
AndreHTP
Comes here often
‎Jan 18 2022 1:04 AM
‎Jan 18 2022 1:04 AM

@CptnCrnch  there are no dumb questions 🙂

 

I did check this and the server is there with the correct IP, MAC address and hostname.I would post a screenshot but I'd have to redact half of it. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.