Hi there,
Once a week we get an alert:
The security appliance in the Redacted - appliance network has detected a rogue DHCP server in your network.
A rogue DHCP server was found on VLAN 1 serving addresses with the subnet redacted/24. The server has MAC address redacted and IP redacted
The MAC and IP it shows are for a Windows server on the network that is the legitimate DHCP server for the network. The security device itself is set to ignore DHCP requests on VLAN 1. I have checked the DHCP servers & ARP page under switch and the DHCP server is listed there as allowed.
I would like to be able to stop these false positives without turning the rogue DHCP detection off completely. Does anyone know of a way to do this?
Are you sure DHCP (including relay) on the MX is completely disabled on that VLAN?
It doesn't usually falsely alert.
Does the specified IP really match the IP address? I'd assume that something like teaming is in place that changes the MAC <-> IP binding.
Hi @CptnCrnch
The DHCP server in question is a VM. Neither the VM nor its host server uses NIC teaming. I've confirmed the IP and the MAC address in the alert correspond to the same on the VM.
Sorry for the dumb question, but is this server listed as "Allowed"?
https://documentation.meraki.com/MS/Monitoring_and_Reporting/MS_DHCP_Servers#Allowed_DHCP_Servers
@CptnCrnch there are no dumb questions 🙂
I did check this and the server is there with the correct IP, MAC address and hostname. I would post a screenshot but I'd have to redact half of it.