Security appliance has detected a rogue DHCP server


Hi there,


Once a week we get an alert:


The security appliance in the Redacted - appliance network has detected a rogue DHCP server in your network.

A rogue DHCP server was found on VLAN 1 serving addresses with the subnet redacted/24. The server has MAC address redacted and IP redacted


The MAC and IP it shows are for a Windows server on the network that is the legitimate DHCP server for the network. The security device itself is set to ignore DHCP requests on VLAN 1. I have checked the DHCP servers & ARP page under switch and the DHCP server is listed there as allowed.


I would like to be able to stop these false positives without turning the rogue DHCP detection off completely. Does anyone know of a way to do this? 


Are you sure DHCP (including relay) on the MX is completely disabled on that VLAN?

It doesn't usually falsely alert.

Hi @Philip


You can see a screen grab below:




Does the specified IP really match the IP address? I'd assume that something like teaming is in place that changes the MAC <-> IP binding.

Hi @CptnCrnch 


The DHCP server in question is a VM. Neither the VM nor its host server uses NIC teaming. I've confirmed the IP and the MAC address in the alert correspond to the same on the VM.


Sorry for the dumb question, but is this server listed as "Allowed"?

@CptnCrnch there are no dumb questions 🙂


I did check this and the server is there with the correct IP, MAC address and hostname. I would post a screenshot but I'd have to redact half of it.
