Troubleshooting Rogue DHCP Servers
Overview
Rogue Dynamic Host Configuration Protocol (DHCP) servers can disrupt any network. This article covers what a rogue DHCP server is and describes the Cisco Meraki features that help you identify and locate the rogue device.
Rogue DHCP
DHCP automatically configures connection information for devices that do not have static IP assignments. Unless specifically configured to work together, multiple DHCP servers can cause clients and network devices to receive conflicting IP addresses, subnet masks, gateway IP addresses, and other network information. This conflict typically appears as groups of clients sporadically losing connection to the internet and other network resources.
This issue most often occurs when users incorrectly attach a device that provides DHCP service to the network, such as connecting a consumer router via a LAN port.
DHCP is a Layer 2 technology and is therefore limited to a single subnet in most cases. The most effective way to track down a rogue server is by its MAC address. Meraki devices provide tools that help you discover and locate the MAC address of a rogue DHCP server.
Troubleshooting rogue DHCP server issues
This section covers how each Cisco Meraki product can help you identify and locate a rogue DHCP server by establishing its MAC address and tracking down its physical location.
Possible causes
The following conditions can cause rogue DHCP server issues:
- Multiple DHCP servers are present on the same network segment without being configured to work together.
- A user incorrectly attaches a device that provides DHCP service to the network, such as connecting a consumer router via a LAN port.
- IP helper addresses (DHCP relay addresses) configured on the MX WAN appliance may cause false-positive "Multiple DHCP servers detected" events in the event log.
Troubleshooting steps
Use one or more of the following methods to identify and locate a rogue DHCP server.
Cisco Meraki MX WAN appliance
- Navigate to Network-Wide > Event Log in the Meraki dashboard.
- Review the event log for a "Multiple DHCP servers detected" message.
- Note the previous DHCP server's IP and MAC address, as well as the newly detected DHCP server's IP and MAC address combination.
MR access point
The access point logs rogue DHCP events only when it is configured to use DHCP, not a static IP address. Confirm this before proceeding.
- Navigate to the event log in the Meraki dashboard.
- Review events for any indication that the access point received responses from more than one DHCP server.
- Note the previous DHCP server's IP and MAC address, as well as the newly detected DHCP server's IP and MAC address.
- Select more >> under the Details column for the relevant event to view full information.

MS switch
- Navigate to Switch > Monitor > DHCP Servers & ARP in the Meraki dashboard.
- Review the list of all DHCP servers detected on the network.
- Examine the detailed information provided about the most recent DHCP acknowledgment to identify any unexpected servers.

For more information on the DHCP Servers & ARP page, refer to MS DHCP Servers.
Client search by MAC address (all Cisco Meraki products)
- Navigate to Network-Wide > Monitor > Clients in the Meraki dashboard.
- Search for the rogue DHCP server using its MAC address or IP address.
- Review the results to find which device the rogue DHCP server is connected to, and identify the physical switch port.
- If the device attached to this port is an end node, that device is most likely the source of the rogue DHCP issue. If the device is not an end node, the source is isolated to that branch of the network and the investigation can continue from there.

Packet capture (all Cisco Meraki products)
- Open the packet capture tool in the Meraki dashboard. For instructions, refer to the packet capture tool documentation.
- Apply the bootp filter in Wireshark to isolate DHCP packets.
- Review the capture output for a typical DHCP handshake between a client and the correct DHCP server.

- If a rogue DHCP server is affecting the network segment, multiple servers will appear responding to the DHCP Discover packet from the client.

- Identify the MAC address of the unexpected server responding to the DHCP Discover.
Note: If the MAC address of the legitimate DHCP server is unknown, obtain it from one of the following sources before proceeding:
- The interface of the DHCP server directly
- The interface of the DHCP relay, if the DHCP server is located on a separate broadcast domain
- Use the identified MAC address of the rogue DHCP server to locate the switch and port to which it is connected, then address that device.
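The comparison of DHCP replies described in the packet capture steps can also be run offline against exported frames. The following Python code is an added example, not Cisco Meraki code: it parses raw Ethernet frames, keeps DHCPOFFER and DHCPACK replies, and lists every responder whose source MAC is not in a known-good set. The function names, MAC addresses, IP addresses, and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options

def parse_reply(frame):
    """Return (xid, source MAC, server identifier) for a DHCPOFFER/DHCPACK, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # need Ethernet + IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:                  # UDP only
        return None
    bootp = ip[ihl + 8:]
    if ip[ihl:ihl + 2] != b"\x00\x43" or bootp[236:240] != MAGIC:  # UDP source port 67
        return None
    opts, i, found = bootp[240:], 0, {}
    while i + 1 < len(opts) and opts[i] != 255:           # 255 = end of options
        if opts[i] == 0:                                  # 0 = pad, has no length byte
            i += 1
            continue
        found[opts[i]] = opts[i + 2:i + 2 + opts[i + 1]]
        i += 2 + opts[i + 1]
    if found.get(53) not in (b"\x02", b"\x05"):           # option 53: 2=OFFER, 5=ACK
        return None
    sid = found.get(54, b"")                              # option 54: server identifier
    server_ip = ".".join(map(str, sid)) if len(sid) == 4 else None
    # Source MAC is the server only on the client's own segment; via a relay it is the relay.
    return bootp[4:8].hex(), frame[6:12].hex(":"), server_ip

def unexpected_servers(frames, known_macs):
    """Map each (MAC, server IP) not in known_macs to the transaction IDs it answered."""
    hits = defaultdict(set)
    for frame in frames:
        reply = parse_reply(frame)
        if reply and reply[1] not in known_macs:
            hits[(reply[1], reply[2])].add(reply[0])
    return dict(hits)

def sample_frame(mac, server_ip, xid):
    """Build a constructed DHCPOFFER frame (test data, not captured traffic)."""
    sid = bytes(map(int, server_ip.split(".")))
    bootp = b"\x02\x01\x06\x00" + xid + bytes(228) + MAGIC + b"\x35\x01\x02\x36\x04" + sid + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, sid, b"\xff" * 4)
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) + b"\x08\x00" + ip + udp

SAMPLE = [sample_frame("02:00:00:00:00:01", "192.168.1.1", b"\xaa\xbb\xcc\xdd"),
          sample_frame("02:00:00:00:00:99", "192.168.0.1", b"\xaa\xbb\xcc\xdd")]
```

Calling `unexpected_servers(SAMPLE, {"02:00:00:00:00:01"})` reports the second responder together with the transaction ID it answered, which gives the MAC address to use in the client search.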

