
Rogue DHCP Server Handing Out Wrong IPs on LAN

Presenting Symptom

Clients on VLAN 10 are receiving IP addresses in the 192.168.20.0/24 subnet instead of the expected 192.168.10.0/24, causing connectivity issues.

Network Context

A small branch office with a single Cisco Catalyst 2960 switch (IOS 15.0) and a Cisco ISR 4321 router acting as the DHCP server for VLAN 10 (192.168.10.0/24). An unauthorized consumer-grade router was connected to the switch, inadvertently providing DHCP services. The network has about 50 clients.

Diagnostic Steps

1. Check DHCP bindings on the legitimate DHCP server

show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address
192.168.10.10   0100.1a2b.3c4d.5e       Mar 01 2025 12:00 PM    Automatic
192.168.10.12   0063.6973.636f.2d63.    Mar 01 2025 12:05 PM    Automatic
                ...

The router's binding table lists only the leases this server issued from its own pools, so a rogue server's leases never appear in it. The check is therefore the reverse of what you might expect: take the MAC address of an affected client (one that ended up with a 192.168.20.x address) and look for it here. If that client is missing, or has only an old 192.168.10.x lease that it is no longer using, it obtained its current address from another server. If the table itself contained 192.168.20.x entries, that would point to a second pool configured on this router (show running-config | section ip dhcp), not to a rogue.

2. Check the legitimate server's statistics for offers that were never accepted

show ip dhcp server statistics
Memory usage: 12345
Address pools: 1
Database agents: 0
Automatic bindings: 10
Manual bindings: 0
Expired bindings: 0
Malformed messages: 0
Message    Received
BOOTREQUEST: 0
DHCPDISCOVER: 15
DHCPREQUEST: 10
DHCPDECLINE: 0
DHCPRELEASE: 2
DHCPINFORM: 0
Message    Sent
BOOTREPLY: 0
DHCPOFFER: 15
DHCPACK: 10
DHCPNAK: 0

DHCPDISCOVER is a broadcast, so the legitimate server still sees and answers every one: 15 received, 15 DHCPOFFERs sent. A client that takes the rogue's offer instead sends a DHCPREQUEST naming the rogue in option 54 (the server identifier); the legitimate server treats that as a rejection of its own offer and sends no DHCPACK. The gap between DHCPOFFER sent (15) and DHCPACK sent (10) is therefore the number of clients that leased from somewhere else, and it keeps growing as leases renew. If the counters have accumulated over weeks, run clear ip dhcp server statistics and watch a fresh window. These counters cannot tell you where the other server is: giaddr is the relay agent address (0.0.0.0 on a flat LAN) and says nothing about the server. A server's identity is the server identifier option in its own OFFERs, which only a packet capture shows.

3. Use debug to watch the legitimate server's side of each exchange

debug ip dhcp server events
DHCPD: DHCPDISCOVER received from client 0100.1a2b.3c4d.5e via Vlan10.
DHCPD: Sending DHCPOFFER to client 0100.1a2b.3c4d.5e (192.168.10.10).
DHCPD: DHCPREQUEST received from client 0100.1a2b.3c4d.5e.
DHCPD: Sending DHCPACK to client 0100.1a2b.3c4d.5e (192.168.10.10).
DHCPD: DHCPDISCOVER received from client 0100.5f6e.7a8b.9c via Vlan10.
DHCPD: Sending DHCPOFFER to client 0100.5f6e.7a8b.9c (192.168.10.11).

The first client completes the full DISCOVER/OFFER/REQUEST/ACK exchange with this server and ends up with 192.168.10.10. The second client is offered 192.168.10.11, but no "Sending DHCPACK" line for it ever follows: it selected another server's offer. That client (client-ID 0100.5f6e.7a8b.9c, MAC 00:5f:6e:7a:8b:9c) is the one to trace. Two things this debug cannot show: the legitimate server never offers a 192.168.20.x address, because no such pool exists on it, and it never logs the rogue's packets, because the debug reports only this router's own DHCP conversations. Locating the rogue therefore needs a capture (next step). Use debug ip dhcp server packet if you need per-packet detail, and turn debugging off with undebug all when done; on a 50-client branch the load is modest, but debug output on a busier router can be disruptive.

4. Use a packet capture to locate the rogue DHCP server

The rogue server identifies itself in every DHCPOFFER it sends: the IP header source address, the siaddr field and, authoritatively, option 54 (server identifier). Capture DHCP traffic on the router with Embedded Packet Capture (IOS-XE syntax; the capture point is the router's VLAN 10 interface) while a test client releases and renews its lease:

monitor capture cap interface Vlan10 both
monitor capture cap match ipv4 any any
monitor capture cap start
monitor capture cap stop
show monitor capture cap buffer brief
... DHCPOFFER from 192.168.20.1 to 255.255.255.255 ...

(The output line is shortened. monitor capture cap export bootflash:cap.pcap lets you open the capture in Wireshark, where the display filter dhcp.option.dhcp == 2 (bootp.option.dhcp == 2 in older versions) shows only OFFERs. A SPAN session on the 2960 mirroring an affected client's port to a laptop running Wireshark works just as well.)

The DHCPOFFER's source IP and server identifier (192.168.20.1) reveal the rogue server; the legitimate server is 192.168.10.1. The address is a typical consumer-router default, which fits the root cause below. What actually locates the device is the frame's source MAC address: show mac address-table address <mac> on the switch returns the port it is plugged into.
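Steps 3 and 4 come down to reading the fields of a DHCPOFFER that identify the server. The script below is an added example, not material from the original page and not a Cisco tool: a minimal BOOTP/DHCP parser that extracts yiaddr, siaddr, the option 53 message type and the option 54 server identifier, then flags every OFFER or ACK whose server is not on the allow-list or whose offered address falls outside the expected subnet. The two packets it runs over are constructed to mirror the scenario (legitimate server 192.168.10.1 offering 192.168.10.10, rogue 192.168.20.1 offering 192.168.20.5 to the page's client 0100.5f6e.7a8b.9c); the frame source MACs are assumed values.

```python
"""Flag rogue DHCP servers in captured DHCPOFFER/DHCPACK packets (added example)."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op, xid, yiaddr, siaddr, chaddr, options):
    """Build a raw BOOTP/DHCP payload (UDP data only); used to construct the samples."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,
        b"\0" * 4,                                  # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,       # yiaddr: address offered to the client
        ipaddress.IPv4Address(siaddr).packed,       # siaddr: next server, usually the DHCP server
        b"\0" * 4,                                  # giaddr: relay agent, 0.0.0.0 on a flat LAN
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + DHCP_MAGIC + body + b"\xff"


def parse_dhcp(payload):
    """Parse the BOOTP header and DHCP options into the fields a troubleshooter reads."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, hlen = payload[0], payload[2]
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    siaddr = str(ipaddress.IPv4Address(payload[20:24]))
    giaddr = str(ipaddress.IPv4Address(payload[24:28]))
    chaddr = payload[28:28 + hlen].hex(":")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                  # end option
            break
        if code == 0:                    # pad option
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")
    server_id = str(ipaddress.IPv4Address(opts[54])) if 54 in opts else None
    return {"op": op, "xid": xid, "type": msg_type, "yiaddr": yiaddr, "siaddr": siaddr,
            "giaddr": giaddr, "chaddr": chaddr, "server_id": server_id}


def find_rogue_offers(packets, legit_servers, expected_subnet):
    """packets: iterable of (src_ip, src_mac, dhcp_payload) as a capture export gives them.

    Returns one finding per OFFER/ACK whose server is not in legit_servers or whose
    offered address is outside expected_subnet.
    """
    net = ipaddress.ip_network(expected_subnet)
    findings = []
    for src_ip, src_mac, payload in packets:
        p = parse_dhcp(payload)
        if p["op"] != 2 or p["type"] not in ("OFFER", "ACK"):
            continue                     # only server-to-client messages name a server
        server = p["server_id"] or src_ip   # option 54 is authoritative; fall back to the IP header
        reasons = []
        if server not in legit_servers:
            reasons.append(f"server identifier {server} is not an authorised DHCP server")
        if ipaddress.ip_address(p["yiaddr"]) not in net:
            reasons.append(f"offered {p['yiaddr']} outside {expected_subnet}")
        if reasons:
            findings.append({"server": server, "src_mac": src_mac, "client": p["chaddr"],
                             "yiaddr": p["yiaddr"], "reasons": reasons})
    return findings


# Constructed sample capture: one OFFER from the legitimate router, one from the rogue.
CLIENT_MAC = bytes.fromhex("005f6e7a8b9c")       # the page's client-ID 0100.5f6e.7a8b.9c
LEGIT_OFFER = build_dhcp(2, 0x1234, "192.168.10.10", "192.168.10.1", CLIENT_MAC,
                         [(53, b"\x02"), (54, ipaddress.IPv4Address("192.168.10.1").packed)])
ROGUE_OFFER = build_dhcp(2, 0x1234, "192.168.20.5", "192.168.20.1", CLIENT_MAC,
                         [(53, b"\x02"), (54, ipaddress.IPv4Address("192.168.20.1").packed)])
SAMPLE_CAPTURE = [
    ("192.168.10.1", "00:11:22:33:44:55", LEGIT_OFFER),   # source MACs are assumed values
    ("192.168.20.1", "aa:bb:cc:dd:ee:ff", ROGUE_OFFER),
]

if __name__ == "__main__":
    for f in find_rogue_offers(SAMPLE_CAPTURE, {"192.168.10.1"}, "192.168.10.0/24"):
        print(f"rogue DHCP server {f['server']} (MAC {f['src_mac']}): {'; '.join(f['reasons'])}")
        print(f"  next: show mac address-table address {f['src_mac']} on the access switch")
```

With a real capture the tuples come from the exported pcap (source IP and MAC from the Ethernet/IP headers, the UDP payload as the DHCP bytes). Option 54 is preferred over the IP source because a server behind a relay is seen with the relay's address, and each finding ends with the MAC that show mac address-table address turns into a switch port.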

Root Cause

An unauthorized consumer-grade router (LAN address 192.168.20.1) was plugged into an access port of the switch with its DHCP server enabled, offering addresses from its factory default pool (192.168.20.0/24). Because its LAN port sat in VLAN 10, every client DHCPDISCOVER reached both servers. Clients take the first DHCPOFFER they receive, so whenever the consumer router answered before the ISR 4321, the client leased a 192.168.20.x address with the rogue as its default gateway and lost connectivity to the rest of the 192.168.10.0/24 network.

Resolution

1. Disconnect the rogue router from the network. Find its port with show mac address-table address <mac> (the MAC from the capture), shut the port down until the cable is removed, and release/renew the affected clients so they lease from the legitimate server again.

2. On the switch, enable DHCP snooping so that DHCPOFFER, DHCPACK and DHCPNAK messages are accepted only on trusted ports:

ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust

Only the port facing the legitimate DHCP server (GigabitEthernet0/1, the uplink to the ISR 4321) is marked trusted; every other port is untrusted by default, and server messages arriving on untrusted ports are dropped, which is exactly what stops the consumer router.

3. Caveat: with snooping enabled, a Catalyst switch inserts DHCP option 82 into client packets by default, and the Cisco IOS DHCP server drops packets that carry option 82 with giaddr 0.0.0.0 unless it is told to trust them. If clients stop getting leases after you enable snooping, either disable the insertion on the switch (no ip dhcp snooping information option) or accept it on the router (ip dhcp relay information trust-all).
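What the snooping configuration above does to every frame can be spelled out as a small model. The code below is an added example, not the page's or Cisco's code: it simulates the per-frame decisions DHCP snooping makes (server messages dropped on untrusted ports, hardware address check on untrusted ports, bindings learned from DHCPACKs snooped on the trusted port, release/decline checked against the binding's port) and replays the incident against a switch with VLAN 10 snooped and Gi0/1 trusted. The client port Gi0/5, the rogue's port Gi0/8, the rogue's MAC and the lease time are assumed values chosen to match the scenario.

```python
"""Model of the per-frame decisions DHCP snooping makes on an access switch (added example)."""
from dataclasses import dataclass, field
from typing import Optional

SERVER_MSGS = {"OFFER", "ACK", "NAK"}            # legitimate only from trusted ports
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass
class Frame:
    port: str              # ingress switch port
    vlan: int
    src_mac: str           # Ethernet source address
    msg: str               # DHCP message type (option 53)
    chaddr: str            # client hardware address inside the DHCP header
    yiaddr: Optional[str] = None
    lease: int = 0


@dataclass
class SnoopingSwitch:
    snooping_vlans: set
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # (chaddr, vlan) -> (ip, port, lease)
    pending: dict = field(default_factory=dict)    # (chaddr, vlan) -> port of the last REQUEST
    dropped: list = field(default_factory=list)    # (frame, reason)

    def _drop(self, frame, reason):
        self.dropped.append((frame, reason))
        return "drop"

    def process(self, f: Frame) -> str:
        """Return 'forward' or 'drop' for one DHCP frame, updating state as the switch would."""
        if f.vlan not in self.snooping_vlans:
            return "forward"                        # snooping not enabled on this VLAN
        key = (f.chaddr, f.vlan)
        if f.port in self.trusted_ports:
            # Trusted ports are not filtered. An ACK passing through creates a binding on
            # the client's own port, which the switch remembers from the client's REQUEST.
            if f.msg == "ACK" and key in self.pending:
                self.bindings[key] = (f.yiaddr, self.pending.pop(key), f.lease)
            elif f.msg == "NAK":
                self.pending.pop(key, None)
            return "forward"
        # Untrusted port: this is where a rogue server's OFFER/ACK is stopped.
        if f.msg in SERVER_MSGS:
            return self._drop(f, "DHCP server message on untrusted port")
        if f.src_mac != f.chaddr:                   # hardware address verification
            return self._drop(f, "chaddr does not match frame source MAC")
        if f.msg in ("RELEASE", "DECLINE") and key in self.bindings \
                and self.bindings[key][1] != f.port:
            return self._drop(f, "release/decline for a binding on another port")
        if f.msg == "REQUEST":
            self.pending[key] = f.port
        return "forward"


def run_scenario():
    """Replay the incident against a switch snooping VLAN 10 with Gi0/1 (uplink) trusted."""
    sw = SnoopingSwitch(snooping_vlans={10}, trusted_ports={"Gi0/1"})
    client = "00:1a:2b:3c:4d:5e"                    # the page's client 0100.1a2b.3c4d.5e
    server = "00:11:22:33:44:55"                    # the page's legitimate server MAC
    rogue = "aa:bb:cc:dd:ee:ff"                     # assumed MAC of the consumer router
    frames = [
        Frame("Gi0/5", 10, client, "DISCOVER", client),
        Frame("Gi0/8", 10, rogue, "OFFER", client, "192.168.20.5", 86400),   # rogue answers first
        Frame("Gi0/1", 10, server, "OFFER", client, "192.168.10.10", 86400),
        Frame("Gi0/5", 10, client, "REQUEST", client),
        Frame("Gi0/1", 10, server, "ACK", client, "192.168.10.10", 86400),
        Frame("Gi0/8", 10, rogue, "ACK", client, "192.168.20.5", 86400),
        Frame("Gi0/8", 10, rogue, "RELEASE", client),   # forged release, wrong source MAC
        Frame("Gi0/8", 10, client, "RELEASE", client),  # forged release, spoofed MAC, wrong port
    ]
    verdicts = [sw.process(f) for f in frames]
    return sw, verdicts


if __name__ == "__main__":
    sw, verdicts = run_scenario()
    for fr, reason in sw.dropped:
        print(f"dropped {fr.msg} from {fr.src_mac} on {fr.port}: {reason}")
    print("bindings:", sw.bindings)
```

The binding the model ends up with (client MAC, 192.168.10.10, learned on Gi0/5) is what show ip dhcp snooping binding displays on the real switch, and the same table is what Dynamic ARP Inspection and IP Source Guard consult if they are enabled later.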

Verification

show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
...
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet0/1         yes        yes             unlimited

Confirm that VLAN 10 is both configured and operational and that GigabitEthernet0/1 (toward the legitimate server) is the only trusted interface.

show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E   192.168.10.10    86400       dhcp-snooping   10    GigabitEthernet0/5
Total number of bindings: 1

The binding table is built from the DHCPACKs the switch snoops on the trusted port, one entry per client on the untrusted port where that client was learned (GigabitEthernet0/5 is an assumed client port here). Every address in it should now be in 192.168.10.0/24; a rogue server's leases cannot appear because its ACKs are dropped before they reach any client, and show ip dhcp snooping statistics counts those drops. Finally confirm from a client: on Windows, ipconfig /all must list the DHCP Server as 192.168.10.1 and an address in 192.168.10.0/24; ipconfig /release followed by ipconfig /renew forces a fresh lease through the snooping switch.

Prevention

1. Enable DHCP snooping on every access switch so that DHCP server messages are accepted only on the trusted uplink toward the real server; add ip dhcp snooping limit rate on access ports so a misbehaving host cannot flood the switch with DHCP packets.

2. Use port security (switchport port-security with a maximum MAC count) to limit how many devices can sit behind one access port; several MAC addresses appearing on one port, as happens when a router or hub is plugged in, trigger the violation action.

3. Implement 802.1X authentication so that only authenticated devices are admitted to the network; an unmanaged consumer router never completes authentication and stays isolated.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question where you must identify the cause of incorrect IP assignment. The exam tests your ability to use 'show ip dhcp binding', 'debug ip dhcp server events', and configure DHCP snooping. Key fact: DHCP snooping trusts only designated ports for DHCP server messages.

Exam Tips

1. DHCP snooping must be enabled globally (ip dhcp snooping) and per VLAN (ip dhcp snooping vlan 10). Trust only the ports that lead toward the legitimate DHCP server, that is, the server's own port or the uplink/trunk on the path to it; access ports stay untrusted, which is their default.

2. show ip dhcp binding lists only the leases this server issued from its own pools. A client holding an address from a different subnet therefore does not appear there at all (or shows only an old lease); that absence is the clue to a rogue server, not a wrong-subnet entry in the table.

3. To identify a rogue server from a debug or capture, look for the source IP (and the option 54 server identifier) of DHCPOFFER messages. The legitimate server's own debug output never shows another server's packets, so the answer comes from the capture.

Commands Used in This Scenario

show ip dhcp binding
show ip dhcp server statistics
debug ip dhcp server events
monitor capture (Embedded Packet Capture)
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping trust
show ip dhcp snooping
show ip dhcp snooping binding
