Roque DHCP Tshoot



Today I had a call that some PCs are getting wrong DNS addresses from DHCP.


Firstly, I checked the scopes and saw that the DNS servers’ addresses were correct.


After this I was sure that someone installed a roque DHCP server on the network.

 

Checking a PC I saw the below:

 

IP: 10.0.0.140           <--- Correct as the network add is 10.0.0.0/24

GW: 10.0.0.254        <---- Correct

DNS: 192.168.0.1     <--- This is wrong. It should be 10.10.10.100 and 10.10.10.101

 

The device is cisco router 4331.

I have created an ACL with 2 ACEs. I was actually matching BOOTP (DHCP) messages.


I also created a packet capture on the router and attached the ACL.


Exporting the capture, I found the below packet. (You can download it and open it with Wireshark)

Download Capture

Opening the capture, I found the ethernet source address


 

Tracing the specific mac address (show mac add | in d618) I found it on a switch port 1/0/21.


To resolve the issue, I had to shut the port. After this I informed the customer and resolve the ticket.

 

This is how I troubleshoot a roque DHCP issue today. Hope you find this information interesting. For any further information regarding commands etc please contact me on twitter. Contact me also if you faced this issue and how you found the solution.







Comments

Post a Comment

Popular posts from this blog

Upgrade WLC / Supplementary image

  Today I had to upgrade an AIROS cisco 2504 WLC. After checking if the APs are supported by the new recommended version I noticed that I had to install the supplementary image also. The reason was that 1602i APs wasn’t supported by the main image in 8.5.171.0 version. Due to image size cisco created separate file for some AP images called Supplementary AP Bundle image. Procedure:   Step 1:   Check the current WLC image (Cisco Controller) >show boot Primary Boot Image............................... 8.3.150.0 (default) (active) Backup Boot Image................................ 8.0.152.0 Step 2: Upload the new image ( AIR-CT2500-K9-8-5-171-0.aes ) I did the below procedure via HTTPS. Verify (Cisco Controller) >show boot Primary Boot Image............................... 8.5.171.0 (default) Backup Boot Image................................ 8.3.150.0 (active) Step 3: Check Supported APs of the new version (Cisco Controller) >show ap bundle primary Primary Version
Read more

Converting lightweigh to standalone AP and vice versa

Connect with console cable to the cisco AP Default credentials Username : cisco Password: Cisco You can find the AP image type by running the command show version When the AP image ends with k9w8 means the AP is lightweight When the AP image ends with k9w7 means the AP is Standalone AP7cad.74ff.975e> sho version Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JK2, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2020 by Cisco Systems, Inc. Compiled Wed 01-Apr-20 04:25 by prod_rel_team ROM: Bootstrap program is C3700 boot loader BOOTLDR: C3700 Boot Loader (AP3G2-BOOT-M) LoaderVersion 15.2(4)JB, RELEASE SOFTWARE (fc1) AP7cad.74ff.975e uptime is 5 minutes System returned to ROM by power-on System image file is "flash:/ap3g2- k9w8 -mx.153-3.JK2/ap3g2-k9w8-xx.153-3.JK2" Last reload reason: Reason Not Known To convert the AP from lightweight to standalone please follow the below pro
Read more

ISE Direct Upgrade URT

Run Upgrade Readiness Tool (URT) to validate config DB upgrade from 2.7,3.0,3.1 to 3.2. This is a signed bundle for image integrity (ise-urtbundle-3.2.0.542a-1.0.0.SPA.x86_64.tar.gz) In this case i am running ise 3.1 patch 7 and will upgrade to 3.2 As we are running an HA the URT need to run on secondary admin node. Got the below error once i tried to run it on Primary Checking ISE persona ======================================================   - Failed (URT can only be run on Secondary Admin Node or Standalone % Application install or upgrade cancelled. ise03/admin# ====================================================== *Note When you need to run it on secondary note, you have to generate on secondary the key (crypto host_key add host 10.10.10.10) and then you can run the URT. Below is URT logging ise04/adMIN# application install ise-urtbundle-3.2.0.542a-1.0.0.SPA.x86_64.tar.gz  ""SFTP-SRV01"" Save the current ADE-OS running configuration? (yes/no) [yes] ? yes Gen
Read more