[c-nsp] DHCP Snooping and tracking down rogue dhcp servers

Phil Mayers p.mayers at imperial.ac.uk
Fri Jun 10 07:14:34 EDT 2016

On 09/06/16 20:53, Shawn L wrote:

> Sporadically for the past several months we've been receiving log errors
> that show that there is a rogue dhcp server on the network somewhere, but I
> can't seem to find it.  The log messages show the MAC address of the switch
> itself, not of the rogue dhcp server.

Downstream layer2 loop, switch seeing the packet it has just relayed out?

> I've even resorted to doing a wireshark packet capture, spanning one port
> at a time and looking for DHCP traffic to track it down, but it didn't
> yield any results.  From the log messages, it was definitely seeing the
> rogue dhcp server at the time we were performing the monitoring.

IME you've got to be a bit careful with SPAN for anything funky; it
often does odd stuff with multicast packets, for example. I'm kind of
surprised the SPAN didn't show you the DHCP packets though, never seen
that, but if it really was the switch's own source MAC, maybe that futzed
the SPAN up.

Or the source MAC is wrong in the logs (logging bug, IOS, surely no...)

