jjohnsoncantell (6th June 2012)
Do you have more than one official DHCP Server in your domain? If yes, try reducing this to a single DHCP Server instance, or increase conflict detection to 2.
- View the ARP cache on the client machine with the bad address and copy the MAC of the default gateway. This is the MAC address of the rogue router.
- Console into your core switch and view the MAC table looking for the MAC you just wrote down. From here you can see what physical port it learned of the MAC from.
- View CDP neighbors to see which physical device is connected to that port and then telnet into that device and continue the search. Eventually you come to the last switch in line that has said rogue device jacked into it.
- You should now be able to go to the closet, trace back the patch from the switch port to the patch panel and figure out the physical location.
This was done on Cisco hardware, but the principle should apply to other vendors' hardware.
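The first two steps of the trace above, as an added example that is not part of the original post: it takes the gateway MAC from a client's `arp -a` output and finds the switch port that learned it, converting between the Windows and Cisco MAC notations. The sample outputs, IP addresses, MACs and function names are constructed for illustration.

```python
import re

# Constructed sample: `arp -a` output from a Windows client (not from the thread).
ARP_OUTPUT = """\
Interface: 192.168.1.57 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-50-56-aa-bb-cc     dynamic
"""

# Constructed sample: `show mac address-table` output from a Cisco IOS switch.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.bbcc    DYNAMIC     Gi1/0/3
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/24
  20    0011.2233.4455    DYNAMIC     Gi1/0/7
"""

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def gateway_mac(arp_output, gateway_ip):
    """Return the MAC the client has cached for gateway_ip, or None."""
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == gateway_ip:
            return normalize_mac(fields[1])
    return None

def ports_for_mac(mac_table, mac):
    """Return (vlan, port) pairs where the switch learned this MAC."""
    wanted = normalize_mac(mac)
    hits = []
    for line in mac_table.splitlines():
        fields = line.split()
        # Data rows only: VLAN, MAC in Cisco dotted form, type, port.
        if len(fields) == 4 and re.fullmatch(r"(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}", fields[1]):
            if normalize_mac(fields[1]) == wanted:
                hits.append((fields[0], fields[3]))
    return hits

if __name__ == "__main__":
    print(ports_for_mac(MAC_TABLE, gateway_mac(ARP_OUTPUT, "192.168.1.1")))
```

If the returned port is an uplink to another switch, the same lookup is repeated on that switch, as the post describes.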
I haven't as yet gone to a workstation with a bad address, since it was happening on so many PCs at once I had to keep the rest of the clients going. I have only one DHCP server, so will look into that. Duke, that's a great idea; if what I have done so far doesn't work, this will be the next course of action I take.
Still no bad addresses since I disabled that routing bridge... I'm hoping that's problem solved. Thank you to everyone who replied, you were most helpful.
What I would do is capture the network traffic on your DHCP server with something like Wireshark for about 10 mins and then import the file into Capsa Free Edition and it will analyse the file for you.
If you can get the MAC of the item you might be able to find what sort of NIC it is.
Do you have dynamic updates on the DNS set to secure?
Also, do you have conflict detection set above 0 in DHCP? This pings the IP to see if the IP is being used before issuing it.
You could reduce the lease time in DHCP, but you need to find the problem and Capsa should help.
If this does not find it, look at DNS poisoning (DNS spoofing - Wikipedia, the free encyclopedia).
Plus, is there another DHCP server on another machine? Maybe on a laptop.