Skip to main content

Rouge DHCP Scenarios

R
Written by Rohit Yadav

1. Purpose

This SOP defines the standardized procedure to detect, isolate, and resolve incidents caused by a Rogue DHCP server within a restaurant network environment (example subnet: 172.16.31.0/24).

The objective is to restore correct IP assignment from the authorized gateway/DHCP server and prevent business disruption affecting POS, NVR (NBR), cameras, and back-office systems.

2. Scope

This procedure applies to:

  • POS terminals

  • Back-office PCs

  • IP cameras

  • NVR / NBR systems

  • Access switches

  • Authorized PC61 Router acting as DHCP server

  • All VLAN segments within the site

This document does not cover ISP WAN outages unrelated to DHCP misconfiguration.

3. Background – How DHCP Works in This Environment

In this topology:

  • The PC61 Router provides DHCP for subnet 172.16.31.0/24.

  • Clients (POS, cameras, NBR, PCs) connect via access switches.

  • DHCP process follows:

  • DHCP Discover →

  • DHCP Offer →

  • DHCP Request →

  • DHCP Acknowledgment

If an unauthorized device (e.g., misconfigured PC, small router, NVR, or test server) responds to DHCP Discover messages, clients may receive:

  • Incorrect subnet (e.g., 192.168.x.x instead of 172.16.31.x)

  • Incorrect gateway

  • Incorrect DNS

This results in routing failure despite physical connectivity being intact.

4. Problem Description

A Rogue DHCP incident occurs when an unauthorized device assigns IP addresses to network clients.

Typical Symptoms Reported

  • POS offline

  • Payments failing

  • NBR unreachable

  • Cameras not recording

  • Devices showing unexpected IP range (e.g., 192.168.244.x)

Technical Indicators

  • Client IP not in expected subnet (172.16.31.0/24)

  • Default gateway unreachable

  • Multiple DHCP Offers seen in packet capture

  • DHCP server MAC address not matching authorized router

  • Intermittent connectivity across VLAN

Severity: High (if POS/payment systems impacted)

5. Business Impact

If unresolved:

  • Payment transactions fail

  • POS synchronization stops

  • Camera/NBR recording disrupted

  • Guest network unstable

  • Revenue and compliance risk

Impact Level: High

6. Common Root Causes

  • Unauthorized small router connected to access port

  • NVR with DHCP enabled

  • Technician test device left connected

  • Misconfigured Wi-Fi extender

  • Default DHCP enabled on replacement hardware

  • No DHCP Snooping configured on switch

7. Detailed Troubleshooting Procedure

All troubleshooting must be performed from an affected client or test laptop connected to the same VLAN.

Step 1 – Verify Client IP Configuration

Run on CMD in windows device:

ipconfig /all

Check:

  • IPv4 address

  • Subnet mask

  • Default gateway

  • DHCP Server

Expected subnet: 172.16.31.0/24

If IP is outside expected subnet → Suspect Rogue DHCP

Step 2 – Capture DHCP Offer (If Needed)

Use packet capture from tools section and using bootp filter on wireshark:

Identify:

  • Source MAC of DHCP Offer

  • DHCP Server Identifier

Record MAC address.

Step 3 – Perform MAC OUI Lookup

Use internal AT command from tools section or public OUI database to determine:

  • Device vendor

  • Device type

Compare against authorized router MAC address.

If vendor mismatch → Rogue device confirmed.

Step 4 – Locate Rogue Device on Switch

Identify:

  • Switch port

  • VLAN

  • Interface

Trace physical cable to connected device.

Step 6 – Isolate Rogue Device

Options:

  • Physically disconnect device

  • Disable DHCP service on Rouge device


Confirm DHCP Offers stop.

8. Resolution Scenarios

Scenario A – Unauthorized Router

  • Remove Rouge router

  • Reboot affected clients

Scenario B – Technician Device

  • Disconnect device

  • Validate no further DHCP responses

9. Validation After Resolution

Perform the following checks:

  1. Release/Renew IP:

Run the below command in CMD:

ipconfig /release
ipconfig /renew

  1. Confirm:

    • IP in 172.16.31.x range

    • Correct default gateway

    • Correct DNS

  2. Test:

  • Ping gateway

  • POS transaction test

  • Camera/NVR access

  • Internet browsing

  1. Monitor for 10–15 minutes for additional DHCP Offers.

10. Preventive Measures

To prevent recurrence:

  • Enable DHCP Snooping on all access switches

  • Trust only uplink port toward router

  • Block DHCP replies on access ports

  • Implement VLAN segmentation

  • Apply port security (limit MAC addresses)

  • Document authorized DHCP server MAC address

  • Audit quarterly

11. Escalation Guidelines

Escalate to Network Engineering if:

  • Rogue MAC cannot be located

  • Multiple rogue sources detected

  • DHCP Snooping misconfiguration suspected

  • Issue impacts multiple VLANs

Provide:

  • Client IP configuration

  • Rogue DHCP server MAC address

  • Switch name and port

  • VLAN information

  • Packet capture (if available)

12. Quick Diagnostic Summary

If clients receive wrong IP:

  1. Check IP subnet.

  2. Verify DHCP server IP.

  3. Capture DHCP Offer.

  4. Perform MAC OUI lookup.

  5. Trace MAC on switch.

  6. Isolate rogue device.

  7. Renew client IP.

  8. Validate business services.

Did this answer your question?