1. Purpose
This SOP defines the standardized procedure to detect, isolate, and resolve incidents caused by a Rogue DHCP server within a restaurant network environment (example subnet: 172.16.31.0/24).
The objective is to restore correct IP assignment from the authorized gateway/DHCP server and prevent business disruption affecting POS, NVR (NBR), cameras, and back-office systems.
2. Scope
This procedure applies to:
POS terminals
Back-office PCs
IP cameras
NVR / NBR systems
Access switches
Authorized PC61 Router acting as DHCP server
All VLAN segments within the site
This document does not cover ISP WAN outages unrelated to DHCP misconfiguration.
3. Background – How DHCP Works in This Environment
In this topology:
The PC61 Router provides DHCP for subnet 172.16.31.0/24.
Clients (POS, cameras, NBR, PCs) connect via access switches.
The DHCP process follows this sequence:
DHCP Discover →
DHCP Offer →
DHCP Request →
DHCP Acknowledgment
If an unauthorized device (e.g., misconfigured PC, small router, NVR, or test server) responds to DHCP Discover messages, clients may receive:
Incorrect subnet (e.g., 192.168.x.x instead of 172.16.31.x)
Incorrect gateway
Incorrect DNS
This results in routing failure despite physical connectivity being intact.
4. Problem Description
A Rogue DHCP incident occurs when an unauthorized device assigns IP addresses to network clients.
Typical Symptoms Reported
POS offline
Payments failing
NBR unreachable
Cameras not recording
Devices showing unexpected IP range (e.g., 192.168.244.x)
Technical Indicators
Client IP not in expected subnet (172.16.31.0/24)
Default gateway unreachable
Multiple DHCP Offers seen in packet capture
DHCP server MAC address not matching authorized router
Intermittent connectivity across VLAN
Severity: High (if POS/payment systems impacted)
5. Business Impact
If unresolved:
Payment transactions fail
POS synchronization stops
Camera/NBR recording disrupted
Guest network unstable
Revenue and compliance risk
Impact Level: High
6. Common Root Causes
Unauthorized small router connected to access port
NVR with DHCP enabled
Technician test device left connected
Misconfigured Wi-Fi extender
Default DHCP enabled on replacement hardware
No DHCP Snooping configured on switch
7. Detailed Troubleshooting Procedure
All troubleshooting must be performed from an affected client or test laptop connected to the same VLAN.
Step 1 – Verify Client IP Configuration
Run in CMD on a Windows device:
ipconfig /all
Check:
IPv4 address
Subnet mask
Default gateway
DHCP Server
Expected subnet: 172.16.31.0/24
If IP is outside expected subnet → Suspect Rogue DHCP
Step 2 – Capture DHCP Offer (If Needed)
Use the packet capture tool from the tools section, with the bootp filter in Wireshark:
Identify:
Source MAC of DHCP Offer
DHCP Server Identifier
Record MAC address.
Step 3 – Perform MAC OUI Lookup
Use the internal AT command from the tools section or a public OUI database to determine:
Device vendor
Device type
Compare against authorized router MAC address.
If vendor mismatch → Rogue device confirmed.
Step 4 – Locate Rogue Device on Switch
Identify:
Switch port
VLAN
Interface
Trace physical cable to connected device.
Step 6 – Isolate Rogue Device
Options:
Physically disconnect device
Disable DHCP service on Rogue device
Confirm DHCP Offers stop.
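Added example (not part of the original SOP or of any tool it references): a Python sketch of the checks in Steps 1 to 3, parsing a DHCP Offer payload exported from the capture and flagging a server that does not match the authorized router. The function names are hypothetical, AUTHORIZED_MAC is a placeholder for the documented router MAC, and sample_offer builds constructed test data.

```python
import ipaddress

AUTHORIZED_NET = ipaddress.ip_network("172.16.31.0/24")  # expected subnet from this SOP
AUTHORIZED_MAC = "02:00:00:00:00:01"  # placeholder: use the documented router MAC
MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie after the 236-byte BOOTP header
IP_OPTS = {1: "mask", 3: "router", 6: "dns", 54: "server_id"}

def parse_dhcp(src_mac, payload):
    """Extract the fields checked in Steps 1-3 from a DHCP payload (UDP data)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    info = {"src_mac": src_mac.lower(),
            "yiaddr": str(ipaddress.IPv4Address(payload[16:20]))}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else -1
        data = payload[i + 2:i + 2 + length]
        if length < 0 or len(data) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            info["msg_type"] = data[0]              # 2 = DHCPOFFER
        elif code in IP_OPTS and length >= 4:
            info[IP_OPTS[code]] = str(ipaddress.IPv4Address(data[:4]))
        i += 2 + length
    return info

def rogue_findings(info):
    """Return reasons an Offer does not match the authorized DHCP server."""
    if info.get("msg_type") != 2:
        return []
    out = []
    if info["src_mac"] != AUTHORIZED_MAC:
        out.append("source MAC is not the authorized router")
    for field in ("yiaddr", "router", "server_id"):
        addr = info.get(field)
        if addr and ipaddress.ip_address(addr) not in AUTHORIZED_NET:
            out.append(f"{field} {addr} outside {AUTHORIZED_NET}")
    return out

def sample_offer(yiaddr, server, router):
    """Constructed test data: a minimal DHCPOFFER payload."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    hdr = bytes([2, 1, 6, 0]) + bytes(12) + ip(yiaddr) + bytes(216)
    return (hdr + MAGIC + bytes([53, 1, 2, 54, 4]) + ip(server)
            + bytes([3, 4]) + ip(router) + b"\xff")
```

An empty result from rogue_findings means the Offer matches the authorized router; any entry is a reason to continue with Step 4.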
8. Resolution Scenarios
Scenario A – Unauthorized Router
Remove Rogue router
Reboot affected clients
Scenario B – Technician Device
Disconnect device
Validate no further DHCP responses
9. Validation After Resolution
Perform the following checks:
Release/Renew IP:
Run the following commands in CMD:
ipconfig /release
ipconfig /renew
Confirm:
IP in 172.16.31.x range
Correct default gateway
Correct DNS
Test:
Ping gateway
POS transaction test
Camera/NVR access
Internet browsing
Monitor for 10–15 minutes for additional DHCP Offers.
10. Preventive Measures
To prevent recurrence:
Enable DHCP Snooping on all access switches
Trust only uplink port toward router
Block DHCP replies on access ports
Implement VLAN segmentation
Apply port security (limit MAC addresses)
Document authorized DHCP server MAC address
Audit quarterly
11. Escalation Guidelines
Escalate to Network Engineering if:
Rogue MAC cannot be located
Multiple rogue sources detected
DHCP Snooping misconfiguration suspected
Issue impacts multiple VLANs
Provide:
Client IP configuration
Rogue DHCP server MAC address
Switch name and port
VLAN information
Packet capture (if available)
12. Quick Diagnostic Summary
If clients receive wrong IP:
Check IP subnet.
Verify DHCP server IP.
Capture DHCP Offer.
Perform MAC OUI lookup.
Trace MAC on switch.
Isolate rogue device.
Renew client IP.
Validate business services.

