
Rogue DHCP Server Checklist and Process

Configuration for the ACM Rogue DHCP Server Remediation task is straightforward.

  • Rogue DHCP remediation begins with preventing established, legitimate DHCP servers, such as NIOS appliances that run the DHCP service, from being identified as rogue. Compile all legitimate DHCP servers on the network into the ACM Allowed DHCP Servers list (Config Management > Job Management > Lists).
  • Because the Rogue DHCP jobs are issue-driven, a suspected rogue device may first need to be detected by NetMRI. Ensure fingerprinting is enabled in the NetMRI system (Settings > Setup > Network Polling > Fingerprinting checkbox).
  • Also ensure that the required user accounts receive the appropriate notifications when Rogue DHCP events occur. Consult the topic Defining a Job Notification for specific information.
  • NetMRI also scans the standard DHCP TCP and UDP ports. Check the settings under Settings > Setup > Network Polling and enter "bootp" as the search string in the Port Scan List.
  • Add the NIOS administrator account username and password under Advanced Settings (Settings icon > General Settings > Advanced Settings, in the NIOS Administrator category).

To enable the NetMRI-to-NIOS communication, you also define the NIOS administrator User ID and password that NetMRI will use to check the configuration in NIOS. If this is not yet in place, see Creating a Single-Sign-On Admin Account.

Rogue DHCP Triggering Events

The following event causes the initial Rogue DHCP discovery process to start:

  • NetMRI detects a NIOS-generated DHCPACK Syslog message.

If this occurs, and ACM does not know the IP address/MAC address combination of the device from which the DHCP service advertisement originated, NetMRI executes discovery on the new device and executes a DHCP Service Test on the new entity.
NetMRI can also discover the new device on its own, in one of two ways:

  • The admin initiates a Discover Now session;
  • Automation Change Manager discovers the new device. In either case, NetMRI immediately runs a DHCP Service Test.

If the DHCP service exists on the new device, and it is not in the ACM Allowed DHCP Servers list or a NIOS-sanctioned DHCP server, the new device is deemed rogue.
A new Rogue DHCP Server Detected Issue is fired by the Automation Change Manager.
Once this issue appears, the first of the two ACM Rogue DHCP Server jobs, Locate Rogue DHCP Server, executes with no intervention by the admin.
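The decision flow described above (DHCPACK syslog trigger or Discover Now, then a DHCP Service Test, then a check against the Allowed DHCP Servers list and the NIOS-sanctioned servers) can be modelled in a few lines. The following is an added illustration, not NetMRI or ACM code: the syslog line format, the `dhcp_service_test` probe callable, and the IP/MAC pairs and server lists are all constructed assumptions for the example, and the IP/MAC pair in the message is taken as the identity of the device being evaluated.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed ISC-DHCP-style DHCPACK line as relayed over syslog by NIOS;
# the exact wording is a constructed assumption for this example.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


@dataclass
class RogueDhcpMonitor:
    """Minimal model of the ACM rogue DHCP triggering logic (illustrative)."""
    allowed_servers: set                     # ACM Allowed DHCP Servers list (IPs)
    nios_servers: set                        # NIOS-sanctioned DHCP servers (IPs)
    dhcp_service_test: Callable[[str], bool]  # hypothetical probe: True if host serves DHCP
    known_devices: set = field(default_factory=set)   # (ip, mac) pairs ACM already knows
    issues: list = field(default_factory=list)        # fired "Rogue DHCP Server Detected" issues

    def handle_syslog(self, line: str) -> Optional[str]:
        """Triggering event: a NIOS-generated DHCPACK syslog message."""
        m = DHCPACK_RE.search(line)
        if not m:
            return None  # not a triggering event
        ip, mac = m["ip"], m["mac"].lower()
        if (ip, mac) in self.known_devices:
            return None  # ACM already knows this IP/MAC combination
        return self.discover(ip, mac)

    def discover(self, ip: str, mac: str) -> Optional[str]:
        """Discovery path (Discover Now or ACM discovery): run the DHCP Service Test."""
        self.known_devices.add((ip, mac))
        if not self.dhcp_service_test(ip):
            return None  # no DHCP service on the device
        if ip in self.allowed_servers or ip in self.nios_servers:
            return None  # legitimate server, never flagged as rogue
        issue = f"Rogue DHCP Server Detected: {ip} ({mac})"
        self.issues.append(issue)  # the Locate Rogue DHCP Server job would start here
        return issue


# Constructed sample data: which hosts answer as DHCP servers in this lab.
SAMPLE_PROBE_RESULTS = {
    "10.0.0.1": True,    # NIOS appliance
    "10.0.0.2": True,    # allowed third-party server
    "10.0.0.77": True,   # unexpected DHCP server
    "10.0.0.50": False,  # ordinary client
}

# Constructed sample syslog lines.
SAMPLE_LOG = [
    "DHCPACK on 10.0.0.50 to 00:11:22:33:44:55 via eth1",
    "DHCPDISCOVER from 00:11:22:33:44:66 via eth1",
    "DHCPACK on 10.0.0.77 to 00:11:22:33:44:66 via eth1",
    "DHCPACK on 10.0.0.77 to 00:11:22:33:44:66 via eth1",  # duplicate, already known
    "DHCPACK on 10.0.0.2 to 00:11:22:33:44:77 via eth1",
]


def run_demo() -> list:
    """Feed the constructed log through the monitor and return the issues fired."""
    monitor = RogueDhcpMonitor(
        allowed_servers={"10.0.0.2"},
        nios_servers={"10.0.0.1"},
        dhcp_service_test=lambda ip: SAMPLE_PROBE_RESULTS.get(ip, False),
    )
    for line in SAMPLE_LOG:
        monitor.handle_syslog(line)
    # Admin-initiated Discover Now on the NIOS appliance itself: sanctioned, so no issue.
    monitor.discover("10.0.0.1", "aa:bb:cc:dd:ee:ff")
    return monitor.issues


if __name__ == "__main__":
    for issue in run_demo():
        print(issue)
```

The point of the model is the order of the checks: the Allowed DHCP Servers list and NIOS-sanctioned servers are consulted only after the DHCP Service Test confirms that the device actually serves DHCP, and an IP/MAC pair already known to ACM never re-triggers discovery, which is why keeping the allowed list current matters before enabling the jobs.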