Unidentified device acting as a DHCP server

Hello fellow Experts Exchange members:

I request assistance with a confounding problem.

I have an office that uses Cisco Meraki access points all connected to a Cisco SG300-52P switch.

The office uses a separate vendor for their VoIP phone system.

The event log on the Meraki cloud controller is filled with entries that read "Multiple DHCP servers detected."

The entries state that the second DHCP server has an IP address that is not on any of our equipment with a MAC address that identifies it as a Cisco device.

When I put a secondary IP address on one of our devices in the same subnet as the unidentified device, the unidentified device responds to pings.  Using telnet to connect on port 22 brings up the text "SSH-2.0-Cisco-1.25" but typing any character immediately results in "Connection to host lost."

The unidentified device does not respond on port 80 or 443.

Reviewing the MAC address tables on our Cisco switch, the MAC address of the unidentified device is seen on a port that is physically connected to the VoIP phone system vendor equipment.

(There are multiple MAC addresses listed in the MAC address table for this port besides the unidentified device.)

However, when troubleshooting with the VoIP phone system vendor, their technician reports they cannot detect the MAC address of the unidentified device on any of their equipment.

The first part of my question is if it is possible for a MAC address to appear on the MAC address tables in a Cisco switch for a particular port and yet be completely unknown to other devices connected to that port.

Also, I would like to know if any fellow Experts Exchange members have any advice on how to identify and locate the unidentified device in question if it is in fact connected to the VoIP phone system vendor equipment (which I do not have access to) and yet is not visible to them.


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

atlas_shudderedSr. Network EngineerCommented:
To your first question, potentially, depending on how the port is configured.

To your second question, the easiest thing to do is to turn on DHCP snooping and just kill the offers on all ports but the one your DHCP server is actually connected to.  The below link is for a 2960 but there will be documentation for whatever model switch you are using (assuming cisco).  


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.