Unidentified device acting as a DHCP server

KYiin-ComputerMD
Hello fellow Experts Exchange members:

I request assistance with a confounding problem.

I have an office that uses Cisco Meraki access points all connected to a Cisco SG300-52P switch.

The office uses a separate vendor for their VoIP phone system.

The event log on the Meraki cloud controller is filled with entries that read "Multiple DHCP servers detected."

The entries state that the second DHCP server has an IP address that is not on any of our equipment with a MAC address that identifies it as a Cisco device.

When I put a secondary IP address on one of our devices in the same subnet as the unidentified device, the unidentified device responds to pings.  Using telnet to connect on port 22 brings up the text "SSH-2.0-Cisco-1.25" but typing any character immediately results in "Connection to host lost."

The unidentified device does not respond on port 80 or 443.

Reviewing the MAC address tables on our Cisco switch, the MAC address of the unidentified device is seen on a port that is physically connected to the VoIP phone system vendor equipment.

(There are multiple MAC addresses listed in the MAC address table for this port besides the unidentified device.)

However, when troubleshooting with the VoIP phone system vendor, their technician reports they cannot detect the MAC address of the unidentified device on any of their equipment.

The first part of my question is if it is possible for a MAC address to appear on the MAC address tables in a Cisco switch for a particular port and yet be completely unknown to other devices connected to that port.

Also, I would like to know if any fellow Experts Exchange members have any advice on how to identify and locate the unidentified device in question if it is in fact connected to the VoIP phone system vendor equipment (which I do not have access to) and yet is not visible to them.

Sincerely,

Kahn
Sr. Network Engineer
Commented:
To your first question, potentially, depending on how the port is configured.

To your second question, the easiest thing to do is to turn on DHCP snooping and just kill the offers on all ports but the one your DHCP server is actually connected to. The link below is for a 2960, but there will be documentation for whatever model switch you are using (assuming Cisco).

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swdhcp82.html#wp1058243
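The decision DHCP snooping makes, as an added Python example that is not part of the answer above or of Cisco's documentation: it parses DHCP payloads and reports server messages (OFFER, ACK, NAK) arriving on any port not marked trusted, along with the sender's MAC and server identifier. The port names, MAC addresses, IP addresses and the `build` helper are constructed for the demo, and the model is simplified to the trust check only.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # messages only a server sends

def parse_dhcp(payload):
    """Return (message_type, server_id) from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg_type, server_id, i = None, None, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:              # DHCP message type
            msg_type = value[0]
        elif code == 54 and length == 4:            # server identifier
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return msg_type, server_id

def snoop(frames, trusted_ports):
    """Simplified snooping check: server messages pass only on trusted ports."""
    dropped = []
    for port, src_mac, payload in frames:
        msg_type, server_id = parse_dhcp(payload)
        if msg_type in SERVER_TYPES and port not in trusted_ports:
            dropped.append((port, src_mac, server_id, SERVER_TYPES[msg_type]))
    return dropped

def build(msg_type, server_ip=None):
    """Construct a minimal DHCP payload for the demo (not captured traffic)."""
    opts = bytes([53, 1, msg_type])
    if server_ip:
        opts += bytes([54, 4]) + socket.inet_aton(server_ip)
    op = 2 if msg_type in SERVER_TYPES else 1       # BOOTREPLY or BOOTREQUEST
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + opts + b"\xff"

# Constructed sample frames: (switch port, source MAC, DHCP payload).
FRAMES = [
    ("gi1", "00:00:5e:00:53:01", build(2, "192.0.2.1")),      # real server's port
    ("gi24", "00:00:5e:00:53:99", build(2, "198.51.100.1")),  # offer on another port
    ("gi7", "00:00:5e:00:53:10", build(1)),                   # client DISCOVER
]

if __name__ == "__main__":
    for hit in snoop(FRAMES, trusted_ports={"gi1"}):
        print("dropped server message:", hit)
```

The dropped entries name the ingress port and source MAC of the second server, which is the same information needed to trace the device physically.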
