528 Views | 3 Helpful | 8 Replies

IOS DHCP shows a lot of conflict, who sends the ARP reply?

seanxiao
Level 1

Environment:

Cisco IOS Software, s2t54 Software (s2t54-ADVENTERPRISEK9-M), Version 15.5(1)SY10, RELEASE SOFTWARE (fc1)

Cisco WS-C6506-E (M8572) x2 in VSS mode.

I configured a DHCP server on the switch; the configuration is below:

====

sw001#show run | section dhcp
ip dhcp pool Vlan404
network 10.80.4.0 255.255.255.0
next-server 10.80.131.17
default-router 10.80.4.1
dns-server 10.80.131.10 10.80.131.11
option 60 ascii "PXEClient"
lease 0 2
errdisable recovery cause dhcp-rate-limit
class-map match-all class-copp-dhcp-snooping
snmp-server enable traps dhcp-snooping bindings

====

This DHCP pool is only for a specific VLAN, 404, whose gateway (SVI) also resides on this VSS; the configuration is as below:

====

sw001#show run interface vlan 404
Building configuration...

Current configuration : 169 bytes
!
interface Vlan404
description desc="10.80.4.10/24_core_intune_test"
ip address 10.80.4.1 255.255.255.0
no ip redirects
ip policy route-map RM_ORANGE_DEFROUTE
end

====

I trunked VLAN 404 to one of our access switches, then connected a laptop for SCCM imaging to a switchport in VLAN 404 on the access switch. The connection is: laptop -> RJ45-to-Type-C dongle -> switchport.

After the SCCM imaging, the laptop goes to the Microsoft Autopilot task sequence with Internet access. I observed that the access switch shows interface up/down logs, but the laptop is powered on; I can see it.

I can see lots of DHCP conflicts using show ip dhcp conflict on the VSS. The following output is just a small part. Actually there are only 1 or 2 laptops alive simultaneously in VLAN 404; if the IP conflict is detected by gratuitous ARP, who is the one sending the ARP reply?

[Image attachment: MicrosoftTeams-image.png, screenshot of the show ip dhcp conflict output]

===

Please advise and thanks a lot.

8 Replies

It can be that Windows has a virus or SW using IP tracking.

This affects the DHCP.

balaji.bandi
Hall of Fame

What access switch model and IOS code are running?

Clear all the ARP entries and try adding: ip arp gratuitous none

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ruben Cocheno
Spotlight

@seanxiao 

If you have configured ip dhcp ping parameters (highly recommended), the router will ping the IP address it intends to allocate to a client before replying to the DHCP request. If the router receives an ICMP Echo Reply message (response to ping), the address is obviously in use. If DHCP conflict logging is enabled (default), the router will log the conflict with a syslog message (not in a separate log file) and put the address on the list of conflicts. The addresses on that list (displayed with show ip dhcp conflict) are not used in the future (similar to the addresses configured with the ip dhcp excluded-address command). To reuse a conflicting address, the network operator has to remove it from the list with the clear ip dhcp conflict address (or * for all addresses) command.

The DHCP conflict logging makes sense if the router uses persistent DHCP bindings (called DHCP database agents in Cisco IOS), otherwise any addresses allocated prior to a router reload would be reported as conflicts after the bindings are lost. If you don't use DHCP agents, it's thus best to turn off conflict logging with the no ip dhcp conflict logging configuration command. Even without conflict logging, there's no DHCP functionality loss and no chance of duplicate address allocation, as the router would still check whether an IP address is active before allocating it (and later on, it would be willing to re-check the conflicting IP address).

If you don't use DHCP database agents and you don't disable conflict logging (default setup), you'll have to clear the conflicts manually after a reload and you might potentially exhaust the DHCP pool because of a large number of blocked conflicting addresses.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Thanks. I've removed the DHCP server from the Cisco switch. I use FortiGate DHCP instead.

Hello
It's possible DHCP is in a cycle of excluding IP allocation due to conflict logging being enabled (meaning previously allocated IP addresses have been registered as conflicts (client GARP) and are now excluded from being reused). <-- sh ip dhcp pool

Core switch
no ip dhcp conflict logging <-- I don't see any reference to a database agent, so disable this feature, as it could eventually exhaust your DHCP pool(s), as above.

ip dhcp pool Vlan404

no next-server <-- not required, as the DHCP server is residing on the L3 device servicing the clients

On all L2 access switch(es) enable DHCP snooping:
ip dhcp snooping
ip dhcp snooping vlan 404


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
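Ruben's description of the conflict list and Paul's advice to turn off conflict logging when no database agent keeps the bindings can be modelled in a few lines. The Python below is an added example, not IOS code and not from anyone in this thread: a toy IOS-style pool that pings before offering, parks answering addresses on a conflict list, loses its bindings on reload unless a database agent is configured, and records a client-side gratuitous ARP detection (the client ARP-probes its new address, another host answers, the client declines the lease and the server marks the address as a "Gratuitous ARP" conflict). The /29 network, the client names and the sets of hosts that answer ping are constructed.

```python
"""Toy model of Cisco IOS DHCP allocation with conflict logging.

Added example; not IOS code. It reproduces the behaviour described in the
replies: ping-before-offer, a conflict list that blocks addresses until an
operator clears it, client-side gratuitous ARP detection, and pool
exhaustion after a reload when no database agent preserves the bindings.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class IosDhcpPool:
    network: str                       # constructed, e.g. "10.80.4.0/29"
    excluded: set = field(default_factory=set)    # like ip dhcp excluded-address
    conflict_logging: bool = True      # IOS default; False = no ip dhcp conflict logging
    database_agent: bool = False       # persistent bindings survive a reload
    bindings: dict = field(default_factory=dict)  # ip -> client id
    conflicts: dict = field(default_factory=dict) # ip -> detection method

    def _free_addresses(self):
        """Addresses the server is willing to try, in ascending order."""
        for host in ipaddress.ip_network(self.network).hosts():
            ip = str(host)
            if ip in self.excluded or ip in self.bindings or ip in self.conflicts:
                continue
            yield ip

    def allocate(self, client_id, answers_ping):
        """Offer the first free address that does not answer the pre-offer ping.

        `answers_ping` stands in for the hosts alive on the VLAN (an ICMP echo
        reply comes back). With conflict logging on, an address that answers
        is parked on the conflict list; with it off, the address is merely
        skipped this time and re-checked on later requests.
        """
        for ip in self._free_addresses():
            if ip in answers_ping:
                if self.conflict_logging:
                    self.conflicts[ip] = "Ping"
                continue
            self.bindings[ip] = client_id
            return ip
        return None                    # pool exhausted

    def client_decline(self, ip):
        """The client ARP-probed its new address, another host replied, and the
        client declined the lease; the server records a Gratuitous ARP conflict."""
        self.bindings.pop(ip, None)
        if self.conflict_logging:
            self.conflicts[ip] = "Gratuitous ARP"

    def reload(self):
        """Bindings are lost on reload unless a database agent stored them."""
        if not self.database_agent:
            self.bindings.clear()

    def clear_conflict(self, ip="*"):
        """Equivalent of: clear ip dhcp conflict <address> | *"""
        if ip == "*":
            self.conflicts.clear()
        else:
            self.conflicts.pop(ip, None)


def reload_scenario(conflict_logging):
    """Three clients keep their leases across a reload, two more join, the
    first three leave, then a sixth client asks for an address."""
    pool = IosDhcpPool("10.80.4.0/29", excluded={"10.80.4.1"},
                       conflict_logging=conflict_logging)
    alive = set()                      # hosts that answer the server's ping
    for client in ("c1", "c2", "c3"):
        alive.add(pool.allocate(client, alive))
    pool.reload()                      # no database agent: bindings are gone
    alive.add(pool.allocate("c4", alive))
    alive.add(pool.allocate("c5", alive))
    alive -= {"10.80.4.2", "10.80.4.3", "10.80.4.4"}   # c1..c3 have left
    sixth = pool.allocate("c6", alive)
    return {"sixth_client": sixth, "conflicts": dict(pool.conflicts)}


def garp_scenario():
    """A silent host already owns .2 (no ICMP reply), so the ping check passes;
    the client's own ARP probe finds it and the lease is declined."""
    pool = IosDhcpPool("10.80.4.0/29", excluded={"10.80.4.1"})
    first = pool.allocate("laptop", answers_ping=set())
    pool.client_decline(first)
    second = pool.allocate("laptop", answers_ping=set())
    method = pool.conflicts[first]
    pool.clear_conflict(first)         # operator clears it; .2 is usable again
    third = pool.allocate("other", answers_ping=set())
    return first, method, second, third


if __name__ == "__main__":
    print("logging on :", reload_scenario(True))
    print("logging off:", reload_scenario(False))
    print("garp       :", garp_scenario())
```

Running it shows the two outcomes the replies describe. With conflict logging on and no database agent, the three addresses still in use after the reload are parked as Ping conflicts and the sixth client gets nothing, even though those three addresses are free again by then; with conflict logging off, the same addresses are skipped only while they answer ping and are handed out again once they fall silent. In the GARP scenario the ARP reply that flags the duplicate comes from the host already using the address, answering the client's own probe; the server only learns of it when the client declines, and the entry stays on the list until it is cleared.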

Thanks for the help.

The next-server option is used for PXE boot.

I have removed the DHCP server from the Cisco switch and set up the FortiGate firewall as the DHCP server. Thanks.

Hello
Okay, no worries, but I would still suggest applying DHCP snooping at your access layer.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Great suggestion!
