Solved: Yes it will affect because it

Dean Romanelli · ‎08-31-2016

Hi All,

I have a 3750 switch with 2 DHCP servers configured on it below. "VOIP" and "Guest" work fine. I added a 3rd one, "Staff," last night, but no one on the "Staff" pool subnet is able to get an address (comes up with169.254's). What am I doing wrong below? Do 3750's only allow for 2 DHCP servers? Is it because I have 2 excluded ranges for the Staff pool while I only have 1 for the others? Or perhaps it is because the Staff vlan has a secondary IP address on it?

ip dhcp excluded-address 10.16.73.1 10.16.73.10
!
ip dhcp pool VOIP
   network 10.16.73.0 255.255.255.0
   default-router 10.16.73.1
   domain-name xxxxxxx.com
   dns-server 8.28.0.9 192.84.18.11
   option 42 ip 10.16.73.1
   lease infinite
!
interface Vlan21
description Voice Vlan
ip address 10.16.73.1 255.255.255.0
====================================================

ip dhcp excluded-address 10.155.201.1 10.155.201.20

ip dhcp pool Guest
   network 10.155.201.0 255.255.255.0
   default-router 10.155.201.1
   domain-name xxxxxxx.com
   dns-server 8.8.8.8 4.2.2.2
   option 42 ip 10.155.201.1

interface Vlan22
description Guest Vlan
ip address 10.155.201.1 255.255.255.0
=====================================================

ip dhcp excluded-address 192.168.201.1 192.168.201.75
ip dhcp excluded-address 192.168.201.233 192.168.201.254
!
ip dhcp pool Staff
   network 192.168.201.0 255.255.255.0
   default-router 192.168.201.15
   domain-name xxxxxx.corp
   dns-server 198.xxx.xxx.236 198.xxx.xxx.154
   option 42 ip 192.168.201.15

interface Vlan11
description Staff Vlan
ip address 10.16.200.15 255.255.252.0 secondary
ip address 192.168.201.15 255.255.255.0

Francesco Molino · ‎09-01-2016

Hi

Ok let me reply to all your question.

You can run debugs on your production if you filter your debugs. I mean Never run debug all. For sure when you run debug, it can affect cpu and memory but won't drop all traffic. You can activate multiple debug for troubleshooting but keep in mind to filter all your debugs
You don't need IP help-address.
The secondary IP will not impact

In your case, you have a lot of conflict because you have the dhcp ping feature enable and the switch found out that its dhcp ip have already been assigned.

You have several things you can do:

Activate a dhcp database locally on the switch or on a tftp. This will allow the switch to keep all ip distributed even after a reboot.
You can deactivate the logging of conflict
You have to clear all conflict in order to make it working back

Here are some good documentation:

http://blog.ipspace.net/2007/08/dhcp-conflict-logging-true-story.html

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/configuration/guide/3750scg/swdhcp82.html#wp1329730

https://supportforums.cisco.com/discussion/11705491/3750-not-handing-out-ip-addresses

http://www.aubrett.com/InformationTechnology/RoutingandSwitching/Cisco/CiscoRouters/TFTPDHCPAgent.aspx

Hope this helps.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎08-31-2016

Hi

I don't see any miss configuration.

Your devices on vlan 11 are not getting any IP address?

The secondary ip doesn't matter with the pool dhcp. It matter only if you want to offer lease in the secondary subnet.

Could you do a "debug platform ip dhcp all" while you're connecting a device on van 11?

thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dean Romanelli · ‎09-01-2016

Hi,

Thanks for checking this out. I can run the debug command but I will have to set a maintenance window for it. Can you confirm that running only that debug command will not cause overhead to the point of making the switch unusable for the site? I've always been told running debug is dangerous on production devices.

If not, perhaps it is that my DHCP pool was exhausted. Though I have a pool of 155 addresses and the DHCP active leases only came in at 91 when I counted yesterday. Still, I've seen other posts where people have exhaustion even though their binding tables don't reflect that. Though when I moved the DHCP server off of the switch and back onto the ASA, everyone popped right up, so I doubt this was the issue.

Maybe I need to specify IP helper address on vlan 11 since it has 2 addresses? I find it coincidental that everything worked fine when I moved it back to the ASA, and the ASA doesn't know anything about the 10.16.200.X subnet, it only knows vlan 11 as being 192.168.201.X. Might be worth trying.

Only other thing I can think of is maybe the switch stack just needs to be reloaded. It has been up for 3 years at this point.

Dean Romanelli · ‎09-01-2016

Just took a look at the logs and found the below. Wondering if this has anything to do with it.

SW201RedwoodCore-EUC3750A-4X# show log | inc DHCPD
Aug 30 18:14:04.755: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.77.
Aug 30 18:15:02.578: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 10.155.201.22.
Aug 30 18:15:43.339: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.79.
Aug 30 18:17:53.406: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.82.
Aug 30 18:20:42.255: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.85.
Aug 30 18:20:43.261: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.86.
Aug 30 18:20:44.268: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.87.
Aug 30 18:20:45.275: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.88.
Aug 30 18:22:04.280: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.90.
Aug 30 18:23:23.847: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.92.
Aug 30 18:27:53.570: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 001b.4f01.22f3 declined 192.168.201.96.
Aug 30 18:27:56.565: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.97.
Aug 30 18:27:57.572: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.98.
Aug 30 18:32:46.496: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.102.
Aug 30 18:35:58.665: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.105.
Aug 30 18:47:10.821: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.113.
Aug 30 18:50:26.060: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.116.
Aug 30 19:03:19.844: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.125.
Aug 30 19:12:56.469: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 001b.4f01.22f3 declined 192.168.201.132.
Aug 30 19:16:13.772: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 001b.4f01.22f3 declined 192.168.201.135.
Aug 30 19:22:43.219: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.140.
Aug 30 19:22:44.225: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.141.
Aug 30 19:22:46.239: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 001b.4f01.22f3 declined 192.168.201.142.
Aug 30 19:29:18.579: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.147.
Aug 30 19:32:32.879: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.150.
Aug 30 19:32:33.894: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.151.
Aug 30 19:32:34.901: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.152.
Aug 30 19:35:48.068: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.155.
Aug 30 19:37:24.706: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.157.
Aug 30 19:40:38.486: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.160.
Aug 30 19:49:31.539: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.167.
Aug 30 19:49:32.554: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.168.
Aug 30 19:52:45.789: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.171.
Aug 30 19:52:46.795: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.172.
Aug 30 19:52:48.809: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 001b.4f01.22f3 declined 192.168.201.173.
Aug 30 19:52:56.778: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.174.
Aug 30 19:52:57.785: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.175.
Aug 30 19:52:58.791: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.176.
Aug 30 19:54:35.379: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.178.
Aug 30 19:54:36.386: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.179.
Aug 30 19:54:37.392: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.180.
Aug 30 19:56:14.962: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.182.
Aug 30 19:56:16.975: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 001b.4f01.22f3 declined 192.168.201.183.
Aug 30 20:07:37.502: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.191.
Aug 30 20:12:27.333: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.195.
Aug 30 20:12:29.346: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 001b.4f01.22f3 declined 192.168.201.196.
Aug 30 20:15:55.030: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 001b.4f01.22f3 declined 192.168.201.199.
Aug 30 20:20:46.807: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.203.
Aug 30 20:31:57.956: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.211.
Aug 30 20:33:34.569: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.213.
Aug 30 20:36:49.741: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.216.
Aug 30 20:38:25.331: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.218.
Aug 30 20:38:26.338: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.219.
Aug 30 20:46:27.331: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.225.
Aug 30 20:46:29.353: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 001b.4f01.22f3 declined 192.168.201.226.
Aug 30 20:46:38.329: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.227.
Aug 30 20:48:15.941: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.229.
Aug 30 20:48:16.947: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.230.
Aug 30 20:48:17.954: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.231.
Aug 30 20:48:18.961: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.232.
Aug 30 21:40:30.842: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 001b.4f01.22f3 declined 192.168.201.127.
Aug 31 06:20:09.618: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 10.155.201.27.
Aug 31 06:35:38.079: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.228.
Aug 31 06:35:39.086: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.76.
Aug 31 06:43:40.018: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.94.
Aug 31 07:39:49.269: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.198.
Aug 31 07:41:26.839: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.204.
Aug 31 07:53:36.381: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.93.
Aug 31 07:55:01.435: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.101.
Aug 31 07:56:39.936: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.111.
Aug 31 07:57:58.320: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 10.155.201.44.
Aug 31 08:41:39.496: %DHCPD-4-DECLINE_CONFLICT: DHCP address conflict: client 0160.9217.2bea.1d declined 10.155.201.66.
Aug 31 08:56:12.387: %DHCPD-4-PING_CONFLICT: DHCP address conflict: server pinged 192.168.201.190.

Francesco Molino · ‎09-01-2016

Hi

Ok let me reply to all your question.

You can run debugs on your production if you filter your debugs. I mean Never run debug all. For sure when you run debug, it can affect cpu and memory but won't drop all traffic. You can activate multiple debug for troubleshooting but keep in mind to filter all your debugs
You don't need IP help-address.
The secondary IP will not impact

In your case, you have a lot of conflict because you have the dhcp ping feature enable and the switch found out that its dhcp ip have already been assigned.

You have several things you can do:

Activate a dhcp database locally on the switch or on a tftp. This will allow the switch to keep all ip distributed even after a reboot.
You can deactivate the logging of conflict
You have to clear all conflict in order to make it working back

Here are some good documentation:

http://blog.ipspace.net/2007/08/dhcp-conflict-logging-true-story.html

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/configuration/guide/3750scg/swdhcp82.html#wp1329730

https://supportforums.cisco.com/discussion/11705491/3750-not-handing-out-ip-addresses

http://www.aubrett.com/InformationTechnology/RoutingandSwitching/Cisco/CiscoRouters/TFTPDHCPAgent.aspx

Hope this helps.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dean Romanelli · ‎09-01-2016

Excellent, thanks very much for your help. I sent in my last reply (about my theory) before seeing you replied 10 minutes ago, sorry about that.

I will try disabling conflict logging and clear the conflict table and see if that resolves the problem.

Thanks again.

Dean Romanelli · ‎09-01-2016

Ok, so here's my theory. Not positive but it is the only thing that makes sense.

On the evening of August 30th, I changed the DHCP server for the staff subnet from my ASA to my 3750 core switch, in an effort to centralize all DHCP servers. On the ASA, the lease time was configured to 24 hours. I then disabled DHCP on the ASA and moved it to the 3750. However, all of those leases the ASA had already given out were still active, so clients had no reason to ask for a new address. This is why there was no impact when I initially moved it over to the 3750.

I told the 3750 the pool range for distribution was .75 - .233, same as when it was on the ASA. When the 3750 started giving out it's own leases, it would do it's ping checks before making the offer to make sure that the IP it wants to give out is not in use. However, when it received a reply to the address it wanted to give out, since it wasn't the DHCP server that originally gave it out, it just views it as a conflict, and moves it to the blacklist table.

Rinse and repeat this over and over and eventually we have an exhausted DHCP pool with a combination of the conflict table and the active leases, which explains why users were able to get addresses at first, but then were no longer able to do so.

Sounds like what I need to do is either A) Find a way to make all the client as for new leases once the DHCP server is moved, or B) Clear the conflict table, and then disable conflict logging. I think option B is more feasible.

Your thoughts are appreciated.

Francesco Molino · ‎09-01-2016

Yes option B is what you need to do. However, I will also configure a dhcp database to store all lease and not getting back this issue if the stack reboots and lease are still alive.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dean Romanelli · ‎09-01-2016

If conflict logging is disabled and the switch reboots, we shouldn't see that issue again even without the dhcp database being moved to flash though right?

Francesco Molino · ‎09-01-2016

If you remove the logging then in case the problem occurs again, you won't see anything until you issue the command sh ip dhcp conflict.

That's why I recommend to use also the dhcp database feature.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dean Romanelli · ‎09-01-2016

Ok, gotcha. So basically I need to issue dhcp database Flash:dhcp.txt

Will that be service affecting in any way to my existing DHCP instances that are running without a problem?

Francesco Molino · ‎09-01-2016

Yes it will affect because it will store all what it have in RAM into database

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

3rd DHCP instance not working on 3750 Switch