02-23-2012 08:02 PM - edited 03-07-2019 05:08 AM
Hi there,
I have encountered a weird issue on our Cat3750 running as a DHCP server.
I have excluded only 5 IP addresses in the running configuration, as below.
ip dhcp excluded-address 172.28.196.1 172.28.196.4
ip dhcp excluded-address 172.28.196.62
ip dhcp pool Wireless-business
network 172.28.196.0 255.255.255.192
default-router 172.28.196.1
dns-server 172.28.144.7 172.28.128.3
netbios-name-server 172.28.144.7 172.28.128.3
netbios-node-type h-node
However, "show ip dhcp pool" shows the below, and users cannot get a new IP address assigned by this switch anymore.
Why is the number of excluded address 30 even though we set it as 5?
Pool Wireless-business :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 62
Leased addresses : 32
Excluded addresses : 30
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
0.0.0.0 172.28.196.1 - 172.28.196.62 32 / 30 / 62
When I reset the configuration, users can get a new IP address, but
30 minutes after I reset the configuration we already have the below, so the same issue will happen again soon.
Pool Wireless-business :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 62
Leased addresses : 25
Excluded addresses : 26
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
172.28.196.50 172.28.196.1 - 172.28.196.62 25 / 26 / 62
Actually, the below is the current result, and users cannot get a new IP address from the switch.
Pool Wireless-business :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 62
Leased addresses : 36
Excluded addresses : 26
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
0.0.0.0 172.28.196.1 - 172.28.196.62 36 / 26 / 62
IOS version is c3750-ipbasek9-mz.122-53.SE/c3750-ipbasek9-mz.122-53.SE.bin
Can anyone help us out with this issue?
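As an added example (not part of the original post), here is a small Python audit that parses the "show ip dhcp pool" output and the excluded-address lines quoted above and computes what the post is asking about: how many addresses the configuration actually excludes, how many the switch reports as excluded, and whether the pool is exhausted (leased + excluded = total). The sample text is the poster's own output, re-typed with the column spacing assumed; the function names are mine.

```python
import re
import ipaddress

# Output and config copied from the post above (spacing assumed).
SHOW_POOL = """\
Pool Wireless-business :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 62
 Leased addresses               : 32
 Excluded addresses             : 30
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index   IP address range                 Leased/Excluded/Total
 0.0.0.0         172.28.196.1 - 172.28.196.62     32 / 30 / 62
"""

CONFIG = """\
ip dhcp excluded-address 172.28.196.1 172.28.196.4
ip dhcp excluded-address 172.28.196.62
ip dhcp pool Wireless-business
 network 172.28.196.0 255.255.255.192
"""

def configured_exclusions(config: str) -> int:
    """Count addresses covered by 'ip dhcp excluded-address LOW [HIGH]' lines."""
    count = 0
    for m in re.finditer(r"ip dhcp excluded-address (\S+)(?: (\S+))?", config):
        low = int(ipaddress.IPv4Address(m.group(1)))
        high = int(ipaddress.IPv4Address(m.group(2) or m.group(1)))
        count += high - low + 1
    return count

def parse_pool(show_output: str) -> dict:
    """Pull the Total/Leased/Excluded counters out of 'show ip dhcp pool'."""
    fields = {}
    for key in ("Total", "Leased", "Excluded"):
        m = re.search(rf"{key} addresses\s*:\s*(\d+)", show_output)
        fields[key.lower()] = int(m.group(1))
    fields["free"] = fields["total"] - fields["leased"] - fields["excluded"]
    return fields

def audit(show_output: str, config: str) -> dict:
    """Compare the reported exclusions with the configured ones and flag exhaustion."""
    pool = parse_pool(show_output)
    pool["configured_excluded"] = configured_exclusions(config)
    # Addresses the switch counts as excluded but the config does not explain.
    pool["unexplained_excluded"] = pool["excluded"] - pool["configured_excluded"]
    pool["exhausted"] = pool["free"] <= 0
    return pool
```

For the first output in the post this reports 5 configured exclusions against 30 reported, 25 unexplained, and an exhausted pool (32 + 30 = 62), which is the gap the replies below try to account for.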
02-27-2012 01:55 AM
Hello,
You can possibly have requests leaking between VLANs.
Check "show ip dhcp conflict" first.
If you see any IP in the conflict DB, then clear this IP address and try the following:
run Wireshark on the client, and run debug ip dhcp server packet, debug ip dhcp server
events, and debug arp on the switch (DHCP server).
See if the client sends a DHCP discover in one VLAN and the switch gets it in a different VLAN.
A quick check can also be disabling proxy-arp.
Nik
03-28-2018 09:14 PM
An untrusted DHCP message is a message that is received from outside the network or firewall. When you use DHCP snooping in a service-provider environment, an untrusted message is sent from a device that is not in the service-provider network, such as a customer's switch. Messages from unknown devices are untrusted because they can be sources of traffic attacks.
The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch. It does not have information regarding hosts interconnected with a trusted interface.
In a service-provider network, a trusted interface is connected to a port on a device in the same network. An untrusted interface is connected to an untrusted interface in the network or to an interface on a device that is not in the network.
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.
The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
• The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.
• A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.
If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database.
When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as dynamic ARP inspection or IP source guard, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on untrusted input interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
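As an added example (my own code, not Cisco's implementation), the following Python models the DHCP snooping drop rules listed above as one decision function: server messages on untrusted ports, source-MAC/chaddr mismatch, RELEASE/DECLINE from a port that does not match the binding database, non-zero giaddr, and option-82 on an untrusted port unless "allow-untrusted" is set. The packet fields, interface names and MAC addresses are constructed for the demo.

```python
from dataclasses import dataclass

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}

@dataclass
class DhcpPacket:
    msg_type: str            # e.g. "DHCPDISCOVER", "DHCPACK", "DHCPRELEASE"
    iface: str               # ingress interface (constructed names like "Gi1/0/1")
    trusted: bool            # ingress interface configured as trusted?
    src_mac: str             # Ethernet source MAC
    chaddr: str              # DHCP client hardware address field
    giaddr: str = "0.0.0.0"  # relay-agent IP address
    option82: bool = False   # relay-agent information option present?

def snooping_verdict(pkt, bindings, allow_untrusted=False, verify_mac=True):
    """Return ('forward'|'drop', reason) for a packet seen in a snooping-enabled VLAN.
    `bindings` maps client MAC -> interface, as in the snooping binding database."""
    if pkt.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
        bound_iface = bindings.get(pkt.chaddr.lower())
        if bound_iface is not None and bound_iface != pkt.iface:
            return "drop", "release/decline from interface that does not match binding"
    if pkt.trusted:
        return "forward", "trusted interface"      # no further checks, no binding learned
    if pkt.msg_type in SERVER_MESSAGES:
        return "drop", "server message on untrusted interface"
    if verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "drop", "source MAC does not match client hardware address"
    if pkt.giaddr != "0.0.0.0":
        return "drop", "non-zero relay-agent address on untrusted interface"
    if pkt.option82 and not allow_untrusted:
        return "drop", "option-82 on untrusted interface (allow-untrusted not set)"
    return "forward", "client message passed checks"

def demo(allow_untrusted=False):
    """Run a constructed set of packets against one binding and return the actions."""
    mac = "00:11:22:33:44:55"
    bindings = {mac: "Gi1/0/1"}           # client learned on Gi1/0/1 (constructed)
    cases = {
        "discover_ok": DhcpPacket("DHCPDISCOVER", "Gi1/0/1", False, mac, mac),
        "rogue_offer": DhcpPacket("DHCPOFFER", "Gi1/0/2", False, "aa:bb:cc:dd:ee:ff", mac),
        "spoofed_chaddr": DhcpPacket("DHCPDISCOVER", "Gi1/0/2", False, "aa:bb:cc:dd:ee:ff", mac),
        "release_wrong_port": DhcpPacket("DHCPRELEASE", "Gi1/0/2", False, mac, mac),
        "edge_switch_opt82": DhcpPacket("DHCPDISCOVER", "Gi1/0/24", False, mac, mac, option82=True),
        "server_ack": DhcpPacket("DHCPACK", "Gi1/0/48", True, "aa:bb:cc:dd:ee:ff", mac),
    }
    return {name: snooping_verdict(p, bindings, allow_untrusted)[0] for name, p in cases.items()}
```

Run `demo()` and `demo(allow_untrusted=True)` to see that only the option-82 case changes between the two aggregation-switch configurations described above.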