Solved: Re: Rogue DHCP source???

victoriabardy · ‎09-08-2025

I am seeng a very strange issue with one of our vlans on the switches. We source this particular vlan from the firewall and there is no sign of the ip subnet that is showing up on our core switch on the firewall. Our scope that should be assigned is 192.168.80.X but we keep getting 192.168.201.X and I can't locate the source or why this is happening all of a sudden? I did a debug of the dhcp and got the following output:

8 21:42:17.010: vendor-class-data-len 11
Sep 8 21:42:17.010: data: C9500-4XXXX
Sep 8 21:42:17.010: DHCP: SRequest: 351 bytes
Sep 8 21:42:17.010: DHCP: SRequest: 351 bytes
Sep 8 21:42:17.010: B'cast on Vlan800 interface from 0.0.0.0
Sep 8 21:42:17.010: DHCP: Received a BOOTREP pkt
Sep 8 21:42:17.010: DHCP: Scan: Message type: DHCP Offer
Sep 8 21:42:17.010: DHCP: Scan: Server ID Option: 192.168.80.2 = C0AXXXXX
Sep 8 21:42:17.010: DHCP: Scan: Lease Time: 43200
Sep 8 21:42:17.010: DHCP: Scan: Subnet Address Option: 255.255.252.0
Sep 8 21:42:17.010: DHCP: Scan: DNS Name Server Option: 8.8.8.8, 8.8.4.4
Sep 8 21:42:17.010: DHCP: Scan: Router Option: 192.168.80.1
Sep 8 21:42:17.010: DHCP: rcvd pkt source: 208.XXX.VV.XXX, destination: 255.255.255.255
Sep 8 21:42:17.010: UDP sport: 43, dport: 44, length: 308
Sep 8 21:42:17.010: DHCP op: 2, htype: 1, hlen: 6, hops: 0
Sep 8 21:42:17.010: DHCP server identifier: 192.168.80.2
Sep 8 21:42:17.010: xid: BE4AF4FC, secs: 0, flags: 8000
Sep 8 21:42:17.010: client: 0.0.0.0, your: 192.168.80.255
Sep 8 21:42:17.010: srvr: 0.0.0.0, gw: 0.0.0.0
Sep 8 21:42:17.010: options block length: 60

Sep 8 21:42:17.010: DHCP Offer Message Offered Address: 192.168.80.255
Sep 8 21:42:17.010: DHCP: Lease Seconds: 43200
Sep 8 21:42:17.010: DHCP: Server ID Option: 192.168.80.2
Sep 8 21:42:17.010: DHCP: offer received from 192.168.80.2
Sep 8 21:42:17.010: DHCP: offer received in bad state: Requesting punt
Sep 8 21:42:17.016: DHCP: Received a BOOTREP pkt
Sep 8 21:42:17.016: DHCP: Scan: Message type: DHCP Ack
Sep 8 21:42:17.016: DHCP: Scan: Server ID Option: 192.168.201.1 = C0X9XXX
Sep 8 21:42:17.016: DHCP: Scan: Lease Time: 3599
Sep 8 21:42:17.016: DHCP: Scan: Renewal time: 1799
Sep 8 21:42:17.016: DHCP: Scan: Rebind time: 3149
Sep 8 21:42:17.016: DHCP: Scan: Subnet Address Option: 255.255.255.0
Sep 8 21:42:17.016: DHCP: Scan: option 28 len 4 not importable
Sep 8 21:42:17.016: DHCP: Scan: Router Option: 192.168.201.1
Sep 8 21:42:17.016: DHCP: Scan: DNS Name Server Option: 192.168.201.1
Sep 8 21:42:17.016: DHCP: Scan: Vendor specific option 43: 414E44524F4944XXXXXXXXXXXXXXXXX
Sep 8 21:42:17.016: DHCP: rcvd pkt source: 192.168.201.1, destination: 255.255.255.255
Sep 8 21:42:17.016: UDP sport: 43, dport: 44, length: 318
Sep 8 21:42:17.016: DHCP op: 2, htype: 1, hlen: 6, hops: 0
Sep 8 21:42:17.016: DHCP server identifier: 192.168.201.1
Sep 8 21:42:17.016: xid: BE4AF4FC, secs: 0, flags: 8000
Sep 8 21:42:17.016: client: 0.0.0.0, your: 192.168.201.196
Sep 8 21:42:17.016: srvr: 192.168.201.1, gw: 0.0.0.0
Sep 8 21:42:17.016: options block length: 70

Sep 8 21:42:17.016: DHCP Ack Message
Sep 8 21:42:17.016: DHCP: Lease Seconds: 3599 Renewal secs: 1799 Rebind secs: 3149
Sep 8 21:42:17.016: DHCP: Server ID Option: 192.168.201.1
Sep 8 21:42:20.016: DHCP: Offered Address has no conflicts
Sep 8 21:42:20.017: DHCP: Releasing ipl options:
Sep 8 21:42:20.017: DHCP: Applying DHCP options:
Sep 8 21:42:20.017: Adding default route 192.168.201.1
Sep 8 21:42:21.017: Adding DNS server address 192.168.201.1
Sep 8 21:42:21.017: DHCPC: Notifying other components about option 43
Sep 8 21:42:21.017: %PNP-6-PNP_DHCP_NON_PNP_OPTION_NOTIFIED: DHCP non-PnP option (ANDROID_METERED) on interface (Vlan800) notified (1/3) by (pid=591, pname=DHCP Client, time=21:42:21 UTC Mon Sep 8 2025)
Sep 8 21:42:21.017: DHCP: Sending notification of ASSIGNMENT:
Sep 8 21:42:21.017: Address 192.168.201.196 mask 255.255.255.0
Sep 8 21:42:21.017: DHCP Client Pooling: ***Allocated IP address: 192.168.201.196
Sep 8 21:42:21.140: Allocated IP address = 192.168.201.196 255.255.255.0

Any ideas based on this output??

Please let me know.

Thank you.

victoriabardy · ‎09-09-2025

We figured it out. New equipment had been configured on Friday that must have dhcp function turned on. When I disabled the new equipment uplink ports the normal dhcp process was back. Thank you for the input here.

View solution in original post

MHM Cisco World · ‎09-08-2025

Can I see

Show ip interface breif

MHM

victoriabardy · ‎09-08-2025

Hi MHM Cisco World,

Here is that output:

NUSGDXXXRIWSW01#show ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM up up
Vlan100 10.11.103.1 YES NVRAM up up
Vlan101 10.11.106.1 YES NVRAM up up
Vlan102 10.11.25.1 YES NVRAM up up
Vlan150 10.11.109.1 YES NVRAM up up
Vlan151 10.11.118.1 YES NVRAM up up
Vlan200 10.11.116.1 YES NVRAM up up
Vlan300 10.11.115.1 YES NVRAM up up
Vlan400 10.11.122.8 YES NVRAM up up
Vlan700 10.197.2.1 YES NVRAM down down
Vlan992 10.241.2.120 YES NVRAM up up
GigabitEthernet0/0 unassigned YES NVRAM administratively down down
TwentyFiveGigE1/0/1 unassigned YES unset up up

There is no sign of a 192.168.201.X anywhere on the network until I try to pull an IP for this vlan.

victoriabardy · ‎09-09-2025

We figured it out. New equipment had been configured on Friday that must have dhcp function turned on. When I disabled the new equipment uplink ports the normal dhcp process was back. Thank you for the input here.

MHM Cisco World · ‎09-09-2025

You are so welcome

MHM

MHM Cisco World · ‎09-09-2025

Ok'

Port assign to these client which vlan?

Let say vlan100

Under vlan 100 there is any ip helper address?

Show ip interface breif dont show any link have IP x.x.201.x but it can this IP in FW' check this also

MHM