Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5770
Views
10
Helpful
8
Replies

Strange IPs in DHCP Binding Table

Go to solution
Emmanouil Patiniotakis
Level 1
Level 1

‎09-04-2012 02:30 AM - edited ‎03-07-2019 08:40 AM

Hello,

I have set up a dhcp server in a router for the wireless clients that exist in VLAN 10. I noticed that as soon as I set up the DHCP some strange "MACs" have been given IP (through the command sh ip dhcp bindings). After only a few minutes the pool was exhausted and no normal users can grant an IP address. The output from binding table is shown below:

10.4.216.52         01d8.b377.7b47.31       Sep 05 2012 11:19 AM    Automatic

10.4.216.53         013c.d0f8.5d8b.41       Sep 05 2012 11:18 AM    Automatic

10.4.216.54         010c.771a.2726.14       Sep 05 2012 11:15 AM    Automatic

10.4.216.55         0140.a6d9.42ab.47       Sep 05 2012 11:15 AM    Automatic

10.4.216.56         01e0.c97a.6934.51       Sep 05 2012 11:24 AM    Automatic

10.4.216.57         0160.334b.d0d9.66       Sep 05 2012 11:17 AM    Automatic

10.4.216.58         0100.c610.2f2c.0f       Sep 05 2012 11:18 AM    Automatic

10.4.216.59         8400.d23c.9228          Sep 05 2012 11:18 AM    Automatic

Only user with MAC 8400.d23c.9228 is a normal user. Does anyone have an idea what is the other "MACs" (there are not actually MAC because they have many bytes) and how I can stop them from exhausting the pool?

Best Regards.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Emmanouil Patiniotakis

‎09-04-2012 07:11 AM

Hi,

these are not MAC addresses but client-identifiers made up of 01 prefix for media type=ethernet and then the mac address

of the host. Some devices like Windows hosts  use the client-identifier when requesting DHCP service while others use the MAC address. a search for OUI( first 24 bits of MAC address) will tell you the vendor id

eg: 

0100.c610.2f2c.0f     I've bolded the MAC address and the OUI 00-c6-10 is from Apple like all others except

01d8.b377.7b47.31  which is HTC. So all these devices are surely Smartphones/Tablets( even the one using MAC address is sony ericsson mobile.

You said they were not pingable but they may have left the facility, they may have been shut down or they may have no more IP due to very short lease time if not default in DHCP pool( 24 hrs).

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

8 Replies 8

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni

‎09-04-2012 02:44 AM

HI Emmanouil,

Just go to

Router# terminal monitor

Router# debug ip dhcp server events

if it shows like this:

*Feb 29 11:29:06.168:  DHCPD: due to: POOL EXHAUSTED

then

So first off all lets go into EXEC mode:

Router # configure terminal

OK now you need to set the new lease time. Lets go into the existing pool:

R1(config)#ip dhcp pool

Right so you need to set the lease time to 4 or wtever u want hours. The configuration statement wyou need is 'lease' and the two timeout numbers are firstly in 'DAYS and then 'HOURS'. So wyou need '0days 4hours'

Router(dhcp-config)#lease 0 4

So then  check the new lease period is working or not!

1st Router#clear ip dhcp bind *

and Now lets check teh DEBUG, are you getting leases now?

it should something like this: DHCPD: Sending notification of ASSIGNMENT:

then u can see the binding table:

Router#  show ip dhcp bind

Hope it helps.

Regards

Please rate if it works.

0 Helpful

Go to solution
Emmanouil Patiniotakis
Level 1
Level 1

‎09-04-2012 02:54 AM

Thanks for your help. I will make the changes you suggested. But do you have any idea what are these strange addresses that exhaust the pool?

In addition to my previous post, the IPs that are assigned to these strange hardware addresses are NOT ping-able.

0 Helpful

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to Emmanouil Patiniotakis

‎09-04-2012 02:59 AM

Hi Emmi,

As per my knowledge.

Automatic bindings are IP addresses that have been automatically mapped to the MAC addresses of hosts that are found in the DHCP database.

Regards

Just Info*****Automatic binding information (such as lease expiration date and time, interface index, and VPN routing and forwarding [VRF] name) is stored on a database agent. The bindings are saved as text records for easy maintenance.

0 Helpful

Go to solution
Emmanouil Patiniotakis
Level 1
Level 1
In response to Emmanouil Patiniotakis

‎09-04-2012 03:46 AM

Is there any way with EEM to track the exhaustion event and run the command clear ip dhcp binding?

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Emmanouil Patiniotakis

‎09-04-2012 07:11 AM

Hi,

these are not MAC addresses but client-identifiers made up of 01 prefix for media type=ethernet and then the mac address

of the host. Some devices like Windows hosts  use the client-identifier when requesting DHCP service while others use the MAC address. a search for OUI( first 24 bits of MAC address) will tell you the vendor id

eg: 

0100.c610.2f2c.0f     I've bolded the MAC address and the OUI 00-c6-10 is from Apple like all others except

01d8.b377.7b47.31  which is HTC. So all these devices are surely Smartphones/Tablets( even the one using MAC address is sony ericsson mobile.

You said they were not pingable but they may have left the facility, they may have been shut down or they may have no more IP due to very short lease time if not default in DHCP pool( 24 hrs).

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to cadet alain

‎09-04-2012 07:35 AM

Hello Alain,

these are not MAC addresses but client-identifiers made up of 01 prefix for media type=ethernet and then the mac address

Oh, this is interesting! I knew that the numbers displayed in the show ip dhcp binding are not MAC addresses but I did not know that the "01" prefix stands for Ethernet. Is there any document that describes this in more detail?

Thank you for sharing this info!

Best regards,

Peter

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Peter Paluch

‎09-04-2012 10:28 AM

Hi Peter,

http://tools.ietf.org/html/rfc2132

Best Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to cadet alain

‎09-04-2012 11:13 AM

Hi Alain,

Awesome! Thank you! And I thought I am the RFC guy here... Well, one never stops to learn

Best regards,

Peter

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card