DHCP Snooping WLC

Hi,

I would like to do DHCP snooping on the WLC.

Or a method to block the pirate DHCP and authorize my DHCP.

Best Regards,

Julien Hernandez.


17 Replies

Do you have rogue DHCP servers on wireless? If you have configured the ip-helper address on the dynamic interfaces pointing to your proper DHCP server, then all wireless users' DHCP packets should go to that.

Typically you would have rogue DHCP on a wired network & you can implement DHCP snooping to block them. Here is how you configure it in a wired network:

http://mrncciew.com/2012/12/27/understanding-dhcp-snooping/

HTH

Rasika

**** Pls rate all useful responses ****

ip-helper was configured on the VLAN interface on my switch.

Must I configure ip-helper on the WLC as well?

As shown in the attached image, I have clients on the network 192.168.0.0; it's not my internal network.

So I would like to block the pirate DHCP and authorize my DHCP.

On the WiFi switch there is no need to set up DHCP snooping because it is WiFi only.

I just set up the ip-helper address on the dynamic interfaces on the WLC.

I notice there are clients with IP address 0.0.0.0.

I ran a debug client:

(Cisco Controller) >*apfMsConnTask_3: Dec 05 10:55:17.610: dot1xcb = (nil) eapolReplayCounter = 0x42484e6a So returning from getEapolReplayCounter
*apfMsConnTask_0: Dec 05 10:55:20.988: dot1xcb = (nil) eapolReplayCounter = 0x41b6ce6a So returning from getEapolReplayCounter
*apfMsConnTask_3: Dec 05 10:55:29.228: dot1xcb = (nil) eapolReplayCounter = 0x42484e6a So returning from getEapolReplayCounter
*apfMsConnTask_1: Dec 05 10:55:35.557: dot1xcb = (nil) eapolReplayCounter = 0x41e74e6a So returning from getEapolReplayCounter
*apfMsConnTask_3: Dec 05 10:55:45.079: dot1xcb = (nil) eapolReplayCounter = 0x42484e6a So returning from getEapolReplayCounter
*apfMsConnTask_1: Dec 05 10:55:52.315: dot1xcb = (nil) eapolReplayCounter = 0x41e74e6a So returning from getEapolReplayCounter
*apfMsConnTask_4: Dec 05 10:56:11.695: dot1xcb = (nil) eapolReplayCounter = 0x4278ce6a So returning from getEapolReplayCounter
*apfMsConnTask_6: Dec 05 10:56:14.316: dot1xcb = (nil) eapolReplayCounter = 0x42d9ce6a So returning from getEapolReplayCounter
*apfMsConnTask_0: Dec 05 10:56:16.194: dot1xcb = (nil) eapolReplayCounter = 0x41b6ce6a So returning from getEapolReplayCounter
*apfMsConnTask_2: Dec 05 10:56:16.966: dot1xcb = (nil) eapolReplayCounter = 0x4217ce6a So returning from getEapolReplayCounter
*apfMsConnTask_0: Dec 05 10:56:17.461: dot1xcb = (nil) eapolReplayCounter = 0x41b6ce6a So returning from getEapolReplayCounter
*apfMsConnTask_0: Dec 05 10:56:46.083: dot1xcb = (nil) eapolReplayCounter = 0x41b6ce6a So returning from getEapolReplayCounter
*apfMsConnTask_6: Dec 05 10:56:50.746: dot1xcb = (nil) eapolReplayCounter = 0x42d9ce6a So returning from getEapolReplayCounter
*apfMsConnTask_0: Dec 05 10:57:27.302: dot1xcb = (nil) eapolReplayCounter = 0x41b6ce6a So returning from getEapolReplayCounter
*apfMsConnTask_1: Dec 05 10:57:37.841: dot1xcb = (nil) eapolReplayCounter = 0x41e74e6a So returning from getEapolReplayCounter
*apfMsConnTask_6: Dec 05 10:57:40.718: dot1xcb = (nil) eapolReplayCounter = 0x42d9ce6a So returning from getEapolReplayCounter
*apfMsConnTask_7: Dec 05 10:57:45.066: dot1xcb = (nil) eapolReplayCounter = 0x430a4e6a So returning from getEapolReplayCounter
*apfMsConnTask_3: Dec 05 10:57:58.369: dot1xcb = (nil) eapolReplayCounter = 0x42484e6a So returning from getEapolReplayCounter
*apfMsConnTask_7: Dec 05 10:58:28.558: dot1xcb = (nil) eapolReplayCounter = 0x430a4e6a So returning from getEapolReplayCounter
*apfMsConnTask_7: Dec 05 10:58:44.515: dot1xcb = (nil) eapolReplayCounter = 0x430a4e6a So returning from getEapolReplayCount

debug client:

(Cisco Controller) >*dot1xMsgTask: Dec 05 13:45:10.344: GTK Rotation Kicked in for AP: 44:ad:d9:5f:3a:20 SlotId = 1 - (0x3adb3bf8)
*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 Reassociation received from mobile on BSSID 44:ad:d9:5f:3a:d0
*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 Global 200 Clients are allowed to AP radio

*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 Max Client Trap Threshold: 0  cur: 1

*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 Rf profile 600 Clients are allowed to AP wlan

*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 override for default ap group, marking intgrp NULL
*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 321

*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 Re-applying interface policy for client

*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 0.0.0.0 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 0.0.0.0 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 In processSsidIE:4850 setting Central switched to FALSE
*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 Applying site-specific Local Bridging override for station 78:9e:d0:22:5e:33 - vapId 1, site 'INDE', interface 'interface_resident'
*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 Applying Local Bridging Interface Policy for station 78:9e:d0:22:5e:33 - vlan 321, interface id 12, interface 'interface_resident'
*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 override from ap group, removing intf group from mscb
*apfMsConnTask_5: Dec 05 13:45:14.401: 78:9e:d0:22:5e:33 Applying site-specific override for station 78:9e:d0:22:5e:33 - vapId 1, site 'INDE', interface 'interface_resident'
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 321

*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 Re-applying interface policy for client

*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 0.0.0.0 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 0.0.0.0 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 processSsidIE  statusCode is 0 and status is 0
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 processSsidIE  ssid_done_flag is 0 finish_flag is 0
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 STA - rates (8): 2 4 11 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 suppRates  statusCode is 0 and gotSuppRatesElement is 1
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 STA - rates (12): 2 4 11 12 18 150 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 extSuppRates  statusCode is 0 and gotExtSuppRatesElement is 1
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 0.0.0.0 RUN (20) Deleted mobile LWAPP rule on AP [44:ad:d9:5f:39:00]
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 Updated location for station old AP 44:ad:d9:5f:39:00-0, new AP 44:ad:d9:5f:3a:d0-0
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 Updating AID for REAP AP Client 44:ad:d9:5f:3a:d0 - AID ===> 1
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 0.0.0.0 RUN (20) Applied RADIUS override policy
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 Central switch is FALSE
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 Sending the Central Auth Info
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 Central Auth Info Allocated PMKLen = 0

*apfMsConnTask_5: Dec 05 13:45:14.402: dot1xcb = (nil) eapolReplayCounter = 0x42a94e6a So returning from getEapolReplayCounter
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 EapolReplayCounter: 00 00 00 00 00 00 00 00
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 0
                                                                                                        apfMsEntryType = 0 apfMsEapType = 0
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 Sending Local Switch flag = 0
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 0.0.0.0 RUN (20) DHCP Not required on AP 44:ad:d9:5f:3a:d0 vapId 1 apVapId 1for this client
*apfMsConnTask_5: Dec 05 13:45:14.402: 78:9e:d0:22:5e:33 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_5: Dec 05 13:45:14.403: 78:9e:d0:22:5e:33 0.0.0.0 RUN (20) Plumbed mobile LWAPP rule on AP 44:ad:d9:5f:3a:d0 vapId 1 apVapId 1 flex-acl-name:
*apfMsConnTask_5: Dec 05 13:45:14.403: 78:9e:d0:22:5e:33 0.0.0.0 RUN (20) Change state to RUN (20) last state RUN (20)

*apfMsConnTask_5: Dec 05 13:45:14.403: 78:9e:d0:22:5e:33 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 78:9e:d0:22:5e:33 on AP 44:ad:d9:5f:3a:d0 from Associated to Associated

*apfMsConnTask_5: Dec 05 13:45:14.403: 78:9e:d0:22:5e:33 apfPemAddUser2:session timeout forstation 78:9e:d0:22:5e:33 - Session Tout 15000, apfMsTimeOut '15000' and sessionTimerRunning flag is  0
*apfMsConnTask_5: Dec 05 13:45:14.403: 78:9e:d0:22:5e:33 Scheduling deletion of Mobile Station:  (callerId: 49) in 15000 seconds
*apfMsConnTask_5: Dec 05 13:45:14.403: 78:9e:d0:22:5e:33 Func: apfPemAddUser2, Ms Timeout = 15000, Session Timeout = 15000

*apfMsConnTask_5: Dec 05 13:45:14.403: 78:9e:d0:22:5e:33 Sending Assoc Response to station on BSSID 44:ad:d9:5f:3a:d0 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_5: Dec 05 13:45:14.403: 78:9e:d0:22:5e:33 apfProcessAssocReq (apf_80211.c:8294) Changing state for mobile 78:9e:d0:22:5e:33 on AP 44:ad:d9:5f:3a:d0 from Associated to Associated

*spamApTask0: Dec 05 13:45:14.405: 78:9e:d0:22:5e:33 spamEncodeCentralAuthInoMsPayload: msAssocTypeFlagsMsb = 0 msAssocTypeFlagsLsb = 0
                                                                                                                                       apfMsEntryType = 0 pmkLen = 0
*apfMsConnTask_1: Dec 05 13:45:34.177: dot1xcb = (nil) eapolReplayCounter = 0x41e74e6a So returning from getEapolReplayCounter
*apfMsConnTask_1: Dec 05 13:45:51.853: dot1xcb = (nil) eapolReplayCounter = 0x41e74e6a So returning from getEapolReplayCounter
*apfMsConnTask_0: Dec 05 13:46:02.400: dot1xcb = (nil) eapolReplayCounter = 0x41b6ce6a So returning from getEapolReplayCounter
*dot1xMsgTask: Dec 05 13:46:16.160: GTK Rotation Kicked in for AP: 50:67:ae:30:e0:e0 SlotId = 0 - (0x3adb3bf8)
*apfMsConnTask_1: Dec 05 13:46:29.123: dot1xcb = (nil) eapolReplayCounter = 0x41e74e6a So returning from getEapolReplayCounter

Please attach these outputs to get a better idea of how you configured it:

WLC - show interface summary
WLC - show interface detailed vlan x <- vlan that maps to the SSID
WLC - show wlan <wlan_id>
SW - show run interface vlan x
SW - show run int gx/x <- WLC connected switchport

 

HTH

Rasika

**** Pls rate all useful responses ****

(Cisco Controller) >show interface summary


 Number of Interfaces.......................... 4

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
interface_administratif          1    221      10.20.167.253   Dynamic No     No
interface_resident               1    321      10.30.167.253   Dynamic No     No
management                       1    20       10.253.21.4     Static  Yes    No
virtual                          N/A  N/A      1.1.1.1         Static  No     No

(Cisco Controller) >

(Cisco Controller) >show wlan 1


WLAN Identifier.................................. 1
Profile Name..................................... Wifi City
Network Name (SSID).............................. WifiCity
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
    Radius Profiling ............................ Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
    Local Profiling ............................. Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200

--More-- or (q)uit
Number of Active Clients......................... 67
Exclusionlist.................................... Disabled
Session Timeout.................................. 15000 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 12 hours
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... Inde_WLC-2504_SS_04
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ interface_resident
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Disabled
mDNS Profile Name................................ unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0

--More-- or (q)uit
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1

--More-- or (q)uit
Radius Servers
   Authentication................................ Disabled
   Accounting.................................... Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Enabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   flexconnect PPPoE pass-through................ Disabled
   flexconnect local-switching IP-source-guar.... Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Disabled
   Client MFP.................................... Optional but inactive (WPA2 not configured)
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
   Eap-params.................................... Not Applicable
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel (Printers).......................... Disabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Enabled
Load Balancing................................... Client-Count Based
Multicast Buffer................................. Disabled

 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority  Policy Name
--------  ---------------

 

(Cisco Controller) >show interface detailed interface_resident

Interface Name................................... interface_resident
MAC Address...................................... cc:d8:c1:40:cf:44
IP Address....................................... 10.30.167.253
IP Netmask....................................... 255.255.248.0
IP Gateway....................................... 10.30.167.254
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 321
Quarantine-vlan.................................. 0
NAS-Identifier................................... Inde_WLC-2504_SS_04
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 10.2.0.1
Secondary DHCP Server............................ 10.2.0.2
DHCP Option 82................................... Disabled
IPv4 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled

 

interface Vlan321
 description Resident_Inde
 ip address 10.30.167.254 255.255.248.0
 ip access-group resident in
 ip helper-address 10.2.0.1
 ip helper-address 10.2.0.2
end


interface FastEthernet1/0/23
 description Controller_2504
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast trunk
end

 

ip access-list extended resident
 permit udp any host 255.255.255.255 eq bootps
 permit udp 10.30.0.0 0.1.255.255 host 10.2.0.1 eq bootps
 permit udp 10.30.0.0 0.1.255.255 host 10.2.0.2 eq bootps
 permit udp 10.30.0.0 0.1.255.255 host 10.2.0.1 eq domain
 permit udp 10.30.0.0 0.1.255.255 host 10.2.0.2 eq domain
 permit tcp 10.30.0.0 0.1.255.255 any eq 9100
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 172.16.0.0 0.0.255.255
 deny   ip any 224.0.0.0 31.255.255.255
 deny   udp any eq netbios-ns any eq netbios-ns
 deny   udp any eq netbios-dgm any eq netbios-dgm
 deny   udp any any eq netbios-ss
 remark Viral infection 31/07/2012
 deny   udp any any eq 16464
 deny   udp any any eq 16470
 deny   udp any any eq 16471
 deny   udp any any eq 16475
 deny   udp any any eq 1900
 deny   tcp any any eq 445
 deny   tcp any any eq 139
 permit ip 10.30.0.0 0.1.255.255 any

DHCP Address Assignment Required................. Disabled

Do you really require static clients to join? The current clients shown as 192.168.x.x may be static clients.

If you enable DHCP address assignment, all clients have to get an IP from your DHCP server; that way you can control what IP a client can get.

Try that option & see what the client IPs look like.

 

HTH

Rasika

**** Pls rate all useful responses ****

I cannot enable this option:

The following errors occurred while updating the WLAN:
Invalid Configuration: DHCP required or Web Auth cannot be enabled if Learn Client IP Address is disabled

The following option has to be enabled for it to work:

Learn Client IP Address

I think there must be a pirate DHCP server and the pirate DHCP is quicker to respond than my own DHCP server.

"Invalid Configuration: DHCP required or Web Auth cannot be enabled if Learn Client IP Address is disabled"

This is because of the following setting:

FlexConnect Learn IP Address.................. Disabled

You can enable this & then tick the "DHCP address assignment" option.

Note that WLAN setting changes could disrupt client connectivity momentarily.

 

**** Pls do not forget to rate our responses if that is useful to you ****

HTH

Rasika

 

What is this option?

FlexConnect Learn IP Address.................. Disabled

Still 192.168.0.0 and 0.0.0.0 on the WLC.

It should block the pirate DHCP and authorize my DHCP server.

This should be under the WLAN "Advanced" tab. Since it is disabled, you cannot tick the "DHCP Address Assignment" option. That's what the previously provided error message states.

Do you have "FlexConnect" mode APs deployed in your setup to use this WLAN?

 

HTH

Rasika
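The show wlan output above has FlexConnect Local Switching Enabled, and the debug shows "Central switch is FALSE" and "Applying Local Bridging Interface Policy ... vlan 321" for the client. In that mode the AP bridges client traffic, DHCP included, straight onto its own switchport in VLAN 321, so the WLC's dynamic-interface DHCP proxy is not in the path and the place to enforce DHCP snooping is the wired switch the APs plug into, which is the wired feature Rasika pointed to at the start of the thread. The following is an added example, not configuration from the thread or from the linked article. VLAN 321, the DHCP servers 10.2.0.1 / 10.2.0.2 and the WLC port FastEthernet1/0/23 come from Julien's outputs; the uplink and AP port names are placeholders, and a Catalyst IOS access switch is assumed.

```cisco
! Added example (not from the thread): DHCP snooping on the Catalyst access
! switch that carries the FlexConnect APs and the 2504.
!
ip dhcp snooping
ip dhcp snooping vlan 321
! Neither the SVI's ip helper-address nor the WLC's DHCP proxy needs option 82;
! inserting it with giaddr 0 makes some DHCP servers drop the packet entirely.
no ip dhcp snooping information option
! Bring back ports that the DISCOVER rate limit below err-disabled.
errdisable recovery cause dhcp-rate-limit
!
! Uplink toward the L3 device that holds "interface Vlan321" with the helper
! addresses 10.2.0.1 / 10.2.0.2: the only port real OFFER/ACK packets come from.
interface GigabitEthernet1/0/1
 description UPLINK-to-L3 (placeholder name)
 switchport mode trunk
 ip dhcp snooping trust
!
! The WLC port must be trusted as well: for centrally switched WLANs the
! controller's DHCP proxy relays with a non-zero giaddr, and snooping drops
! such packets on untrusted ports (those clients would then sit at 0.0.0.0).
interface FastEthernet1/0/23
 description Controller_2504
 ip dhcp snooping trust
!
! AP-facing trunks stay untrusted: any OFFER/ACK/NAK entering from the wireless
! side is dropped, and a DISCOVER flood from one AP is rate-limited. Pick the
! limit with the number of clients per AP in mind so a busy AP is not err-disabled.
interface range FastEthernet1/0/1 - 22
 description FlexConnect-AP-ports (placeholder range)
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 15
!
! Verification after a client associates:
!   show ip dhcp snooping           <- VLAN 321 enabled, trusted ports listed
!   show ip dhcp snooping binding   <- one MAC/IP/VLAN/port entry per real lease
```

Beyond just silencing the rogue server, each dropped reply is logged by the switch as a %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT message naming the port and the source MAC, which is exactly the trace of "where you learn that MAC address from" that Rasika asks for later in the thread. The binding table also tells you which clients obtained a lease from 10.2.0.1 / 10.2.0.2; a client that the WLC shows as 192.168.x.x but that has no snooping binding did not get its address from them.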

 

The options FlexConnect Learn IP Address and DHCP Address Assignment Required are enabled, but still 192.168.0.0 and 0.0.0.0.

It should block the pirate DHCP and authorize my DHCP server.

Click that client & remove it (Monitor -> Clients -> Select client -> Remove) & see if it connects again.

If it shows up again, trace the MAC address of the client & see where you learn that MAC address from.

HTH

Rasika

I have just removed the 192.168.0.0 client, and there is again a 192.168.0.0 client.

If it is a rogue AP, how do I prohibit it?

Or make an ACL to prevent the pirate DHCP?

"I have just removed the 192.168.0.0 client, and there is again a 192.168.0.0 client."

I did not understand what you say here. Were you able to remove the client? Did it reappear?

"If it is a rogue AP, how do I prohibit it?"

If it is a rogue AP, it should come from the wired side & should not appear as a wireless client.

Let me know

Rasika
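Julien's other question, an ACL against the pirate DHCP, has a workable answer on the access switch for platforms that cannot run DHCP snooping: a port ACL on the AP-facing ports that drops packets sourced from UDP port 67. Only a DHCP server (or relay) ever sends from bootps (67); clients send from bootpc (68) to 67, so DISCOVER and REQUEST pass untouched while any OFFER/ACK/NAK injected from the wireless side is dropped. This is an added example, not configuration from the thread; the interface names are placeholders, and the ACL must not be applied to the uplink or to the WLC port FastEthernet1/0/23, where the legitimate server and proxy traffic arrives.

```cisco
! Added example (not from the thread): port ACL that stops rogue DHCP server
! replies coming from the AP side, for switches without DHCP snooping.
!
ip access-list extended NO-ROGUE-DHCP-SERVER
 remark server->client DHCP is always sourced from UDP 67 (bootps): drop it here
 deny   udp any eq bootps any
 remark client DISCOVER/REQUEST (sport 68, dport 67) and all other traffic pass
 permit ip any any
!
! Port ACLs are ingress-only; apply on every AP-facing trunk. On a trunk the
! port ACL filters all VLANs, so VLAN 221 is covered as well as VLAN 321.
interface range FastEthernet1/0/1 - 22
 description FlexConnect-AP-ports (placeholder range)
 ip access-group NO-ROGUE-DHCP-SERVER in
!
! Never on the uplink or on FastEthernet1/0/23 (the 2504): that is where the
! real 10.2.0.1 / 10.2.0.2 replies and the WLC's DHCP proxy traffic enter.
```

Compared with DHCP snooping this gives no binding table and no per-port syslog of what was dropped, so it blocks the rogue server but does not help locate it; where the switch supports snooping, prefer that.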
