Illegal DHCP (DHCP Snooping)

hi,
in my network, where there is a DHCP server (I use DHCP relay on my layer 3 switch),
someone often connects a PC with a DHCP service active, and this causes a problem.
I read on cisco.com and found the documentation about how to fix this problem.
DHCP Snooping is the solution.
The release on my Cisco 6509 with MSFC2 does not support this feature.
WHAT DO YOU THINK ABOUT IT?
DO YOU HAVE A LINK WITH AN EXAMPLE OF ALTERNATIVE METHODS?
Thanks
FC

my versions are:
IOS (tm) MSFC2 Software (C6MSFC2-JSV-M), Version 12.1(11b)E4
in CatOS
WS-C6509 Software, Version NmpSW: 7.6(8)
Step 1. (Permit DHCP responses from host 1.2.3.4): "set security acl ip SERVER permit udp host 1.2.3.4 any eq 68"
Step 2. (Deny DHCP responses from any other host): "set security acl ip SERVER deny udp any any eq 68"
Step 3. (Permit other IP traffic): "set security acl ip SERVER permit any any"
Step 4. (Commit the VACL): "commit security acl SERVER"
Step 5. (Map the VACL to VLAN 10, for example): "set security acl map SERVER 10"
WHAT DO YOU THINK ABOUT MY CONFIGURATION?
Thanks
FC

Similar Messages

  • IP source guard feature and DHCP scope exhaustion (client spoofs other clients)

    Hi everybody.
    A DHCP server assigns IP addresses based on the MAC address carried in the client hardware address field of DHCP packets.
    One potential attack is when a rogue host mimics different MAC addresses and causes the DHCP server to assign IP addresses until no IP address is left for legitimate hosts.
    For example, a host h1 with mac1 has been assigned an IP address by the DHCP server as:
    199.199.199.1 mac1
    The DHCP server has the above entry in its database.
    Using hacking tools such as Yersinia or Gobbler, one can create DHCP discover messages, each time with a different MAC in the client hardware address field, thereby causing the DHCP server to assign IP addresses, because to the DHCP server these are legitimate DHCP discover messages, each carrying a different MAC in the client hardware address.
    You might say use DHCP snooping and it will prevent that (DHCP scope exhaustion), and configure the switch to check whether the source MAC matches the client hardware address in the DHCP message. But we can still create spoofed discover messages where the source MAC in the Ethernet header matches the client hardware address in the DHCP discover message. We still have not overcome the problem.
    You might say use the IP source guard feature, but will it really prevent that problem from happening?
    Let me illustrate it:
    h1---------f1/1SW---------DHCP server
    Let's say we have configured DHCP snooping on sw1 and f1/1 is an untrusted port. The switch has the following DHCP binding:
    199.199.199.1    mac1   vlan1  f1/1
    Next we configure IP source guard to validate both source MAC and source IP against the DHCP bindings. When we first configure IP source guard, it will allow DHCP communication only, so a host can request an IP address and a DHCP binding can be built. After that, IP source guard will validate source IP, or source MAC, or both against the DHCP binding, depending upon how we configure IP source guard.
    In our case we have configured IP source guard to validate both source MAC and source IP against the DHCP binding.
    A DHCP binding is already created as:
    199.199.199.1 mac1 vlan 1 f1/1
    Now, using the hacking tools Yersinia or Gobbler on h1, we create our first spoofed DHCP discover message where the source MAC = mac2 in the Ethernet header and the client hardware address = mac2 in the DHCP discover message. Since the switch is configured with the IP source guard feature, it allows the DHCP discover message to pass through. The DHCP server, upon receiving the DHCP message, assigns another IP address from the pool. Now the DHCP server has the following entries:
    199.199.199.1 mac1
    199.199.199.2 mac2
    We can continue to craft spoofed DHCP discover messages as mentioned above and have the DHCP server keep assigning IP addresses until the whole pool is exhausted.
    So my question is: how does IP source guard in conjunction with DHCP snooping prevent this particular attack (i.e. DHCP scope exhaustion) from happening?
    I really appreciate your input.
    Thanks and have a great week.

    Thanks Karthikeyan.
    First of all, we gather all the information about the locations of legitimate DHCP servers in our network. Once we have this information, we configure the ports used to reach them as trusted. All the ports where end users connect will be untrusted and therefore subject to DHCP snooping.
    It means that if any user connected to that switch/VLAN runs a DHCP service, like VMware for example, snooping will prevent the DHCP/BOOTP servers connected to that port from being able to process requests.
    Yes, that is correct, because the DHCP snooping feature will check these ports for the messages usually sent by a DHCP server, such as DHCP offer, etc. If the end user is running a DHCP server in a virtual machine, that port should be configured as trusted if it is determined that the end user is running a legitimate DHCP server using VMware.
    When we have DHCP snooping it prevents the 1st level of hacking itself. I don't think it will have any impact on DHCP address releasing.
    I am sorry, you lost me here. What is the 1st level of hacking?
    DHCP snooping checks DHCP messages such as DHCP release and DHCP decline on untrusted ports against the DHCP bindings.
    Here is why:
    h1---------SW1-------dhcp server
                   |
                 h2
    Let's say we don't have DHCP snooping in the above attack, and h2 is a legitimate user that has already been assigned IP address 199.199.199.2 by the DHCP server. Thus the DHCP server has an entry:
    199.199.199.2 mac2
    Next we connect a rogue user and it gets IP address 199.199.199.1; now the DHCP server has entries:
    199.199.199.1  mac1
    199.199.199.2  mac2
    Now, using hacking tools, h1 creates a fake DHCP release message with 199.199.199.2 mac2.
    The DHCP server, upon receiving this message, will release the IP address and return it to the pool.
    By using DHCP snooping, the switch will peer inside the DHCP release message and check it against the binding. If there is a conflict, it will drop the message.
    For example:
    If we have DHCP snooping configured, then the switch will have DHCP bindings as:
    199.199.199.1    mac1    vlan 1   f1/1  lease time
    199.199.199.2    mac2    vlan 2   f1/2  lease time
    If h1 tries to send a fake DHCP release with IP address 199.199.199.2 mac2,
    the switch will check IP address 199.199.199.2 and mac2 against the binding related to f1/1. The switch will find a conflict and therefore drops the DHCP release packet.
    Thanks

  • SG300: DHCP errors

    Hello,
    I have several SG300-20 and SG300-10 switches cascaded with a topology that looks like this:
    SW0 => SW2: connected by three links in LACP
    SW1 => SW2: connected by a single link
    SW3 => SW2: connected by three links in LACP
    SW4 => SW2: connected by a single link
    I have PCs connected on all the switches.
    My DHCP server is connected to SW2. The port is trusted and DHCP snooping is enabled. On all the switches I have enabled DHCP relay with the IP address of the DHCP server.
    Unfortunately, I get errors on SW2:
    %DHCPSNOOP-E-HDRMAC: DHCP packet mac addresses verification problem - packet dropped: vlan - 20, port - Po2, mac source address - <ADRESSE_MAC_DE_SW0>, mac dest address - <ADRESSE_MAC_DU_SERVEUR_DHCP>, hw client address - <ADRESSE_MAC_D_UN_POSTE_CLIENT>, error - DHCPSnP_packet_callback
    So I have several questions:
      - does anyone know where these errors come from? I get them every day
      - do I need to enable DHCP relay on all the switches, or only on SW2 since the DHCP server is on it?
      - do I need to enable DHCP relay + DHCP snooping as I have done?
    Thank you in advance.
    Bertrand
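    A small Python model of the checks discussed in the original question (a PC running its own DHCP service answering clients from an access port), in the IP source guard thread above (the forged RELEASE checked against the binding table, and the DISCOVER flood whose source MAC and chaddr agree), and in this SG300 thread (a relayed DHCP packet whose Ethernet source is the upstream switch rather than the client). This is an added example, not code from any of the posts or from Cisco: the port names, MAC labels, binding entries and the exact order of the checks are assumptions made for the scenario, and the rules are a simplification of documented snooping behaviour.

```python
# Added example, not code from any post in this thread: a minimal model of the
# checks a DHCP-snooping switch applies on untrusted ports, run over constructed
# frames. Port names, MAC labels and the ordering of checks are assumptions.
from dataclasses import dataclass, field

# DHCP message types (option 53)
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}   # only a DHCP server ever sends these


@dataclass
class Frame:
    port: str
    vlan: int
    src_mac: str             # Ethernet source address
    chaddr: str              # client hardware address inside the DHCP message
    msg_type: int
    ciaddr: str = "0.0.0.0"  # client IP, filled in by a client on RELEASE
    giaddr: str = "0.0.0.0"  # relay-agent IP, non-zero only after a relay hop


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    verify_mac: bool = True                       # the "verify mac-address" check
    bindings: dict = field(default_factory=dict)  # ip -> Binding
    log: list = field(default_factory=list)       # one record per dropped frame

    def learn(self, ip: str, mac: str, vlan: int, port: str) -> None:
        """Record a binding as the switch would after a completed DHCP exchange."""
        self.bindings[ip] = Binding(ip, mac.lower(), vlan, port)

    def inspect(self, f: Frame) -> bool:
        """True if the frame is forwarded, False if dropped (reason appended to log)."""
        if f.port in self.trusted_ports:
            return True                        # trusted ports are not inspected
        if f.msg_type in SERVER_MESSAGES:
            return self._drop(f, "server message on untrusted port (rogue DHCP server)")
        if self.verify_mac and f.src_mac.lower() != f.chaddr.lower():
            return self._drop(f, "source MAC does not match client hardware address")
        if f.giaddr != "0.0.0.0":
            return self._drop(f, "non-zero relay giaddr on untrusted port")
        if f.msg_type == RELEASE:
            b = self.bindings.get(f.ciaddr)
            if b is None or b.mac != f.chaddr.lower() or b.vlan != f.vlan or b.port != f.port:
                return self._drop(f, f"RELEASE for {f.ciaddr} does not match binding on this port")
        return True

    def _drop(self, f: Frame, reason: str) -> bool:
        self.log.append(f"DROP port={f.port} vlan={f.vlan} src={f.src_mac} type={f.msg_type}: {reason}")
        return False


def run_scenario() -> dict:
    """Replay the situations from the posts; returns case name -> forwarded?"""
    sw = SnoopingSwitch(trusted_ports={"gi1/1"})   # gi1/1 leads to the legitimate server
    sw.learn("199.199.199.1", "mac1", 1, "f1/1")   # h1's binding
    sw.learn("199.199.199.2", "mac2", 1, "f1/2")   # h2's binding
    cases = {
        # a PC with its own DHCP service answers a client from an access port
        "rogue_offer_on_access_port": Frame("f1/3", 1, "mac9", "mac1", OFFER),
        # the real server's OFFER arrives on the trusted uplink
        "real_offer_on_trusted_port": Frame("gi1/1", 1, "srv0", "mac1", OFFER),
        # h1 forges a RELEASE for h2's address; the binding says it lives on f1/2
        "fake_release_for_h2": Frame("f1/1", 1, "mac2", "mac2", RELEASE, ciaddr="199.199.199.2"),
        # h2 releases its own address from its own port
        "genuine_release_by_h2": Frame("f1/2", 1, "mac2", "mac2", RELEASE, ciaddr="199.199.199.2"),
        # exhaustion-style DISCOVER whose src MAC and chaddr agree: the MAC check passes
        "consistent_spoofed_discover": Frame("f1/1", 1, "mac3", "mac3", DISCOVER),
        # a DISCOVER relayed by another switch, arriving on an untrusted inter-switch link
        "relayed_discover_untrusted_uplink": Frame("Po2", 20, "sw0-mac", "client-mac", DISCOVER, giaddr="10.0.20.1"),
        # the same relayed frame once the inter-switch link is trusted
        "relayed_discover_trusted_uplink": Frame("gi1/1", 20, "sw0-mac", "client-mac", DISCOVER, giaddr="10.0.20.1"),
    }
    results = {name: sw.inspect(frame) for name, frame in cases.items()}
    for line in sw.log:
        print(line)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

    In the model, the forged RELEASE is dropped because its binding points at f1/2 rather than the port it arrived on, while a DISCOVER whose source MAC and chaddr agree is forwarded; that is why the MAC check alone does not bound address exhaustion, and why a cap on the MAC addresses or DHCP packets a port may present (port security's MAC limit, snooping's per-port rate limit) is the usual complement. The last two cases reproduce the shape of the SG300 log line: a packet relayed by SW0 carries SW0's MAC as Ethernet source and the client's MAC as chaddr, so MAC verification fails on the inter-switch link until that link is trusted.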

    Tom,
    Thanks ... I followed the steps you outlined and it worked!  The only difference being that I have an Asus RT-AC66U router and there is no "enable multiple subnet" option.  So, I just followed your instructions on creating the static routes in the RT-AC66U and everything worked.  The DHCP addresses were correct and I had internet connectivity when I plugged a laptop into the gi8 port.
    I did make one tweak to the Network Pools screen as follows:
    My DHCP configuration for gi8 on VLAN 2 now looks like:
    ip dhcp server
    ip dhcp pool network InternalWAN
    address low 192.168.2.1 high 192.168.2.99 255.255.255.0
    lease infinite
    domain-name MYSTIC
    default-router 192.168.2.254
    dns-server 8.8.8.8
    Previously I had followed your advice in the article "Need help configuring SG300-10 switch" and had set up everything using the CLI.  However, I didn't think about needing the static routes.  So, I think it was probably set up correctly beforehand but had no chance to work because the routes were not set up.
    Thanks very much for your help!
    Clint

  • Option code 66 and 67 in DHCP

    Hi Everybody,
    I am configuring DHCP for option codes 66 (TFTP server) and 67 (boot file), but when I snoop the DHCP requests, I am not sure whether the DHCP client is getting these options or not. Below is the snoop output. Can you please tell me whether the client is getting these options or not?
    DHCP: ----- (Options) field options -----
    DHCP:
    DHCP: Message type = DHCPREQUEST
    DHCP: Requested IP Address = 10.0.6.70
    DHCP: IP Address Lease Time = -1 seconds
    DHCP: Maximum DHCP Message Size = 1472 bytes
    DHCP: Client Class Identifier = "SUNW.Sun-Fire-V240"
    DHCP: Requested Options:
    DHCP: 1 (Subnet Mask)
    DHCP: 3 (Router)
    DHCP: 6 (DNS Servers)
    DHCP: 12 (Client Hostname)
    DHCP: 15 (DNS Domain Name)
    DHCP: 28 (Broadcast Address)
    DHCP: 43 (Vendor Specific Options)
    DHCP: 66 (TFTP Server Name)
    DHCP: 67 (Option BootFile Name)
    DHCP: ----- (Options) field options -----
    DHCP:
    DHCP: Message type = DHCPACK
    DHCP: DHCP Server Identifier = 10.0.6.2
    DHCP: NIS Domainname = atrcus588.athtem.eei.ericsson.se
    DHCP: NIS Servers at = 10.0.6.2
    DHCP: DNS Domain Name = athtem.eei.ericsson.se
    DHCP: Broadcast Address = 10.0.6.127
    DHCP: Subnet Mask = 255.255.255.192
    DHCP: Router at = 10.0.6.65
    DHCP: IP Address Lease Time = -1 seconds
    DHCP: Client Hostname = atrcus629
    DHCP: Vendor-specific Options (157 total octets):
    DHCP: (07) 35 octets "/platform/sun4u/kernel/sparcv9/unix"
    DHCP: (12) 26 octets "/jumpstart/solaris10_image"
    DHCP: (11) 13 octets "masterservice"
    DHCP: (10) 04 octets 0x0A 0x00 0x06 0x02 (unprintable)
    DHCP: (04) 48 octets "/jumpstart/solaris10_image/Solaris_10/Tools/Boot"
    DHCP: (03) 13 octets "masterservice"
    DHCP: (02) 04 octets 0x0A 0x00 0x06 0x02 (unprintable)
    DHCP: Boot File Name = 010003BA875A61
    0: 0010 dbdd e3b5 0014 4f71 2d92 0800 4500 ........Oq-...E.
    16: 0218 d8eb 4000 ff11 0000 0a00 0602 0a00 ..\330.@...........
    32: 0641 0043 0043 0204 0000 0201 0600 46bd .A.C.C........F.
    48: 589f 0000 0000 0000 0000 0a00 0646 0a00 X............F..
    64: 0602 0a00 0641 0003 ba87 5a61 0000 0000 .....A....Za....
    80: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    96: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    112: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    128: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    144: 0000 0000 0000 3031 3030 3033 4241 3837 ......010003BA87
    160: 3541 3631 0000 0000 0000 0000 0000 0000 5A61............
    176: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    192: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    208: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    224: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    240: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    256: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    272: 0000 0000 0000 6382 5363 3501 0536 040a ......c.Sc5..6..
    288: 0006 0228 2061 7472 6375 7335 3838 2e61 ...( atrcus588.a
    304: 7468 7465 6d2e 6565 692e 6572 6963 7373 thtem.eei.ericss
    320: 6f6e 2e73 6529 040a 0006 020f 1661 7468 on.se).......ath
    336: 7465 6d2e 6565 692e 6572 6963 7373 6f6e tem.eei.ericsson
    352: 2e73 651c 040a 0006 7f01 04ff ffff c003 .se.............
    368: 040a 0006 4133 04ff ffff ff0c 0961 7472 ....A3.......atr
    384: 6375 7336 3239 2b9d 0723 2f70 6c61 7466 cus629+\235.#/platf
    400: 6f72 6d2f 7375 6e34 752f 6b65 726e 656c orm/sun4u/kernel
    416: 2f73 7061 7263 7639 2f75 6e69 780c 1a2f /sparcv9/unix../
    432: 6a75 6d70 7374 6172 742f 736f 6c61 7269 jumpstart/solari
    448: 7331 305f 696d 6167 650b 0d6d 6173 7465 s10_image..maste
    464: 7273 6572 7669 6365 0a04 0a00 0602 0430 rservice.......0
    480: 2f6a 756d 7073 7461 7274 2f73 6f6c 6172 /jumpstart/solar
    496: 6973 3130 5f69 6d61 6765 2f53 6f6c 6172 is10_image/Solar
    512: 6973 5f31 302f 546f 6f6c 732f 426f 6f74 is_10/Tools/Boot
    528: 030d 6d61 7374 6572 7365 7276 6963 6502 ..masterservice.
    544: 040a 0006 02ff ......
    Thanks in advance,
    Yogendra.
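    The question can be settled from the bytes. The following is an added example, not code from the post: it rebuilds the frame from the snoop hex dump quoted above (used here as constructed input), walks the Ethernet, IPv4 and UDP headers, and decodes the DHCP header and option TLVs so the option codes the server actually returned can be compared with the ones the client asked for. It assumes the dump begins with an untagged Ethernet II frame, which the 0x0800 EtherType at offset 12 confirms.

```python
# Added example (not the post's code): rebuild the DHCPACK from the snoop hex dump
# quoted above and list the option codes it actually carries.
import binascii
import re

# The dump from the post, used as constructed input: "offset: hex words ... ASCII".
SNOOP_DUMP = r"""
0: 0010 dbdd e3b5 0014 4f71 2d92 0800 4500 ........Oq-...E.
16: 0218 d8eb 4000 ff11 0000 0a00 0602 0a00 ..\330.@...........
32: 0641 0043 0043 0204 0000 0201 0600 46bd .A.C.C........F.
48: 589f 0000 0000 0000 0000 0a00 0646 0a00 X............F..
64: 0602 0a00 0641 0003 ba87 5a61 0000 0000 .....A....Za....
80: 0000 0000 0000 0000 0000 0000 0000 0000 ................
96: 0000 0000 0000 0000 0000 0000 0000 0000 ................
112: 0000 0000 0000 0000 0000 0000 0000 0000 ................
128: 0000 0000 0000 0000 0000 0000 0000 0000 ................
144: 0000 0000 0000 3031 3030 3033 4241 3837 ......010003BA87
160: 3541 3631 0000 0000 0000 0000 0000 0000 5A61............
176: 0000 0000 0000 0000 0000 0000 0000 0000 ................
192: 0000 0000 0000 0000 0000 0000 0000 0000 ................
208: 0000 0000 0000 0000 0000 0000 0000 0000 ................
224: 0000 0000 0000 0000 0000 0000 0000 0000 ................
240: 0000 0000 0000 0000 0000 0000 0000 0000 ................
256: 0000 0000 0000 0000 0000 0000 0000 0000 ................
272: 0000 0000 0000 6382 5363 3501 0536 040a ......c.Sc5..6..
288: 0006 0228 2061 7472 6375 7335 3838 2e61 ...( atrcus588.a
304: 7468 7465 6d2e 6565 692e 6572 6963 7373 thtem.eei.ericss
320: 6f6e 2e73 6529 040a 0006 020f 1661 7468 on.se).......ath
336: 7465 6d2e 6565 692e 6572 6963 7373 6f6e tem.eei.ericsson
352: 2e73 651c 040a 0006 7f01 04ff ffff c003 .se.............
368: 040a 0006 4133 04ff ffff ff0c 0961 7472 ....A3.......atr
384: 6375 7336 3239 2b9d 0723 2f70 6c61 7466 cus629+\235.#/platf
400: 6f72 6d2f 7375 6e34 752f 6b65 726e 656c orm/sun4u/kernel
416: 2f73 7061 7263 7639 2f75 6e69 780c 1a2f /sparcv9/unix../
432: 6a75 6d70 7374 6172 742f 736f 6c61 7269 jumpstart/solari
448: 7331 305f 696d 6167 650b 0d6d 6173 7465 s10_image..maste
464: 7273 6572 7669 6365 0a04 0a00 0602 0430 rservice.......0
480: 2f6a 756d 7073 7461 7274 2f73 6f6c 6172 /jumpstart/solar
496: 6973 3130 5f69 6d61 6765 2f53 6f6c 6172 is10_image/Solar
512: 6973 5f31 302f 546f 6f6c 732f 426f 6f74 is_10/Tools/Boot
528: 030d 6d61 7374 6572 7365 7276 6963 6502 ..masterservice.
544: 040a 0006 02ff ......
"""

HEX_WORD = re.compile(r"^[0-9a-f]{4}$")
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def dump_to_bytes(dump: str) -> bytes:
    """Keep the 4-hex-digit words after the 'offset:' token; stop at the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:]:
            if not HEX_WORD.match(tok):
                break
            out += binascii.unhexlify(tok)
    return bytes(out)


def dhcp_payload(frame: bytes) -> bytes:
    """Skip the Ethernet (14), IPv4 (IHL * 4) and UDP (8) headers."""
    ihl = (frame[14] & 0x0F) * 4
    return frame[14 + ihl + 8:]


def parse_dhcp(payload: bytes) -> dict:
    """Fixed fields a troubleshooter needs plus the option TLVs (code -> raw value)."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie; not a DHCP message")
    hlen = payload[2]
    info = {
        "yiaddr": ".".join(str(b) for b in payload[16:20]),
        "chaddr": payload[28:28 + hlen].hex(":"),
        "file": payload[108:236].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:           # pad
            i += 1
            continue
        if code == 255:         # end
            break
        length = payload[i + 1]
        info["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return info


def analyse(dump: str = SNOOP_DUMP, wanted=(66, 67)) -> dict:
    """Parse the dump and report which of the client's requested options are absent."""
    frame = dump_to_bytes(dump)
    info = parse_dhcp(dhcp_payload(frame))
    info["frame_len"] = len(frame)
    info["msg_type"] = info["options"][53][0]
    info["missing"] = [c for c in wanted if c not in info["options"]]
    return info
```

    Running `analyse()` on the dump gives a 550-byte frame whose DHCPACK carries options 1, 3, 12, 15, 28, 40, 41, 43, 51, 53 and 54 and nothing for 66 or 67. The string 010003BA875A61 that the decoder prints as "Boot File Name" sits in the fixed 128-byte `file` field of the DHCP header, not in option 67, and no TFTP server name appears anywhere in the reply, so the client's request for options 66 and 67 is not being answered by those options.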

  • How do I set up my AEv5 using DHCP with a Netgear DG834Gv5?

    Hi,
    I've recently bought a MBPro and love it.
    I then bought an Airport Extreme to extend my available Wi-Fi distance and increase its speed. It's good, but it's not currently set up as I'd like it to be.
    My kit...
    Netgear DG834v5 Modem/Wireless Router
    Apple Airport Extreme v5
    Currently the AEv5 is set up in Bridge mode, with the wireless of the Netgear switched off completely. As I understand it, this makes the Netgear a wired modem, from which the AEv5 acts as the replacement (improved) Wi-Fi mast.
    I want to change the AEv5 from Bridge mode to DHCP/DHCP+NAT for the following reasons...
    - I can then set up a 'guest' wi-fi network.
    - I can then see a full list of the devices interacting with my Wi-Fi signal and block any potential intrusions.
    I don't know the implications of whether or not the AEv5 controlling the NAT is a good thing or not, so...
    - Can someone please explain the difference and benefits/drawbacks of the AEv5 controlling NAT as well as DHCP?
    I then need to know...
    - How I can turn off all DHCP/NAT/DHCP+NAT on the Netgear?
    - How I can set up the AEv5 to do the DHCP/NAT/DHCP+NAT itself?
    Any help would be greatly appreciated as I've spent hours searching the net already with no luck. I'm out of my depth and out of ideas; if someone knows anything that could help me it'd be great to hear it!
    Cheers!

    Can't help with Netgear, since I have not used the device that you have there, but can offer a few thoughts about the AirPort Extreme.
    Currently the AEv5 is set up in Bridge mode, with the wireless of the Netgear switched off completely. As I understand it, this makes the Netgear a wired modem, from which the AEv5 acts as the replacement (improved) Wi-Fi mast.
    Correct. This makes the Netgear a wired modem/router, since it is also configured to handle DHCP and NAT services for the network.
    - Can someone please explain the difference and benefits/drawbacks of the AEv5 controlling NAT as well as DHCP?
    If you want to enable the Guest Network, then the AirPort Extreme must be configured to provide DHCP and NAT services.
    If you open AirPort Utility on your Mac, click on the AirPort Extreme icon, click Edit, then click the Network tab at the top of the screen, you will see that the AirPort Extreme is currently configured in a Router Mode of Bridge Mode.....which is the correct setting for the AirPort Extreme with your Netgear modem/router.
    To make the AirPort Extreme provide DHCP and NAT service, you would change the setting for the Router Mode to DHCP and NAT.  But, do not do this....yet.
    The DHCP only setting on the AirPort cannot be used if you want to enable the Guest Network. This setting is rarely used, and would only be required if your Internet Service Provider is furnishing you with a bank of fixed IP addresses....usually 4 or 5......to use for your connection and devices.
    - How I can turn off all DHCP/NAT/DHCP+NAT on the Netgear?
    Seems like that would be a question for Netgear support. It may....or may not....be possible to do this.
    Even if you do this, there will be no guarantees that this setting will work correctly with AirPort Extreme. 
    But, before you consider doing this, it would be a good idea to check with your Internet Service Provider to make sure that they will support this type of configuration.
    I'm sure that you will agree that it would be of little value if you configured the Netgear device to turn off DHCP and NAT and function in Bridge Mode, and then had a connection issue....and your service provider refused to help you.
    Perhaps your service provider has a simple modem that they could offer to you. That would work with the AirPort Extreme and you would not have to worry about trying to configure the Netgear to do something that it was not likely designed to do.

  • How can I make DHCP Service automatically assign IP addresses?

    We decided on using OS X Server's DHCP service rather than depend on our router to dole out IPs. Here's the size and shape of our local subnet:
    Range: 192.168.0.0 to 192.168.7.255
    Mask: 255.255.248.0
    Router: 192.168.1.1
    DNS: ....etc...
    We're trying to have the DHCP block managed as 192.168.2.0 through 192.168.2.255. Maybe I'm missing something, but shouldn't DHCP automatically assign IPs in that range every time someone plugs in a computer? Right now we're having to enter MAC + IP static maps manually into Server Admin, which is a major pain. How can we fix that so it becomes automatic?
    Here's how DHCP service is set on our quad-Ethernet Xserve Xeon. en0 / en1 / en2 / en3 are all set up the same, but only en0 is checked:
    GENERAL:
    Subnet Name: Our LAN (en0)
    Starting IP Address: 192.168.2.0
    Ending IP Address: 192.168.2.255
    Subnet Mask: 255.255.248.0
    Network Interface: en0
    Router: 192.168.1.1
    Lease Time: 4 hours
    DNS Servers:
    192.168.1.100.... etc.
    Default Search Domain: ourdomain.private
    LDAP:
    Server Name: (blank)
    Search Base: (blank)
    Port: (Leave blank to use the default port)
    [ ] LDAP over SSL
    URL:
    WINS:
    WINS/NBNS Primary Server: 10.0.1.20
    WINS/NBNS Secondary Server: 10.0.1.21
    NBDD Server: 1.0.1.22
    NBT Node Type: Not Set
    NetBIOS Scope ID: (blank)
    I'm stuck.... I thought all I'd have to do is define a suitable range, like the 256 addresses in the middle of our DHCP block, but it's not enough. Your help is certainly appreciated.
    - Bert

    This morning I stumbled onto the solution (at least a partial solution). I noticed in /var/log/system.log that there were warnings to the effect of "Hey -- you've got disabled DHCP ports that have conflicting ranges with your enabled DHCP port." Previously, I hadn't thought this was a major error, but when I deleted the three disabled ports from DHCP (en1, en2, and en3) and restarted DHCP then everything started working correctly. Hosts that were previously not getting IP addresses assigned because they weren't listed in Static Maps are now getting addresses.
    The log entries looked basically like this:
    Apr 19 09:54:38 myserver servermgrd[50]: servermgr_dhcp:bootp config:Error:Subnets 'My LAN (en2)' and 'My LAN (en0)' have overlapping ranges: '192.168.2.0-192.168.2.255' overlaps '192.168.2.0-192.168.2.255'
    Apr 19 09:54:38 myserver servermgrd[50]: servermgr_dhcp:bootp config:Error:Subnets 'My LAN (en2)' and 'My LAN (en3)' have overlapping ranges: '192.168.2.0-192.168.2.255' overlaps '192.168.2.0-192.168.2.255' - 'My LAN (en3)' is not active
    Apr 19 09:54:38 myserver servermgrd[50]: servermgr_dhcp:bootp config:Error:Subnets 'My LAN (en2)' and 'My LAN (en1)' have overlapping ranges: '192.168.2.0-192.168.2.255' overlaps '192.168.2.0-192.168.2.255' - 'My LAN (en1)' is not active
    Apr 19 09:54:38 myserver servermgrd[50]: servermgr_dhcp:bootp config:Error:Subnets 'My LAN (en0)' and 'My LAN (en2)' have overlapping ranges: '192.168.2.0-192.168.2.255' overlaps '192.168.2.0-192.168.2.255' - 'My LAN (en2)' is not active
    Apr 19 09:54:38 myserver servermgrd[50]: servermgr_dhcp:bootp config:Error:Subnets 'My LAN (en0)' and 'My LAN (en3)' have overlapping ranges: '192.168.2.0-192.168.2.255' overlaps '192.168.2.0-192.168.2.255' - 'My LAN (en3)' is not active
    : and so on
    The next problem I need to work through is why there's huge amounts of DHCP-related traffic in the logs. It's clogging up with stuff like this:
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP DISCOVER [en3]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: replying to 192.168.2.44
    Apr 19 10:33:40 fannxfile bootpd[54475]: OFFER sent <no hostname> 192.168.2.44 pktsize 303
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000404 seconds
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP DISCOVER [en0]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: replying to 192.168.2.44
    Apr 19 10:33:40 fannxfile bootpd[54475]: OFFER sent <no hostname> 192.168.2.44 pktsize 303
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000385 seconds
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP DISCOVER [en1]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: replying to 192.168.2.44
    Apr 19 10:33:40 fannxfile bootpd[54475]: OFFER sent <no hostname> 192.168.2.44 pktsize 303
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000363 seconds
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en2]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: replying to 192.168.2.44
    Apr 19 10:33:40 fannxfile bootpd[54475]: ACK sent <no hostname> 192.168.2.44 pktsize 303
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000597 seconds
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en3]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000103 seconds
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en0]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000298 seconds
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en1]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000153 seconds
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en2]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000134 seconds
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en3]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000139 seconds
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en0]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000125 seconds
    Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en1]: 1,0:e:8:eb:47:90 <SipuraSPA>
    Apr 19 10:33:40 fannxfile bootpd[54475]: service time 0.000174 seconds
    This is happening REALLY fast. Every second there's a block of log entries like the above. I don't get it because I've set the lease times to 4 hours. I'll reset the leases back to 12 hours, but I don't understand what's causing the rapid fire log entries.
    Perhaps the smart thing to do at this point is to reboot the server.
    To answer some of your specific questions:
    Q: Have you tried specifying the range as 192.168.0.1 - 192.168.7.254 instead? Please don't take this the wrong way but is the service actually running?
    A: Yes, definitely up and running. Hosts that are in the static map were getting addresses. After deleting the three disabled Ethernet ports with conflicting ranges, I'm also seeing hosts that have not been entered into static maps appearing with dynamic IP addresses, which is what we wanted.
    Regarding the suggestion to set the network range to 192.168.0.1 - 192.168.7.254: That's the range the way it was originally set, but I thought what the range was supposed to be was the smaller block of addresses you wanted DHCP to draw from out of your total subnet. I may be wrong, but doesn't DHCP service already know your total network size from the network mask? [255.255.248.0 in our case] This implies that our subnet ranges from 192.168.0.0 to 192.168.7.255 (including base and broadcast addresses at both ends).
    My thought was that the "Starting IP Address" and "Ending IP Address" wanted to be the range of addresses that I wanted to use as a pool for DHCP. Hence 192.168.2.0 through 192.168.2.255. We have devices with static IP addresses on our network (servers, printers, and our VoIP phone system, mostly) on 192.168.0.xxx, 192.168.1.xxx and 192.168.3.xxx, and if DHCP doubly assigns addresses in these ranges to our workstations, then we're in big trouble.
    Q: sudo serveradmin fullstatus dhcp
    A: ...that produces the following output now following deletion of the DHCP ports with conflicting ranges:
    fannxfile:log root# serveradmin fullstatus dhcp
    dhcp:setStateVersion = 1
    dhcp:servicePortsAreRestricted = "NO"
    dhcp:numConfiguredStaticMaps = 43
    dhcp:dhcpLeasesArray:arrayindex:0:timeLeft = 12201
    dhcp:dhcpLeasesArray:arrayindex:0:clientID = ""
    dhcp:dhcpLeasesArray:arrayindex:0:computerName = ""
    dhcp:dhcpLeasesArray:arrayindex:0:macAddress = "00:1b:63:17:a3:bd"
    dhcp:dhcpLeasesArray:arrayindex:0:ipAddress = "192.168.2.21"
    dhcp:dhcpLeasesArray:arrayindex:1:timeLeft = 12168
    dhcp:dhcpLeasesArray:arrayindex:1:clientID = ""
    dhcp:dhcpLeasesArray:arrayindex:1:computerName = ""
    dhcp:dhcpLeasesArray:arrayindex:1:macAddress = "00:1b:63:17:a3:bd"
    dhcp:dhcpLeasesArray:arrayindex:1:ipAddress = "192.168.2.9"
    dhcp:state = "RUNNING"
    dhcp:logPaths:systemLog = "/var/log/system.log"
    dhcp:backendVersion = "10.5"
    dhcp:timeOfModification = "2009-04-19 10:05:46 -0700"
    dhcp:numDHCPActiveClients = 2
    dhcp:numDHCPLeases = 2
    dhcp:timeOfSnapShot = "2009-04-19 10:43:09 -0700"
    dhcp:timeServiceStarted = "2009-04-19 10:05:46 -0700"
    dhcp:readWriteSettingsVersion = 1
    dhcp:servicePortsRestrictionInfo = emptyarray
    -- Bert Sierra
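    Two checks for the symptoms described in this thread, as an added example (not code from the post or from Apple's tools): the first finds DHCP subnet definitions whose ranges intersect, which servermgrd reports even when one side is disabled; the second reads bootpd log lines and reports, per client MAC, how many DISCOVER/REQUEST messages were logged and on which interfaces, so the reader can see whether one client exchange is being logged once per interface (the pattern the quoted log block has, and what would be expected if en0 through en3 share a broadcast domain, which is an inference, not something the post confirms). The subnet table and the log slice are constructed from what the post quotes.

```python
# Added example, not from the post: check DHCP subnet definitions for overlapping
# ranges and measure how many interfaces each client's broadcasts are logged on.
import ipaddress
import re
from collections import defaultdict

# Four definitions with the same range, only en0 enabled (constructed from the post).
SUBNETS = {
    "My LAN (en0)": ("192.168.2.0", "192.168.2.255", True),
    "My LAN (en1)": ("192.168.2.0", "192.168.2.255", False),
    "My LAN (en2)": ("192.168.2.0", "192.168.2.255", False),
    "My LAN (en3)": ("192.168.2.0", "192.168.2.255", False),
}

# A slice of the bootpd log quoted in the post (constructed sample input).
BOOTPD_LOG = """\
Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP DISCOVER [en3]: 1,0:e:8:eb:47:90 <SipuraSPA>
Apr 19 10:33:40 fannxfile bootpd[54475]: replying to 192.168.2.44
Apr 19 10:33:40 fannxfile bootpd[54475]: OFFER sent <no hostname> 192.168.2.44 pktsize 303
Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP DISCOVER [en0]: 1,0:e:8:eb:47:90 <SipuraSPA>
Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP DISCOVER [en1]: 1,0:e:8:eb:47:90 <SipuraSPA>
Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en2]: 1,0:e:8:eb:47:90 <SipuraSPA>
Apr 19 10:33:40 fannxfile bootpd[54475]: ACK sent <no hostname> 192.168.2.44 pktsize 303
Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en3]: 1,0:e:8:eb:47:90 <SipuraSPA>
Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en0]: 1,0:e:8:eb:47:90 <SipuraSPA>
Apr 19 10:33:40 fannxfile bootpd[54475]: DHCP REQUEST [en1]: 1,0:e:8:eb:47:90 <SipuraSPA>
"""

LOG_RE = re.compile(r"bootpd\[\d+\]: DHCP (DISCOVER|REQUEST) \[(\w+)\]: \d+,([0-9a-f:]+)")


def overlapping_subnets(subnets: dict, include_disabled: bool = True) -> list:
    """Pairs of subnet definitions whose address ranges intersect.

    With include_disabled=True this mirrors what servermgrd complains about;
    with False it shows what remains once the disabled definitions are deleted."""
    items = [(name, ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
             for name, (lo, hi, enabled) in subnets.items() if enabled or include_disabled]
    pairs = []
    for i, (n1, lo1, hi1) in enumerate(items):
        for n2, lo2, hi2 in items[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:     # closed ranges intersect
                pairs.append((n1, n2))
    return pairs


def client_interface_spread(log: str) -> dict:
    """Per client MAC: the set of interfaces its DISCOVER/REQUESTs were logged on
    and the total count. A MAC seen on several interfaces at the same second is
    one broadcast being received on each of them."""
    seen = defaultdict(lambda: {"interfaces": set(), "messages": 0})
    for m in LOG_RE.finditer(log):
        _msg, iface, mac = m.groups()
        seen[mac]["interfaces"].add(iface)
        seen[mac]["messages"] += 1
    return dict(seen)


if __name__ == "__main__":
    print("overlaps (all):", overlapping_subnets(SUBNETS))
    print("overlaps (enabled only):", overlapping_subnets(SUBNETS, include_disabled=False))
    print("client spread:", client_interface_spread(BOOTPD_LOG))
```

    On the constructed input all six pairs of definitions overlap, none remain once only the enabled definition is kept, and the single VoIP adapter's MAC is logged on all four interfaces: seven DISCOVER/REQUEST lines for what is, from the client's side, one exchange.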

  • DHCP reservation & DNS for content filtering

    Hi All,
    I am working around with server 2008 for quite a while and facing a problem as below,
    1.DHCP reservation error
    Server Ip:192.168.0.254 (configured as DNS server for local use only with AD & DHCP)
    DHCP scope: 192.168.0.100 to 192.168.0.200 excluded 192.168.0.100 to 192.168.0.110
    earlier the same scope was 192.168.0.10 to 192.168.0.100. I was facing a error when I make a IP reservation against a MAC number error was " The unique identifier may not be correct do you want to use the identifier anyway" when I click yes "DHCP
    server received a message from a client that is not valid" and by this error I am not able to make any reservations now against MAC numbers.
    The same error was also on the earlier scope and that's why changed to a new scope but did not work. Any solutions will me much appreciated
    2.DNS fine tuning. 
    I have an open DNS account on which my WAN IP number is configured to do a content filtering. I have two LAN ports with the below IP number
    Local : 192.168.0.254 ( configured with no gateway and DNS as loopback (127.0.0.1)
    ISP: 192.168.0.253 (with ISP gateway and DNS as loop back adapter & open DNS)
    I have did a content filtering and things are working fine. But I got to open up some machines out of this content filtering and when I try to give the IP number in this below fashion.
    192.168.0.115
    255.255.255.0
    192.168.0.1
    DNS
    192.168.0.254
    ISP DNS to avoid filtering
    I find that 192.168.0.254 does the resolving and things are still filtered as per the schedule. Is there a way we can configure 192.168.0.254 (local DNS server) to stop resolving web requests and only cater to resolving local names for connectivity?
    I know this is too long, but solutions for the same will help me solve it. Thanks in advance.
    Regards,
    Vaschell

    Hello,
    I have found something strange with the DHCP reservation. When I try to add a MAC address that is not on the network, it is able to make a reservation.
    Is there any way to clear the MAC address cache, or something else which I can try?
    A copy of the ipconfig /all for the server is below,
    C:\Users\Administrator>ipconfig /all
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : server
       Primary Dns Suffix  . . . . . . . : xyzabc.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : xyzabc.com
    Ethernet adapter LOCAL:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connectio
    #2
       Physical Address. . . . . . . . . : 00-1E-67-A4-F4-DC
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.254(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter ISP:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connectio
       Physical Address. . . . . . . . . : 00-1E-67-A4-F4-DB
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.253(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.0.1
       DNS Servers . . . . . . . . . . . : 127.0.0.1
                                           208.67.222.222
                                           208.67.220.220
       NetBIOS over Tcpip. . . . . . . . : Enabled
    PPP adapter RAS (Dial In) Interface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.0.205(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter Local Area Connection* 8:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{0602F6CF-4B32-491F-994A-3C0952DB54}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 9:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{6A14710B-A078-4AF9-BD7A-989767F377}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 11:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Local Area Connection* 12:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    C:\Users\Administrator>
    Thanks,
    Vaschell

  • 5508 internal DHCP server

    Hi,
    A client wants us to use the internal DHCP server on a 5508 instead of Windows DHCP. They will have 15 APs initially and up to 25 later. The docs on the 7.2 WLC make it sound like this is discouraged:
    Internal DHCP Server: The controllers contain an internal DHCP server. This server is typically used in branch offices that do not already have a DHCP server. The wireless network generally contains 10 access points or fewer, with the access points on the same IP subnet as the controller.
    In this case, the APs will not be in the same subnet as the Management interface.
    Is it a mistake to use the internal DHCP with up to 25 APs (3 WLANs)?
    Thanks.

    #DHCP proxy needs to be enabled to use the internal DHCP on the WLC. The WLC uses the virtual IP for DHCP and those packets are unicast, so keeping the AP on L3 doesn't work with internal DHCP. DHCP for wireless clients works because the packets are sent to the WLC via CAPWAP.
    #The DHCP required state can cause traffic to not be forwarded properly if a client is deauthenticated or removed. To overcome this problem, ensure that the DHCP required state is always disabled.
    Ans: it is expected behavior irrespective of DHCP being internal or external; it is a feature and not a disadvantage.
    Cons:
    #Can't have DHCP reservations.
    #Can't have option 43 or any other DHCP options.
    #The DHCP service can't be restarted; a WLC reboot is required if you need to.
    #If multiple WLCs are used, you need to create non-overlapping scopes on the other WLCs as well.
    #Wired clients cannot get an IP from the internal DHCP, so a separate network & DHCP server must be maintained for the wired network, and this requires routing.
    #From the WLC GUI you can't remove the client; you need to use the CLI.
    #A WLC reboot may clear the DHCP leases, though not 100% sure.

  • Mac Lion won't accept IP address sent from DHCP server

    Upgraded to Lion a few days ago.  Everything worked for a couple days.  Plug in the ethernet cable today and I never get an ip address with DHCP from my router.  I have 2 other devices plugged into the router and they get ip addresses normally.  Captured the DHCP communication to see if I was getting a valid DHCP offer and I am...it is included.  The Lion firewall is disabled.  For some reason Lion isn't accepting the DHCP offer.  Could this be a bug or maybe something in a cache needs to cleaned out.  I connect to several different networks daily and they all work except for this one.
    The line in Bold type shows the ip address being offered that never gets accepted by lion.
    No.     Time        Source                Destination           Protocol Info
         26 21.993141   10.19.39.97           255.255.255.255       DHCP     DHCP Offer    - Transaction ID 0x4e299603
    Frame 26 (353 bytes on wire, 353 bytes captured)
        Arrival Time: Aug  5, 2011 19:30:01.105566000
        [Time delta from previous captured frame: 0.001086000 seconds]
        [Time delta from previous displayed frame: 0.001086000 seconds]
        [Time since reference or first frame: 21.993141000 seconds]
        Frame Number: 26
        Frame Length: 353 bytes
        Capture Length: 353 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:bootp]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
        Destination: Broadcast (ff:ff:ff:ff:ff:ff)
            Address: Broadcast (ff:ff:ff:ff:ff:ff)
            .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
            .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        Source: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c)
            Address: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.19.39.97 (10.19.39.97), Dst: 255.255.255.255 (255.255.255.255)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 339
        Identification: 0x00fa (250)
        Flags: 0x00
            0.. = Reserved bit: Not Set
            .0. = Don't fragment: Not Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 255
        Protocol: UDP (0x11)
        Header checksum: 0x882c [correct]
            [Good: True]
            [Bad : False]
        Source: 10.19.39.97 (10.19.39.97)
        Destination: 255.255.255.255 (255.255.255.255)
    User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
        Source port: bootps (67)
        Destination port: bootpc (68)
        Length: 319
        Checksum: 0x038d [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Bootstrap Protocol
        Message type: Boot Reply (2)
        Hardware type: Ethernet
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0x4e299603
        Seconds elapsed: 0
        Bootp flags: 0x8000 (Broadcast)
            1... .... .... .... = Broadcast flag: Broadcast
            .000 0000 0000 0000 = Reserved flags: 0x0000
        Client IP address: 0.0.0.0 (0.0.0.0)
        Your (client) IP address: 10.19.39.98 (10.19.39.98)
        Next server IP address: 0.0.0.0 (0.0.0.0)
        Relay agent IP address: 0.0.0.0 (0.0.0.0)
        Client MAC address: Apple_17:fd:5d (c4:2c:03:17:fd:5d)
        Client hardware address padding: 00000000000000000000
        Server host name not given
        Boot file name not given
        Magic cookie: (OK)
        Option: (t=53,l=1) DHCP Message Type = DHCP Offer
            Option: (53) DHCP Message Type
            Length: 1
            Value: 02
        Option: (t=54,l=4) DHCP Server Identifier = 10.19.39.97
            Option: (54) DHCP Server Identifier
            Length: 4
            Value: 0A132761
        Option: (t=51,l=4) IP Address Lease Time = 1 day, 23 hours, 39 minutes, 50 seconds
            Option: (51) IP Address Lease Time
            Length: 4
            Value: 00029E46
        Option: (t=58,l=4) Renewal Time Value = 23 hours, 49 minutes, 55 seconds
            Option: (58) Renewal Time Value
            Length: 4
            Value: 00014F23
        Option: (t=59,l=4) Rebinding Time Value = 1 day, 17 hours, 42 minutes, 16 seconds
            Option: (59) Rebinding Time Value
            Length: 4
            Value: 00024A78
        Option: (t=1,l=4) Subnet Mask = 255.255.255.240
            Option: (1) Subnet Mask
            Length: 4
            Value: FFFFFFF0
        Option: (t=6,l=8) Domain Name Server
            Option: (6) Domain Name Server
            Length: 8
            Value: AB44E278AB46A8B7
            IP Address: 171.68.226.120
            IP Address: 171.70.168.183
        Option: (t=44,l=8) NetBIOS over TCP/IP Name Server
            Option: (44) NetBIOS over TCP/IP Name Server
            Length: 8
            Value: AB443935AD2573BF
            IP Address: 171.68.57.53
            IP Address: 173.37.115.191
        Option: (t=3,l=4) Router = 10.19.39.97
            Option: (3) Router
            Length: 4
            Value: 0A132761
        End Option

    I have seen the same issue with my iOS and Mac OS devices (iPhone and MacBook Pro). I have written my own DHCP server (http://notebook.kulchenko.com/embedded/dhcp-and-dns-servers-with-arduino) and have had troubles getting my devices to connect (Windows Vista and Ubuntu devices connect fine). I suspect that this problem happens because the DHCP Offer message is sent to a broadcast address, even though (at least in my case) the broadcast flag is off in the DHCP Discover message I see.
    Unfortunately you didn't include the Discover message, so I can't tell for sure, but if it indeed has the broadcast flag set to 0, then the server should send the response message using unicast as per DHCP spec (http://www.ietf.org/rfc/rfc2131.txt, section 4.1):
      If the broadcast bit is not set and 'giaddr' is zero and
       'ciaddr' is zero, then the server unicasts DHCPOFFER and DHCPACK
       messages to the client's hardware address and 'yiaddr' address.
    So, it seems like in this case the server may be at fault, even though it would be nice for Mac OS to accept broadcast responses (and would solve my problem too).
    Can someone confirm that Mac OS does not accept broadcast responses to DHCP Discover and DHCP Request messages? Thanks.
    Paul.
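The RFC 2131 section 4.1 rule quoted above, written out as code. This is an added example and not part of Paul's post or his Arduino server: `reply_destination` is the decision a server must make (giaddr, then ciaddr, then the broadcast bit, else unicast to chaddr/yiaddr), and `check_offer` is the sanity check a client makes before accepting an OFFER, including the requirement from RFC 2131 table 3 that the server copies the client's 'flags' field into DHCPOFFER/DHCPACK. The messages are constructed here with the xid and client MAC seen in the capture above; nothing else about the real exchange is assumed.

```python
import ipaddress
import struct

# Fixed 236-byte BOOTP header (RFC 2131 figure 1), network byte order; options follow the cookie.
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_HDR)          # 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BROADCAST_FLAG = 0x8000                          # leftmost bit of the 'flags' field
BOOTREQUEST, BOOTREPLY = 1, 2


def build_message(op, xid, client_mac, flags=0, ciaddr="0.0.0.0",
                  yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Constructed DHCP message (fixed header + magic cookie, no options) for the example."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    return struct.pack(BOOTP_HDR, op, 1, 6, 0, xid, 0, flags,
                       ipaddress.IPv4Address(ciaddr).packed,
                       ipaddress.IPv4Address(yiaddr).packed,
                       b"\x00" * 4,                              # siaddr, unused here
                       ipaddress.IPv4Address(giaddr).packed,
                       chaddr, b"\x00" * 64, b"\x00" * 128) + MAGIC_COOKIE


def parse_bootp(packet):
    """Parse the header fields that decide where a reply is addressed."""
    if len(packet) < BOOTP_LEN:
        raise ValueError("truncated BOOTP header")
    (op, _htype, hlen, _hops, xid, _secs, flags, ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(BOOTP_HDR, packet[:BOOTP_LEN])
    return {
        "op": op, "xid": xid, "flags": flags,
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
    }


def reply_destination(client_msg, yiaddr):
    """Where a server must send DHCPOFFER/DHCPACK for this client message (RFC 2131 s4.1)."""
    h = parse_bootp(client_msg)
    if h["giaddr"] != "0.0.0.0":
        # Relayed request: reply goes to the relay agent on the server port; MAC via normal ARP.
        return {"ip": h["giaddr"], "port": 67, "mac": None, "how": "relay"}
    if h["ciaddr"] != "0.0.0.0":
        # Client already has an address (RENEWING/REBINDING/INFORM): unicast to it.
        return {"ip": h["ciaddr"], "port": 68, "mac": h["chaddr"], "how": "unicast-ciaddr"}
    if h["flags"] & BROADCAST_FLAG:
        # Client asked for broadcast because it cannot receive unicast before it has an IP.
        return {"ip": "255.255.255.255", "port": 68, "mac": "ff:ff:ff:ff:ff:ff", "how": "broadcast"}
    # Broadcast bit clear, giaddr and ciaddr zero: unicast to chaddr / yiaddr.
    return {"ip": yiaddr, "port": 68, "mac": h["chaddr"], "how": "unicast-yiaddr"}


def check_offer(client_msg, offer):
    """Checks a client makes before accepting an OFFER; returns the problems found."""
    c, o = parse_bootp(client_msg), parse_bootp(offer)
    problems = []
    if o["op"] != BOOTREPLY:
        problems.append("offer is not a BOOTREPLY")
    if o["xid"] != c["xid"]:
        problems.append("xid 0x%08x in offer differs from 0x%08x in client message" % (o["xid"], c["xid"]))
    if o["chaddr"] != c["chaddr"]:
        problems.append("chaddr in offer is not ours")
    if o["flags"] != c["flags"]:
        # RFC 2131 table 3: 'flags' in DHCPOFFER/DHCPACK are copied from the client's message.
        problems.append("flags 0x%04x in offer differ from 0x%04x in client message" % (o["flags"], c["flags"]))
    if o["yiaddr"] == "0.0.0.0":
        problems.append("offer carries no yiaddr")
    return problems


if __name__ == "__main__":
    # Constructed DISCOVER with the xid and MAC from the capture; flags left at 0 (no broadcast bit).
    discover = build_message(BOOTREQUEST, 0x4E299603, "c4:2c:03:17:fd:5d")
    print(reply_destination(discover, "10.19.39.98"))
    offer = build_message(BOOTREPLY, 0x4E299603, "c4:2c:03:17:fd:5d",
                          flags=BROADCAST_FLAG, yiaddr="10.19.39.98")
    print(check_offer(discover, offer))
```

Run against a real capture, `check_offer` is the quickest way to settle Paul's question: feed it the bytes of the client's DISCOVER and the server's OFFER and it reports whether the server changed the flags field or mis-addressed the reply.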

  • DHCP requests through ASA

    Hi ,
    I have ASA5585 in routed mode (Check the attached diagram) , and my DHCP client on the inside , while the DHCP server is on the outside.
    I know that ASA can be configured as a DHCP relay , but there is a condition
    “DHCP clients must be directly connected to the ASA and cannot send requests through another relay agent or a router”
    Is this means that the setup in the attached diagram cannot work ?
    Is there any other way to make it work , without changing the ASA to transparent mode?

    Hi,
    I think the text above refers to a situation where you are actually using the ASA to relay DHCP messages.
    You couldn't therefore use the ASA to relay DHCP messages that were relayed by another device behind the ASA. Though I don't know why the DHCP messages would need to be relayed twice.
    But as we can see in this case the L3 switch is the device that handles the relay of DHCP messages to the actual DHCP server, and the ASA doesn't have to do anything related to DHCP other than pass the unicast UDP traffic. Therefore you wouldn't be configuring any DHCP related settings on the ASA and the above quote/limitation wouldn't apply to your setup.
    So it seems to me that you can leave out all the DHCP/DHCP relay configurations from the ASA and just allow the traffic originating from the L3 switch.
    I might be able to lab this for you at some point on my home network if needed (though naturally with a different ASA model). I think we have several environments at work already that use an ASA5585-X (multiple context mode) where the customer router uses "ip helper-address" to relay DHCP messages to a DHCP server located on a DMZ interface of the ASA context.
    - Jouni

  • How to set up both static and DHCP assigned addresses on an AirPort Extreme

    I recently bought an AirPort Extreme to replace my failed Cisco/Linksys router.
    I am having trouble figuring out how I can configure the Extreme to support the already static IP addresses on my network as well as assign IP addresses via DHCP to a few devices where static IPs are not supported, i.e., work laptop.
    Additionally, when DHCP is turned on, are my only options the 10.0, 172.16, and 192.168? What if I am running something like 10.10 or 172.30?
    I am far from green when setting up computer networks, but this AirPort Extreme is making me pull my hair out.
    BTW, I have access to a number of computers running a number of OSes including Windows XP, 7, and 8, as well as Mac OS X Snow Leopard and Mountain Lion.
    The Mountain Lion or Windows 7 machine would be the preferred ones to configure the Extreme. I already have the AirPort Utility software running on them.
    Any help would be appreciated.

    I have found the 'DHCP Reservations' option on the AirPort Extreme to be buggy.  I seem to remember it causing IP conflicts for some reason.  I think what I remember is that if the computer with the reservation was off, and the DHCP server then handed out that IP to another DHCP client, then there would be a conflict when the reserved IP computer was turned back on.  Maybe it was an issue in earlier versions of the AE or OS X as the case may be, and maybe it's been corrected, but I've never bothered using it again since the method I describe below has always worked without fail.  Also, I'm guessing DHCP Reservations would work fine if one manually enters IPs outside of the DHCP range, but in the AE 'DHCP Reservation Setup Assistant' the IP options provided are within the DHCP range, which to me makes no sense and increases the potential for IP conflicts.
    Here's what I do to set up a mixed environment of static and dynamic IPs on my network.  It works like a charm and does not require the DHCP server (beyond the distribution of dynamic IPs to hosts using DHCP).
    For machines on my network that are accepting services from the public network, I set them up with static IPs using the 'Manually' option (System Preferences/Network/Ethernet/Configure IPv4).  The settings for 'Router' IP address and 'DNS Server' IP address should both be set to your gateway/router LAN IP.  Use an IP address below or above the DHCP range of addresses (in AE/Internet/DHCP/DHCP Beginning & Ending Address).
    i.e. if my subnet is 10.0.1.1 and my DHCP range is 10.0.1.100 to 10.0.1.150, you could set the static IPs on your local hosts as 10.0.1.x where x = any number from 2 - 99 or from 151 - 200 as an example.
    All other machines and devices that do not require static routing are set up as DHCP clients and get a dynamic IP from the AE.  To me it's a simpler setup, though it might take a little extra time to set up initially.
    John
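The rule John describes (static addresses inside the subnet but outside the DHCP pool, with no two hosts sharing an address) is easy to get wrong by hand once a network has a few dozen reservations. As an added example, not part of John's answer, here is a small checker for such a plan; the subnet 10.0.1.0/24 and the host list are assumptions built from the numbers in his post.

```python
import ipaddress


def plan_issues(subnet, pool_start, pool_end, static_hosts):
    """Check a mixed static/DHCP address plan; returns a list of human-readable problems.

    subnet          - the LAN, e.g. "10.0.1.0/24"
    pool_start/end  - first and last address the DHCP server may hand out
    static_hosts    - {"hostname": "ip"} for manually configured machines
    """
    net = ipaddress.ip_network(subnet, strict=True)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    issues = []
    if lo not in net or hi not in net:
        issues.append(f"DHCP pool {lo}-{hi} is not inside {net}")
    if lo > hi:
        issues.append(f"DHCP pool start {lo} is after end {hi}")
    if lo == net.network_address or hi == net.broadcast_address:
        issues.append("DHCP pool includes the network or broadcast address")
    seen = {}                                  # ip -> first host that claimed it
    for host, ip_s in static_hosts.items():
        ip = ipaddress.ip_address(ip_s)
        if ip not in net:
            issues.append(f"{host}: {ip} is outside {net}")
        elif ip in (net.network_address, net.broadcast_address):
            issues.append(f"{host}: {ip} is the network/broadcast address")
        elif lo <= ip <= hi:
            # The failure mode John saw: the DHCP server can hand this address to someone else.
            issues.append(f"{host}: {ip} lies inside the DHCP pool and can be handed out to another client")
        if ip in seen:
            issues.append(f"{host}: {ip} duplicates {seen[ip]}")
        seen.setdefault(ip, host)
    return issues


if __name__ == "__main__":
    # Constructed plan: router and NAS are fine, the printers are not.
    hosts = {"router": "10.0.1.1", "nas": "10.0.1.10", "printer": "10.0.1.120", "printer2": "10.0.1.10"}
    for issue in plan_issues("10.0.1.0/24", "10.0.1.100", "10.0.1.150", hosts):
        print(issue)
```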

  • I give up! I need help to solve this problem.

    Just a heads up you will need coffee.
    Please this is driving me mad and I cannot solve it I really, really can't! So here it is in a nutshell because I'm done! With trying to solve this by myself because clearly I'm not getting it.
    So here is my understanding, in short, a 101 of networking put simply, just as a base of understanding..... you get an IP from your ISP with a gateway IP in a subnet range, and within that range you ARP to send from your IP to another IP in that range for the MAC (technically this MAC can still be the ISP gateway MAC and route by IP without knowing the MAC for that other IP in your subnet but.... works either way), and to send from your IP to an IP outside the subnet you're in, you send to the ISP gateway MAC where it will be routed.
    This is from Windows 7, and when you ARP, that MAC e6-1f-6d-6c-db-da is my ISP: for all of 10., for all of 172.16. to 172.31., for all of 192.168. and 169.254. it replies with that MAC, every-single-one! From a request by ARP with IP sender like 77.96.238.3 (if that was my IP) in 255.255.254.0 for those target IPs! (except the ones in the subnet you're in) The reply comes from my ISP gateway basically saying that for sending to IPs in 10., all of 172.16. to 172.31., all of 192.168. and 169.254., it is over where my ISP gateway IS! IT'S NOT!
    C:\Windows\system32>arp -a
    Interface: 77.96.238.3 --- 0x13
    Internet Address    Physical Address      Type
    10.0.0.1                e6-1f-6d-6c-db-da      dynamic ]< NOT
    10.0.0.2                e6-1f-6d-6c-db-da      dynamic ]<-NOT
    10.0.0.3                e6-1f-6d-6c-db-da      dynamic ]<-NOT
    10.0.0.4                e6-1f-6d-6c-db-da      dynamic ]<-NOT
    77.96.238.1           e6-1f-6d-6c-db-da      dynamic      }-OK
    77.96.238.2           9d-d3-6d-4d-ad-c5      dynamic     }-OK
    77.96.238.4           20-8e-f2-0a-ef-c1      dynamic       }-OK
    77.96.238.5           4c-d3-3d-cd-7f-cd      dynamic      }-OK
    77.96.238.6           80-e5-2a-c4-7e-31      dynamic     }-OK
    77.96.239.0           0c-b0-5d-09-d5-01      dynamic     }-OK
    77.96.239.2           50-1f-33-4b-bd-05      dynamic      }-OK
    77.96.239.3           8c-b0-5d-15-d0-79      dynamic     }-OK
    77.96.239.4           1c-d3-6d-ea-5c-0d      dynamic     }-OK
    77.96.239.5           60-e5-2a-c8-94-59      dynamic     }-OK
    172.16.0.0           e6-1f-6d-6c-db-da      dynamic ]< NOT
    172.16.0.1           e6-1f-6d-6c-db-da      dynamic ]<-NOT
    172.16.0.2           e6-1f-6d-6c-db-da      dynamic ]<-NOT
    172.16.0.3           e6-1f-6d-6c-db-da      dynamic ]<-NOT
    192.168.0.0         e6-1f-6d-6c-db-da      dynamic ]<-NOT
    192.168.0.1         e6-1f-6d-6c-db-da      dynamic ]<-NOT
    192.168.0.2         e6-1f-6d-6c-db-da      dynamic ]<-NOT
    192.168.0.3         e6-1f-6d-6c-db-da      dynamic ]<-NOT
    224.0.0.22           01-00-5e-00-00-16     static
    224.0.0.252         01-00-5e-00-00-fc      static
    224.1.1.1             01-00-5e-01-01-01     static
    255.255.255.255   ff-ff-ff-ff-ff-ff                static
    The XP TCP/IP stack does not do this, and you might think that my Windows 7 has a problem; it does not, because the TCP/IP stack in Windows 7 is a rebuild of what the TCP/IP stack was like in XP, but what's done is done and that is how the Windows 7 TCP/IP stack is, and that should be an eye opener as to why nothing has been done about this, but that's just me saying that, but it's not really a TCP/IP stack problem. So is that my ISP's problem? The answer is no, because even if my ISP did not reply you can still send requests from a valid IP like 77.96.238.3 to your ISP, an ARP with a target IP that does not and should not exist, out to your ISP gateway, like 192.168.0.1, yet you can.
    The simple fact is this: there is no, none and nothing to make an ACL for ARP to drop the target/sender IPs for the 0806 Ethertype.
    And I have tried this Dynamic ARP Inspection with both DHCP Snooping/Relay and ARP Inspection in a two-port VLAN, on the right port for this Trusted Interface to be on, and Enabled VLANs for ARP Inspection is set with ARP Inspection Status & ARP Packet Validation enabled, and in DHCP Snooping/Relay with DHCP Snooping Status & Verify MAC Address enabled and VLAN set for DHCP Snooping. Does not stop this.
    Maybe, just maybe, if the DHCP Snooping looked at Options 1 & 3 for the Subnet Mask & Router to know the range, then ARP Inspection could drop ARP for target IPs outside that range, because like I said, to send from your IP to an IP outside the subnet you're in you send to the ISP gateway MAC where it will be routed; only then would that Dynamic ARP Inspection work as I was hoping for, but sadly no.
    So please tell me why I can't simply drop ARP for given target/sender IPs. Is there another way (and NAT is not a solution) that ideally makes ARP from 77.96.238.3 as the sender for a request for a target IP of 10., all of 172.16. to 172.31., all of 192.168. and 169.254. NOT reach my ISP, BUT allows ARP from 77.96.238.3 as the sender for a request for a target IP within the given subnet to my ISP for a reply?
    A million THANK YOU to anyone for helping me with this

    I really do not get why providing a config would help, because if you have a config that does what I need, should it not be you to provide a config or tell me how? Why not tell me how if you know how? Because I need to understand how, if you know what I need to do.
    But here is how its setup:
    Administration
    System Mode L3
    VLAN Management
    Default VLAN Settings 20
    GE1-GE7 and GE10 VLAN 20 Trunk Untagged with GE8-GE9 Forbidden
    GE8-GE9 VLAN 10 Trunk Untagged with GE1-GE7 and GE10 Forbidden
    IP Configuration
    IPv4 Interface VLAN 20 Static 192.168.1.254 255.255.255.0 Valid
    DHCP Snooping/Relay
    DHCP Snooping Status: Enable - ticked
    Verify MAC Address: Enable - ticked
    Interface Settings
    VLAN 10 DHCP with Snooping Enable - ticked
    DHCP Snooping Trusted Interfaces
    GE9 Trusted Interface Yes
    GE1-GE8 and GE10 Trusted Interface No
    ARP Inspection
    ARP Inspection Status: Enable - ticked
    ARP Packet Validation: Enable- ticked
    Interface Settings
    GE9 Trusted Interface Yes
    GE1-GE8 and GE10 Trusted Interface No
    VLAN Settings
    Enabled VLANs VLAN 10
    Access Control
    IPv4-Based ACL – note this is based on Ethertype 0800; it will not help me drop ARP, which is Ethertype 0806. This really does not help, it really does not, but works for 0800, not for the 0806 Ethertype.
    Dropsetin
    Dropsetintoout
    IPv4-Based ACE for Dropsetin
    Priority    Action  Protocol  Source IP    Source wildcard  Dest IP      Dest wildcard
    100         Deny    Any (IP)  Any          Any              192.168.0.0  0.0.255.255
    101         Deny    Any (IP)  192.168.0.0  0.0.255.255      Any          Any
    102         Deny    Any (IP)  Any          Any              10.0.0.0     0.255.255.255
    104         Deny    Any (IP)  Any          Any              172.16.0.0   0.15.255.255
    105         Deny    Any (IP)  172.16.0.0   0.15.255.255     Any          Any
    106         Deny    Any (IP)  Any          Any              169.254.0.0  0.0.255.255
    107         Deny    Any (IP)  169.254.0.0  0.0.255.255      Any          Any
    2147483647  Permit  Any (IP)  Any          Any              Any          Any
    IPv4-Based ACE for Dropsetintoout
    Priority    Action  Protocol  Source IP    Source wildcard  Dest IP      Dest wildcard
    100         Deny    Any (IP)  Any          Any              192.168.0.0  0.0.255.255
    101         Deny    Any (IP)  192.168.0.0  0.0.255.255      Any          Any
    102         Deny    Any (IP)  Any          Any              10.0.0.0     0.255.255.255
    103         Deny    Any (IP)  10.0.0.0     0.255.255.255    Any          Any
    104         Deny    Any (IP)  Any          Any              172.16.0.0   0.15.255.255
    105         Deny    Any (IP)  172.16.0.0   0.15.255.255     Any          Any
    106         Deny    Any (IP)  Any          Any              169.254.0.0  0.0.255.255
    107         Deny    Any (IP)  169.254.0.0  0.0.255.255      Any          Any
    2147483647  Permit  Any (IP)  Any          Any              Any          Any
    ACL Binding for Dropsetin
    GE9
    ACL Binding for Dropsetintoout
    GE8
    And added an IPv6-Based ACL, not that there's any point yet.
    And added rules for modem status: Source IP 192.168.100.1 0.0.0.0 Source port 80 in Dropsetin before the 192.168.0.0 drop, and Destination IP 192.168.100.1 0.0.0.0 Destination port 80 before the 192.168.0.0 drop in Dropsetintoout.
    Message was edited by: Peter __
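Peter's IPv4 ACLs only match Ethertype 0x0800, so they never see ARP, and what he wants from DAI is a check on the target address that DAI does not make. As an added example, not from his post and not a feature of his switch, the following is the filter he describes, written as a reference model in userland: it parses the Ethernet/ARP frame, applies the two checks DAI does make on an untrusted port (sender MAC equal to the frame's source MAC, which is what "ARP Packet Validation" adds, and sender IP/MAC present in the DHCP-snooping or static binding table), and then adds his rule that both the sender and the target address must lie in the port's configured subnet, which subsumes his deny list for 10/8, 172.16/12, 192.168/16 and 169.254/16. The subnet 77.96.238.0/23 is inferred from the address and mask in his post, the binding table and MACs are constructed, and the subnet is configured rather than learned from DHCP options 1 and 3 as he suggested.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ANY_IP = ipaddress.IPv4Address("0.0.0.0")


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(src_mac, oper, sha, spa, tha, tpa, dst_mac=BROADCAST_MAC):
    """Constructed Ethernet + ARP frame (oper 1 = request, 2 = reply) for the example."""
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                      mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame):
    """ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"src_mac": src.hex(":"), "oper": oper,
            "sha": sha.hex(":"), "spa": ipaddress.IPv4Address(spa),
            "tha": tha.hex(":"), "tpa": ipaddress.IPv4Address(tpa)}


def arp_verdict(frame, local_net, bindings):
    """Decide whether an ARP frame arriving on an untrusted port may be forwarded.

    local_net - IPv4Network configured on the port's VLAN
    bindings  - {ip: mac} learned by DHCP snooping or configured statically
    Returns "permit" or "drop: <reason>".
    """
    arp = parse_arp(frame)
    if arp is None:
        return "permit"                 # not ARP; IP traffic is the IPv4 ACL's job
    if arp["sha"] != arp["src_mac"]:    # DAI 'validate src-mac'
        return "drop: sender hardware address %s != frame source %s" % (arp["sha"], arp["src_mac"])
    spa, tpa = arp["spa"], arp["tpa"]
    probing = spa == ANY_IP             # RFC 5227 ARP probe: sender IP 0.0.0.0, no binding yet
    if not probing and spa not in local_net:
        return "drop: sender %s is not in %s" % (spa, local_net)
    if tpa not in local_net:            # the rule Peter asked for
        return "drop: target %s is not in %s (nothing on this segment answers for it)" % (tpa, local_net)
    if probing:
        return "permit"
    bound = bindings.get(str(spa))      # DAI IP/MAC check against the snooping database
    if bound is None:
        return "drop: no DHCP snooping or static binding for %s" % spa
    if bound.lower() != arp["sha"]:
        return "drop: %s is bound to %s, not %s" % (spa, bound, arp["sha"])
    return "permit"


if __name__ == "__main__":
    net = ipaddress.ip_network("77.96.238.0/23")       # assumed from 77.96.238.3 / 255.255.254.0
    bindings = {"77.96.238.3": "00:11:22:33:44:55"}    # constructed
    me = "00:11:22:33:44:55"
    for target in ("77.96.238.1", "192.168.0.1", "10.0.0.1"):
        f = build_arp(me, 1, me, "77.96.238.3", "00:00:00:00:00:00", target)
        print(target, "->", arp_verdict(f, net, bindings))
```

On a real switch the same three checks are what DAI plus a VLAN-scoped ARP ACL would give you; the target-address test is the part that has to be expressed separately, since DAI only validates the sender side.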

  • Solaris 10 connection to the internet

    Not sure if this is the same question as the post below (http://forum.java.sun.com/thread.jspa?threadID=5235282&tstart=0) But i thought i would ask anyway.
    I need to connect to the internet on a sun ultra 10 running solaris 10.
    The broadband box is an Orange Livebox - 3DF0 and the Sun is connected to a Netgear 4 port ethernet hub. This comes off the Livebox.
    I don't know where to start in setting it up.
    Thanks
    Dan

    OK, this is what I get
    # ifconfig -aplumb
    usage: ifconfig illegal option -- p
    usage: ifconfig <interface> | -a [ 4 | 6 | D ][ u | d ][ z ]
    [ < addr_family>]
    [ <address>[/prefix_length] ] [<address>/prefix_length>] ]
    [ set ] <address>[]/<prefix_length>[ <address>/<prefix_length>] ]
    [ destination <dest_address> ]
    [ addif <address>[/<prefix_lengthL>] [ <dest_address> ] ]
    [ removeif <address>[/<prefix_length>] ]
    [ arp | - arp ]
    [ auto-revarp ]
    [ broadcast <broad_addr> ]
    [ index <if_index> ]
    [ metric <n> ] [ mtu <n> ]
    [ netmask <mask> ]
    [ plumb ] [ unplumb ]
    [ preferred | -preferred ]
    [ private | -private ]
    [ local | -local ]
    [ router | -router ]
    [ subnet <subnet_address>]
    [ trailers | -trailers ]
    [ token <address>/<prefix_length> ]
    [ tsrc <tunnel_src_address> ]
    [ tdst <tunnel_dest_address> ]
    [ auth_algs <tunnel_AH_authentication_algorithm> ]
    [ encr_algs <tunnel_ESP_encryption_algorithm> ]
    [ encr_auth_algs <tunnel_ESP_authentication_algorithm> ]
    [ up ] [ down ]
    [ xmit | -xmit ]
    [ modlist ]
    [ modinsert <module_name@position> ]
    [ modremove <module_name@position> ]
    [ group <groupname> | [ group "]
    [ deprecated | -deprecated ]
    [ standby | -standby ]
    [ failover | -failover ]
    [ zone <zonename> | -zone ]
    [ usesrc <interface> ]
    [ all-zones ]
    or
    ifconfig <interface> | -a[ 4 | 6 | D ] [ u | d ]
    auto-dhcp | dhcp
    [ wait <time> | forever ]
    [ primary ]
    start | drop | ping | release | status | inform
    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index
    1
    inet 127.0.0.1 netmask ff000000
    Thanks

  • How to find which port on the switch that it connected with Mac address?

    Hi,
    I am trying to find which port of the switch a device is connected to through its MAC address.
    I am able to get the MAC address from the IP address when I do
    "show ip dhcp binding snooping" at the core switch.
    But when I move on to the edge switch to check which port the PC with this MAC address is connected to, I get no result (only the trunk port result).
    I use sh ip arp | inc 000d.60cb.445d
    but it didn't give me which port it is connected to.
    How do I solve this problem?
    thanks!
    KL

    Hi KL,
    If you are already on the edge switch you can run the command "sh mac-address-table address " and it will give you the port number.
    In case you get a port which is a trunk port, that means the end device does not exist on this switch and exists on some downstream switch. So you can just find out the IP address of the downstream switch with the "sh cdp neigh detail" command, connect to that downstream switch, and then again issue the command "sh mac-address-table address " and check the port number, and follow the above steps until you reach the switch on which the end host is connected.
    HTH, if yes please rate the post.
    Ankur
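Ankur's procedure (look the MAC up, and if it sits on a trunk, follow CDP to the neighbour on that trunk and repeat) is exactly what a tracing script does, and the part that bites in practice is that `show mac-address-table` prints short interface names while CDP prints long ones. As an added example, not part of Ankur's answer, here is that loop over constructed CLI output; the switch names, IPs and ports are made up, the MAC is the one from the question, and `fake_run` stands in for whatever sends a command to a switch and returns its output.

```python
import re

# Constructed CLI output standing in for an SSH session to each switch.
FAKE_SWITCHES = {
    "CORE": {
        "show mac-address-table address 000d.60cb.445d": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000d.60cb.445d    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 1
""",
        "show interfaces trunk": """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/24    on               802.1q         trunking      1
Gi1/0/25    on               802.1q         trunking      1
""",
        "show cdp neighbors detail": """\
-------------------------
Device ID: ACCESS-SW1
Entry address(es):
  IP address: 10.1.1.11
Interface: GigabitEthernet1/0/24,  Port ID (outgoing port): GigabitEthernet0/1
-------------------------
Device ID: ACCESS-SW2
Entry address(es):
  IP address: 10.1.1.12
Interface: GigabitEthernet1/0/25,  Port ID (outgoing port): GigabitEthernet0/1
""",
    },
    "ACCESS-SW1": {
        "show mac-address-table address 000d.60cb.445d": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000d.60cb.445d    DYNAMIC     Fa0/7
""",
        "show interfaces trunk": """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
""",
        "show cdp neighbors detail": "",
    },
}


def fake_run(switch, command):
    """Stand-in for a real session: returns the canned output for (switch, command)."""
    return FAKE_SWITCHES[switch][command]


SHORT = {"GigabitEthernet": "Gi", "FastEthernet": "Fa", "TenGigabitEthernet": "Te"}


def short_ifname(name):
    """'GigabitEthernet1/0/24' and 'Gi1/0/24' both become 'Gi1/0/24'."""
    m = re.match(r"([A-Za-z]+)(\d.*)$", name.strip())
    if not m:
        return name.strip()
    return SHORT.get(m.group(1), m.group(1)[:2]) + m.group(2)


def mac_port(output, mac):
    for line in output.splitlines():
        m = re.match(r"\s*\d+\s+([0-9a-fA-F.]{14})\s+\S+\s+(\S+)", line)
        if m and m.group(1).lower() == mac.lower():
            return short_ifname(m.group(2))
    return None


def trunk_ports(output):
    return {short_ifname(m.group(1))
            for m in re.finditer(r"^(\S+)\s+\S+\s+\S+\s+trunking\b", output, re.M)}


def cdp_neighbor_on(output, port):
    """(device id, ip) of the CDP neighbour learned on `port`, or None."""
    for entry in output.split("-------------------------"):
        dev = re.search(r"Device ID:\s*(\S+)", entry)
        ip = re.search(r"IP address:\s*(\S+)", entry)
        intf = re.search(r"^Interface:\s*([^,]+),", entry, re.M)
        if dev and intf and short_ifname(intf.group(1)) == port:
            return dev.group(1), (ip.group(1) if ip else None)
    return None


def trace_mac(run, start_switch, mac, max_hops=8):
    """Follow `mac` over trunks until it is seen on a non-trunk port; returns [(switch, port), ...]."""
    path, switch, visited = [], start_switch, set()
    while len(path) < max_hops:
        if switch in visited:
            raise RuntimeError("loop: %s already visited" % switch)
        visited.add(switch)
        port = mac_port(run(switch, "show mac-address-table address %s" % mac), mac)
        if port is None:
            raise LookupError("%s not in the MAC table of %s" % (mac, switch))
        path.append((switch, port))
        if port not in trunk_ports(run(switch, "show interfaces trunk")):
            return path                       # edge port reached
        nbr = cdp_neighbor_on(run(switch, "show cdp neighbors detail"), port)
        if nbr is None:
            raise LookupError("%s %s is a trunk but has no CDP neighbour" % (switch, port))
        switch = nbr[0]
    raise RuntimeError("gave up after %d hops" % max_hops)


if __name__ == "__main__":
    print(trace_mac(fake_run, "CORE", "000d.60cb.445d"))
```

The loop guard matters on real networks: a MAC learned through a looped or flapping topology can otherwise bounce the script between two switches forever. A MAC that is not in the table at all usually means the host has been silent longer than the aging time, so ping it first.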

  • SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs

    Hi,
    after upgrading a 2960 switch to the latest IOS release (c2960-lanbasek9-mz.150-2.SE5.bin) I have a problem with DHCP snooping. These messages pop up:
    04264: Mar 25 21:53:09: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 8.([30f7.0dad.a5d9/10.11.8.29/0026.cb33.10ff/10.11.8.1/21:53:09 CET Tue Mar 25 2014])
    004265: Mar 25 21:53:11: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/20, vlan 8.([d48c.b527.f1ec/10.11.8.47/0026.cb33.10ff/10.11.8.1/21:53:10 CET Tue Mar 25 2014])
    004266: Mar 25 21:53:14: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/24, vlan 3.([c84c.75a9.8bee/10.11.3.6/0000.0000.0000/10.11.3.1/21:53:13 CET Tue Mar 25 2014])
    The 2960 switch is connected to the distribution switch 4509, and I cleared all MAC address tables, ARP tables, clear ip dhcp binding, snooping, everything (on both access and distribution).... shut down the port, reset the switch, but I am still receiving those messages.
    VLAN 8 is the voice VLAN - Cisco phones...
    The DHCP server is the 4509 distribution switch...
    example - port config:
    interface FastEthernet0/20
     switchport access vlan 31
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 8
     switchport port-security maximum 3
     switchport port-security
     switchport port-security aging time 10
     switchport port-security violation restrict
     switchport port-security aging type inactivity
     ip arp inspection limit rate 50
     srr-queue bandwidth share 10 10 60 20
     priority-queue out 
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone 
     spanning-tree portfast
     spanning-tree bpduguard enable
     service-policy input AutoQoS-Police-CiscoPhone
    Now the port is running with "ip arp inspection trust" so the user can access the network (but that is no solution)....
    So what else can I do, how do I clear those DHCP_SNOOPING_DENY messages?
    Regards,
    Ivan

    Just updated with the other IOS c2960-lanbasek9-mz.150-2.SE4.bin and everything works OK.
    Again upgraded to the newest one c2960-lanbasek9-mz.150-2.SE5.bin and again the same message appears.
     4264: Mar 25 21:53:09: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 8.([30f7.0dad.a5d9/10.11.8.29/0026.cb33.10ff/10.11.8.1/21:53:09 CET Tue Mar 25 2014])
    004265: Mar 25 21:53:11: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/20, vlan 8.([d48c.b527.f1ec/10.11.8.47/0026.cb33.10ff/10.11.8.1/21:53:10 CET Tue Mar 25 2014
    Upgrade to 150-2.SE4.bin and everything works OK...
    Strange :-)
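Each DHCP_SNOOPING_DENY line already carries everything needed to triage it: the sender MAC and IP DAI refused, the target, the port and VLAN. Comparing those against `show ip dhcp snooping binding` tells you whether a host has no binding (which is what a cleared binding database or an expired lease looks like), a binding under a different MAC (a spoofed or re-addressed host), or a matching binding (in which case the host is innocent and the switch is the suspect). The following is an added example and not part of Ivan's thread: it parses the three messages quoted above and a binding table that is constructed for the example, with made-up bindings for 10.11.8.47 and 10.11.3.6 and none for 10.11.8.29.

```python
import re

DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) on "
    r"(?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)")

# The three messages quoted in the question.
SAMPLE_LOG = [
    "04264: Mar 25 21:53:09: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 8.([30f7.0dad.a5d9/10.11.8.29/0026.cb33.10ff/10.11.8.1/21:53:09 CET Tue Mar 25 2014])",
    "004265: Mar 25 21:53:11: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/20, vlan 8.([d48c.b527.f1ec/10.11.8.47/0026.cb33.10ff/10.11.8.1/21:53:10 CET Tue Mar 25 2014])",
    "004266: Mar 25 21:53:14: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/24, vlan 3.([c84c.75a9.8bee/10.11.3.6/0000.0000.0000/10.11.3.1/21:53:13 CET Tue Mar 25 2014])",
]

# Constructed 'show ip dhcp snooping binding' output; the bindings are made up for the example.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
D4:8C:B5:27:F1:EC   10.11.8.47       86375       dhcp-snooping  8     FastEthernet0/20
00:AA:BB:CC:DD:EE   10.11.3.6        80000       dhcp-snooping  3     FastEthernet0/24
Total number of bindings: 2
"""


def norm_mac(mac):
    """'D4:8C:B5:27:F1:EC', 'd48c.b527.f1ec' and 'd4-8c-...' all become 'd48c.b527.f1ec'."""
    h = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(h) != 12:
        raise ValueError("bad MAC %r" % mac)
    return "%s.%s.%s" % (h[:4], h[4:8], h[8:])


def short_if(name):
    """'FastEthernet0/17' -> 'Fa0/17' so log and binding-table spellings compare equal."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", name)


def parse_dai_deny(line):
    m = DAI_DENY.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["count"], d["vlan"] = int(d["count"]), int(d["vlan"])
    d["smac"], d["tmac"] = norm_mac(d["smac"]), norm_mac(d["tmac"])
    return d


def parse_binding_table(text):
    """{ip: (mac, vlan, interface)} from 'show ip dhcp snooping binding' output."""
    bindings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([0-9A-Fa-f:]{17})\s+([\d.]+)\s+\S+\s+\S+\s+(\d+)\s+(\S+)", line)
        if m:
            bindings[m.group(2)] = (norm_mac(m.group(1)), int(m.group(3)), m.group(4))
    return bindings


def triage(event, bindings):
    """Classify one deny against the binding table: (code, explanation)."""
    b = bindings.get(event["sip"])
    if b is None:
        return ("no-binding", "no snooping binding for %s: static host, lease expired, or binding "
                "lost (cleared database or switch reload)" % event["sip"])
    mac, vlan, intf = b
    if mac != event["smac"]:
        return ("mac-mismatch", "%s is bound to %s but the ARP came from %s: spoofed or re-addressed host"
                % (event["sip"], mac, event["smac"]))
    if vlan != event["vlan"] or short_if(intf) != short_if(event["intf"]):
        return ("port-mismatch", "bound on vlan %d %s, ARP seen on vlan %d %s"
                % (vlan, intf, event["vlan"], event["intf"]))
    return ("binding-ok", "sender matches its binding; look at the switch software, not the host")


def triage_log(lines, bindings):
    out = []
    for line in lines:
        ev = parse_dai_deny(line)
        if ev:
            code, why = triage(ev, bindings)
            out.append((ev["intf"], ev["sip"], code, why))
    return out


if __name__ == "__main__":
    for intf, sip, code, why in triage_log(SAMPLE_LOG, parse_binding_table(SAMPLE_BINDINGS)):
        print("%-7s %-12s %-13s %s" % (intf, sip, code, why))
```

Hosts that legitimately have no binding (statically addressed phones, printers, servers) should get an `ip source binding` entry or an ARP ACL rather than a trusted port, since trusting the port switches DAI off for everything behind it.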
