Solved

Strange VLAN / DHCP / IP Address issue....

Posted on 2006-11-14
Last Modified: 2010-03-18
OK, I'll do my best here to prevent tons of unnecessary questions :)

ENVIRONMENT:
--------

DHCP Server
OS: Windows 2003 Server - Standard - R2
IP Address: 10.199.25.14

Scope 1: 10.199.28.0 / 24
Scope 2: 10.199.29.0 / 24
Scope 3: 10.199.30.0 / 24
Scope 4: 10.199.31.0 / 24
Scope 5: 10.199.32.0 / 24

DHCP Server is assigned to VLAN 100

-------

Distribution Switch: Catalyst 4506

VLAN 100 - 10.199.25.0 / 24 - Infrastructure Servers

VLAN 101 - 10.199.28.0 / 24 - Developer
VLAN 102 - 10.199.29.0 / 24 - QA
VLAN 103 - 10.199.30.0 / 24 - Operations
VLAN 104 - 10.199.31.0 / 24 - Tech Support
VLAN 105 - 10.199.32.0 / 24 - General Users

IP Helper Address: 10.199.25.14 (assigned to VLANs 101-105)

----


Pretty straightforward, eh? VLAN 100 is for all my infrastructure
servers. The remaining VLANs handle all the user segments. All works
well. Desktops/laptops get their appropriate IP address based on the
VLAN they are assigned to and the scope that is associated with that
VLAN's subnet.


Now, here is where the problem crops up:


1. Laptop A in VLAN 101 currently has an IP address of 10.199.28.50.
All is well.

2. User has a meeting and takes Laptop A, shuts down the OS. He walks up
to the 15th floor, plugs into another port that is assigned to VLAN 102
(10.199.29.0 / 24).

3. User boots up Laptop A, and it still gets his old IP address of
10.199.28.50 from VLAN 101.

4. I run an ipconfig /release. I get 0.0.0.0 (expected response).

5. I run an ipconfig /renew and I STILL GET 10.199.28.50 from VLAN 101,
although I'm plugged into a port that is assigned to VLAN 102
(10.199.29.0 / 24).


How is the laptop able to get an IP address from a VLAN that he is
not physically/logically connected to? He is connected to VLAN 102
(10.199.29.0 / 24) but gets his old IP address from VLAN 101
(10.199.28.0 / 24). WTF?

The only way to force the laptop to get a valid IP that corresponds to
the current VLAN/subnet it's connected to is to exclude its old
address from the DHCP server and then do an ipconfig /release and
/renew. Only then is it forced to get a new IP address that corresponds
to its current VLAN/subnet.

It looks like the DHCP requests are somehow spanning or being
broadcast across multiple VLANs, thus it's getting to the DHCP server
and allowing it to give the laptop its old IP address, although the
request came from a completely different VLAN/subnet than its old IP
address.


I have looked EVERYWHERE on the internet for similar issues, and while
I found a few similar posts, the issue always turned out to be
something like the person didn't have IP helper assigned properly or
the DHCP server was having issues, yada yada.

Any help is greatly appreciated as this problem is starting to become
an issue as users tend to move around the office quite frequently.

TIA!

-omar

Question by: jptech49
Expert Comment by: Steve Knight
Odd. You could run up DHCPLOC.EXE from the resource kit on a machine on the same VLAN (not the dhcp server!) to watch the broadcasts and what is going on.  Also check the dhcp logs on the dhcp server.  It could be it is never actually hitting the dhcp server?

Steve
Expert Comment by: Steve Knight
Next silly question: does that port really work on the other subnet OK...
Author Comment by: jptech49
Yes, everything works on the ports in question.

But I think I figured out the issue. One thing I did not indicate is that the USER scopes are under a single Superscope. I thought Superscopes were just a simple way to organize your scopes.

Apparently not.

By definition (from MS) a Superscope is used for multinetting, and essentially tells the DHCP server that all scopes within the Superscope are part of the same "physical segment". Thus what I think is happening is that the DHCP server is ignoring the fact that the new client DHCP request is coming from a different VLAN/subnet. Since it's being told that VLAN 101 and VLAN 102 are part of the same "physical segment", it is allowing the client to receive his old address even though the request clearly came from a different VLAN.

I removed the superscope and am doing some testing today to see if it's fixed.

-omar
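The superscope behaviour omar describes above, and the "old address from the wrong VLAN" symptom in the original question, modelled as an added example. This is not code from the thread or from Windows DHCP; it is a toy scope-selection routine that shows why grouping the five user scopes into one superscope lets a relayed request from VLAN 102 be answered with a VLAN 101 address, and why excluding the old address forces a fresh lease. It assumes (my assumptions, not stated in the thread) that the 4506 SVI relaying the request stamps giaddr with the .1 address of the VLAN's subnet, that the client's DHCPDISCOVER after release/renew carries its previous address as an option 50 hint, and that each scope's pool starts at .10; the MAC address is constructed.

```python
"""Toy model of DHCP scope selection for a relayed request, with and
without a superscope. Added example, not code from the thread.

Assumptions (mine):
  * the relaying SVI sets giaddr to the .1 address of the VLAN subnet
    (10.199.29.1 for VLAN 102);
  * after ipconfig /release + /renew the DHCPDISCOVER carries the old
    address in option 50 (Requested IP Address);
  * each scope hands out .10 upwards, leaving .1-.9 for static use.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Scope:
    name: str
    network: IPv4Network
    excluded: set = field(default_factory=set)   # IPv4Address values excluded from the pool
    leases: dict = field(default_factory=dict)   # mac -> IPv4Address
    first_offset: int = 10                       # pool starts at .10 (assumption)

    def usable(self, ip, mac):
        """Can `ip` be offered to `mac` from this scope?"""
        if ip not in self.network or ip in self.excluded:
            return False
        if ip in (self.network.network_address, self.network.broadcast_address):
            return False
        owner = next((m for m, a in self.leases.items() if a == ip), None)
        return owner is None or owner == mac

    def allocate(self, mac):
        """Lowest free pool address, or None if the scope is exhausted."""
        for i in range(self.first_offset, self.network.num_addresses - 1):
            ip = self.network.network_address + i
            if self.usable(ip, mac):
                return ip
        return None


@dataclass
class DhcpServer:
    scopes: list
    superscope: frozenset = frozenset()   # names of scopes grouped into one superscope

    def candidate_scopes(self, giaddr):
        """Scopes the server treats as 'the segment this request came from'."""
        direct = [s for s in self.scopes if giaddr in s.network]
        if not any(s.name in self.superscope for s in direct):
            return direct
        # Superscope semantics: every member scope counts as the same physical
        # segment, so the client's old subnet is an acceptable answer too.
        direct_names = {s.name for s in direct}
        members = [s for s in self.scopes
                   if s.name in self.superscope and s.name not in direct_names]
        return direct + members

    def discover(self, mac, giaddr, requested=None):
        """Handle a relayed DHCPDISCOVER; returns (message, ip, scope name)."""
        giaddr = IPv4Address(giaddr)
        candidates = self.candidate_scopes(giaddr)
        if requested is not None:
            requested = IPv4Address(requested)
            for scope in candidates:      # honour the option 50 hint if any candidate allows it
                if scope.usable(requested, mac):
                    scope.leases[mac] = requested
                    return ("OFFER", str(requested), scope.name)
        for scope in candidates:          # otherwise allocate, giaddr-matching scope first
            ip = scope.allocate(mac)
            if ip is not None:
                scope.leases[mac] = ip
                return ("OFFER", str(ip), scope.name)
        return ("NONE", None, None)       # no matching scope, or all exhausted


def build_server(use_superscope):
    """The five user scopes from the thread, optionally under one superscope."""
    scopes = [Scope(f"VLAN{vlan}", IPv4Network(f"10.199.{octet}.0/24"))
              for vlan, octet in ((101, 28), (102, 29), (103, 30), (104, 31), (105, 32))]
    members = frozenset(s.name for s in scopes) if use_superscope else frozenset()
    return DhcpServer(scopes, members)


def laptop_moves(use_superscope, exclude_old=False):
    """Laptop A holds 10.199.28.50 on VLAN 101, then does release/renew on a VLAN 102 port."""
    server = build_server(use_superscope)
    mac = "00:13:ce:12:34:56"                                   # constructed MAC
    server.scopes[0].leases[mac] = IPv4Address("10.199.28.50")  # existing lease on VLAN 101
    if exclude_old:                                             # the workaround from the question
        server.scopes[0].excluded.add(IPv4Address("10.199.28.50"))
    return server.discover(mac, giaddr="10.199.29.1", requested="10.199.28.50")


if __name__ == "__main__":
    print("plain scopes:          ", laptop_moves(False))
    print("superscope:            ", laptop_moves(True))
    print("superscope + exclusion:", laptop_moves(True, exclude_old=True))
```

With plain scopes the only candidate for giaddr 10.199.29.1 is the VLAN 102 scope, the hint 10.199.28.50 is rejected and the laptop gets 10.199.29.10. With all five scopes in one superscope the VLAN 101 scope becomes a candidate as well, the hint is honoured and the laptop keeps 10.199.28.50, which is exactly the symptom in the question; excluding the old address from the VLAN 101 scope is the one thing that makes the hint unusable and pushes the client back to the giaddr-matching scope.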
Expert Comment by: Steve Knight
Ah well yes that wouldn't help... that's right.  Good luck then!  Superscopes are rarely needed IMHO, always best to keep it to normal scopes for your sanity.
Expert Comment by: Steve Knight
Asker fixed the problem and explained why so PAQ, refund I suppose....
Accepted Solution by: Computer101
PAQed with points refunded (500)

Computer101
EE Admin