
Cisco DHCP Server - Problem & Answer

14 years 8 months ago #33748 by apit
Hi..
Currently I'm using a Cisco distribution switch to distribute IPs to all PCs. The configuration is attached below:

ip dhcp excluded-address 172.21.10.1 172.21.10.50
ip dhcp excluded-address 172.21.10.240 172.21.10.254

!
ip dhcp pool 10
network 172.21.10.0 255.255.255.0
default-router 172.21.10.254
dns-server 172.21.1.100
netbios-name-server 172.21.1.101
lease 30
!


When issuing the command "sh ip dhcp binding", the output shown is:

172.21.10.2 0100.13d3.3bc4.71 Mar 25 2010 06:56 AM Automatic
172.21.10.51 0100.14c2.c572.7a Mar 25 2010 07:26 AM Automatic
172.21.10.52 0100.237d.b70f.36 Mar 25 2010 07:28 AM Automatic
172.21.10.53 0014.38e5.c7fa Infinite Automatic
172.21.10.54 0100.2100.03d6.3f Mar 25 2010 07:31 AM Automatic
172.21.10.55 0100.14c2.cc74.03 Mar 25 2010 07:42 AM Automatic


My questions:

1- Why is the lease time infinite for the PC using IP 172.21.10.53? According to the configuration, the lease time is set to 30 days only.

2- The default-router IP is 172.21.10.254. One of the users has set this IP manually on his PC. How can I prevent it?

tq
14 years 8 months ago #33775 by krik
1) Probably one of your clients is using BOOTP instead of DHCP. I may disregard BOOTP by issuing the following command "ip dhcp bootp ignore" but then the client won't get an IP anymore...

2) I don't know of any way to prevent someone from "stealing" an IP except by company policy, disabling access to network settings (fire the employee as an example :wink: )...

Christophe Lemaire
www.exp-networks.be/blog/
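
As an added example (not part of the original posts): a Python sketch that parses the "sh ip dhcp binding" output quoted in the question and flags the infinite-lease entry that answer 1 attributes to BOOTP. It goes slightly beyond the thread by also checking each binding against the posted excluded-address ranges. The function names are hypothetical, and reading a leading 01 in the second column as the Ethernet type byte of a DHCP client identifier is an assumption.

```python
import ipaddress
import re

# Output of "sh ip dhcp binding", copied from the question in this thread.
BINDINGS = """\
172.21.10.2 0100.13d3.3bc4.71 Mar 25 2010 06:56 AM Automatic
172.21.10.51 0100.14c2.c572.7a Mar 25 2010 07:26 AM Automatic
172.21.10.52 0100.237d.b70f.36 Mar 25 2010 07:28 AM Automatic
172.21.10.53 0014.38e5.c7fa Infinite Automatic
172.21.10.54 0100.2100.03d6.3f Mar 25 2010 07:31 AM Automatic
172.21.10.55 0100.14c2.cc74.03 Mar 25 2010 07:42 AM Automatic
"""
# Ranges from the posted "ip dhcp excluded-address" lines.
EXCLUDED = [("172.21.10.1", "172.21.10.50"), ("172.21.10.240", "172.21.10.254")]
LINE = re.compile(r"^(?P<ip>\d+(?:\.\d+){3})\s+(?P<cid>[0-9a-f.]+)\s+"
                  r"(?P<expiry>.+?)\s+(?P<kind>Automatic|Manual)$", re.I)

def decode_client(cid):
    """Return (mac, has_client_id) for the second column of a binding."""
    digits = cid.replace(".", "").lower()
    # Assumption: 01 + 6 bytes = DHCP client identifier (type 01 is Ethernet).
    has_cid = len(digits) == 14 and digits.startswith("01")
    mac = digits[2:] if has_cid else digits
    return ":".join(mac[i:i + 2] for i in range(0, len(mac), 2)), has_cid

def in_excluded(ip):
    return any(ipaddress.ip_address(lo) <= ipaddress.ip_address(ip)
               <= ipaddress.ip_address(hi) for lo, hi in EXCLUDED)

def audit(text):
    """Parse binding lines and attach review flags to each entry."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header or blank line
        mac, has_cid = decode_client(m["cid"])
        flags = []
        if m["expiry"].lower() == "infinite":
            flags.append("infinite-lease")     # binding never expires
        if not has_cid:
            flags.append("no-client-id")       # bare hardware address only
        if in_excluded(m["ip"]):
            flags.append("in-excluded-range")  # address the config excludes
        findings.append({"ip": m["ip"], "mac": mac, "flags": flags})
    return findings

if __name__ == "__main__":
    print(*audit(BINDINGS), sep="\n")
```

On the posted output, 172.21.10.53 is the only entry with an infinite lease and no client identifier, and 172.21.10.2 falls inside the first excluded range.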
14 years 8 months ago #33778 by apit

1) Probably one of your clients is using BOOTP instead of DHCP. I may disregard BOOTP by issuing the following command "ip dhcp bootp ignore" but then the client won't get an IP anymore...

2) I don't know of any way to prevent someone from "stealing" an IP except by company policy, disabling access to network settings (fire the employee as an example :wink: )...


1- How is the client using BOOTP? Is it done at the switch or on the client side?

2- He3... firing the employee is the best solution
14 years 8 months ago #33793 by krik

1- How is the client using BOOTP? Is it done at the switch or on the client side?


The client chooses the protocol it wants to use. Maybe an old server?

2- He3... firing the employee is the best solution

You could also kill him but it is less legal... ;-)

Christophe Lemaire
www.exp-networks.be/blog/
14 years 8 months ago #33795 by FlipRich




2- The default-router IP is 172.21.10.254. One of the users has set this IP manually on his PC. How can I prevent it?

tq



I've never had this issue before but have you tried manually binding the IP to the server's MAC?

You can also lock down the user's privileges using a GPO in Active Directory to keep them from making any changes.

Rich
Network Engineer /CCNP, CCNA-S
Tallahassee, FL
14 years 8 months ago #33802 by S0lo

2- The default-router IP is 172.21.10.254. One of the users has set this IP manually on his PC. How can I prevent it?


If his PC is Windows-based, he probably also set his own static IP. You can't prevent this if he is a local administrator of his PC; you can if he is a limited user. Furthermore, I'm wondering what he used for a gateway IP other than yours. Doing so, he would probably only have access to his local subnet!! :?

If your switch supports it, you can try to configure the IP Source Guard feature. This will automatically create an ACL that will filter traffic based on the source IP address. As far as I know, it can be configured to block IPs that were not issued by DHCP. More here:

www.cisco.com/en/US/docs/switches/lan/ca...hcp82.html#wp1284567

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx