#1

Ok, I'll do my best here to prevent tons of unnecessary questions

ENVIRONMENT:
--------
DHCP Server
OS: Windows 2003 Server - Standard - R2
IP Address: 10.199.25.14
Scope 1: 10.199.28.0 / 24
Scope 2: 10.199.29.0 / 24
Scope 3: 10.199.30.0 / 24
Scope 4: 10.199.31.0 / 24
Scope 5: 10.199.32.0 / 24
DHCP Server is assigned to VLAN 100
-------
Distribution Switch: Catalyst 4506
VLAN 100 - 10.199.25.0 / 24 - Infrastructure Servers
VLAN 101 - 10.199.28.0 / 24 - Developer
VLAN 102 - 10.199.29.0 / 24 - QA
VLAN 103 - 10.199.30.0 / 24 - Operations
VLAN 104 - 10.199.31.0 / 24 - Tech Support
VLAN 105 - 10.199.32.0 / 24 - General Users
IP Helper Address: 10.199.25.14 (assigned to VLANs 101-105)
----

Pretty straightforward ey? VLAN 100 is for all my infrastructure servers. The remaining VLANs handle all the user segments. All works well. Desktops/Laptops get their appropriate IP address based on the VLAN they are assigned to and the Scope that is associated with a VLAN's subnet.

Now, here is where the problem crops up:

1. Laptop A in VLAN 101 currently has an IP address of 10.199.28.50. All is well.
2. User has a meeting and takes Laptop A, shuts down the OS. He walks up to the 15th floor, plugs into another port that is assigned on VLAN 102 (10.199.29.0 / 24)
3. User boots up Laptop A, and it still gets his old IP address of 10.199.28.50 from VLAN 101.
4. I run an ipconfig /release. I get 0.0.0.0 (expected response)
5. I run an ipconfig /renew and I STILL GET 10.199.28.50 from VLAN 101, although I'm plugged into a port that is assigned to VLAN 102 (10.199.29.0 / 24).

How is the Laptop able to get an IP address from a VLAN that he is not physically/logically connected to? He is connected to VLAN 102 (10.199.29.0 / 24) but gets his old IP address from VLAN 101 (10.199.28.0 / 24). WTF?

The only way to force the laptop to get a valid IP that corresponds to the current VLAN/subnet it's connected to, is to exclude its old address from the DHCP Server and then do an ipconfig /release and /renew. Only then is it forced to get a new IP address that corresponds to its current VLAN/subnet.

It looks like the DHCP requests are somehow spanning or being broadcasted across multiple VLANs, thus it's getting to the DHCP server and allowing it to give the laptop its old IP address, although the request came from a completely different VLAN/subnet than its old IP address.

I have looked EVERYWHERE on the internet for similar issues, and while I found a few similar posts, the issue always turned out to be something like the person didn't have IP helper assigned properly or the DHCP server was having issues, yada yada.

Any help is greatly appreciated as this problem is starting to become an issue as users tend to move around the office quite frequently.

TIA!

-omar

#2

Omar explained :
> Ok, I'll do my best here to prevent tons of unnecessary questions
>
> ENVIRONMENT:
> --------
> DHCP Server
> OS: Windows 2003 Server - Standard - R2
> IP Address: 10.199.25.14
> Scope 1: 10.199.28.0 / 24
> Scope 2: 10.199.29.0 / 24
> Scope 3: 10.199.30.0 / 24
> Scope 4: 10.199.31.0 / 24
> Scope 5: 10.199.32.0 / 24
> DHCP Server is assigned to VLAN 100
> -------
> Distribution Switch: Catalyst 4506
> VLAN 100 - 10.199.25.0 / 24 - Infrastructure Servers
> VLAN 101 - 10.199.28.0 / 24 - Developer
> VLAN 102 - 10.199.29.0 / 24 - QA
> VLAN 103 - 10.199.30.0 / 24 - Operations
> VLAN 104 - 10.199.31.0 / 24 - Tech Support
> VLAN 105 - 10.199.32.0 / 24 - General Users
> IP Helper Address: 10.199.25.14 (assigned to VLANs 101-105)
> ----
> Pretty straightforward ey? VLAN 100 is for all my infrastructure
> servers. The remaining VLANs handle all the user segments. All works
> well. Desktops/Laptops get their appropriate IP address based on the
> VLAN they are assigned to and the Scope that is associated with a
> VLAN's subnet.
> Now, here is where the problem crops up:
> 1. Laptop A in VLAN 101 currently has an IP address of 10.199.28.50.
> All is well.
> 2. User has a meeting and takes Laptop A, shuts down the OS. He walks up
> to the 15th floor, plugs into another port that is assigned on VLAN 102
> (10.199.29.0 / 24)
> 3. User boots up Laptop A, and it still gets his old IP address of
> 10.199.28.50 from VLAN 101.
> 4. I run an ipconfig /release. I get 0.0.0.0 (expected response)
> 5. I run an ipconfig /renew and I STILL GET 10.199.28.50 from VLAN 101,
> although I'm plugged into a port that is assigned to VLAN 102
> (10.199.29.0 / 24).
> How is the Laptop able to get an IP address from a VLAN that he is
> not physically/logically connected to? He is connected to VLAN 102
> (10.199.29.0 / 24) but gets his old IP address from VLAN 101
> (10.199.28.0 / 24). WTF?
> The only way to force the laptop to get a valid IP that corresponds to
> the current VLAN/subnet it's connected to, is to exclude its old
> address from the DHCP Server and then do an ipconfig /release and
> /renew. Only then is it forced to get a new IP address that corresponds
> to its current VLAN/subnet.
> It looks like the DHCP requests are somehow spanning or being
> broadcasted across multiple VLANs, thus it's getting to the DHCP server
> and allowing it to give the laptop its old IP address, although the
> request came from a completely different VLAN/subnet than its old IP
> address.
> I have looked EVERYWHERE on the internet for similar issues, and while
> I found a few similar posts, the issue always turned out to be
> something like the person didn't have IP helper assigned properly or
> the DHCP server was having issues, yada yada.
> Any help is greatly appreciated as this problem is starting to become
> an issue as users tend to move around the office quite frequently.
> TIA!
> -omar

I gather there is no routing being done between VLANs?

I think that there is indeed a broadcast from the client but it is answered by the original DHCP server (=by design) which indicates that server (and thus the server's VLAN) can receive broadcasts from any subnet

grtz

#3

"Omar" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> How is the Laptop able to get an IP address from a VLAN that he is
> not physically/logically connected to? He is connected to VLAN 102
> (10.199.29.0 / 24) but gets his old IP address from VLAN 101
> (10.199.28.0 / 24). WTF?

1. Setup looks great, but where is the LAN Router to route between the segments? Giving us brand and model numbers doesn't help,...I haven't memorized everyone's products and what each model can do :-)

2. Just a guess, but, your Switch ports may be statically set to a certain VLAN, but dynamically (frame tagging) able to exist on any subnet,...so the laptop even though moved to a new switch port is still technically on the same segment as before because the switch port is capable of "servicing" multiple segments (1 static, but multiple dynamically [tagging]). This can "confuse" the DHCP server so that it does not understand what segment the "query" actually came from,...and since DHCP Clients always request the same IP Config they had last time,...whala,...it gets the same Config instead of being denied and being forced to get a new Config.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------

#4

1. There is no router needed because the VLANs exist on the Catalyst 4506 distribution switch, which is layer three and handles the routing between VLANs internally. No router needed.

2. I believe I figured out what the issue is:

One thing I did not indicate is that the USER scopes are under a single SuperScope on the DHCP Server. I thought Superscopes were just a simple way to organize your scopes.

Apparently not.

By definition (from Microsoft) a Superscope is used for multi-netting, and essentially tells the DHCP server that all scopes within the Superscope are part of the same "physical segment". Thus what I think is happening is that the DHCP server is ignoring the fact that the new client DHCP request is coming from a different VLAN/subnet. Since it's being told that all the Scopes exist on the same physical segment, he is essentially ignoring the "giaddr" or "source address" from the source VLAN that the client DHCP request is coming from, thus essentially allowing the client to receive his old address even though the request clearly came from a different VLAN.

I removed the superscope and am doing some testing today to see if it's fixed.

cheers!

-omar

Phillip Windell wrote:
> "Omar" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
> > How is the Laptop able to get an IP address from a VLAN that he is
> > not physically/logically connected to? He is connected to VLAN 102
> > (10.199.29.0 / 24) but gets his old IP address from VLAN 101
> > (10.199.28.0 / 24). WTF?
>
> 1. Setup looks great, but where is the LAN Router to route between the
> segments? Giving us brand and model numbers doesn't help,...I haven't
> memorized everyone's products and what each model can do :-)
> 2. Just a guess, but, your Switch ports may be statically set to a certain
> VLAN, but dynamically (frame tagging) able to exist on any subnet,...so the
> laptop even though moved to a new switch port is still technically on the
> same segment as before because the switch port is capable of "servicing"
> multiple segments (1 static, but multiple dynamically [tagging]). This can
> "confuse" the DHCP server so that it does not understand what segment the
> "query" actually came from,...and since DHCP Clients always request the same
> IP Config they had last time,...whala,...it gets the same Config instead of
> being denied and being forced to get a new Config.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> The views expressed are my own (as annoying as they are), and not those of
> my employer or anyone else associated with me.
> -----------------------------------------------------
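
Added example, not part of the thread and not Windows DHCP code: a simplified Python model of the scope selection described in post #4, using the thread's scopes. It builds a constructed relayed DHCPREQUEST, reads `giaddr` and option 50 (requested address) from it, and shows the answer with and without a superscope. The relay address 10.199.29.1 for VLAN 102 and all function names are assumptions made for the illustration.

```python
import ipaddress
import struct

# Scopes from the thread: one /24 per user VLAN (101-105).
SCOPES = [ipaddress.ip_network(f"10.199.{n}.0/24") for n in range(28, 33)]
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def build_request(giaddr, requested_ip):
    """Constructed sample: a relayed DHCPREQUEST asking for requested_ip (option 50)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1, 0x1234ABCD, 0, 0,          # op, htype, hlen, hops, xid, secs, flags
        bytes(4), bytes(4), bytes(4),          # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,   # giaddr: filled in by the relay (ip helper)
        bytes(16), bytes(64), bytes(128))      # chaddr, sname, file
    opts = b"\x35\x01\x03" + b"\x32\x04" + ipaddress.ip_address(requested_ip).packed
    return header + MAGIC + opts + b"\xff"

def parse_request(pkt):
    """Return (giaddr, requested_ip or None) from a raw DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    giaddr, requested, i = ipaddress.ip_address(pkt[24:28]), None, 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        if pkt[i] == 50 and pkt[i + 1] == 4:   # option 50 = requested IP address
            requested = ipaddress.ip_address(pkt[i + 2:i + 6])
        i += 2 + pkt[i + 1]
    return giaddr, requested

def answer(pkt, superscope):
    """Simplified model: in a superscope every member scope counts as the relay's segment."""
    giaddr, requested = parse_request(pkt)
    home = next((s for s in SCOPES if giaddr in s), None)
    if home is None:
        raise LookupError("no scope for relay subnet")
    eligible = SCOPES if superscope else [home]
    if requested is not None and any(requested in s for s in eligible):
        return requested                       # the old address is accepted
    return home[10]                            # stand-in for "next free address in scope"

def crosses_segment(pkt, address):
    """Audit check: True if the handed-out address is outside the relay's subnet."""
    giaddr, _ = parse_request(pkt)
    return not any(giaddr in s and address in s for s in SCOPES)
```

The same `crosses_segment` comparison can be run over exported lease and relay pairs to find clients holding an address that does not belong to the VLAN they are plugged into.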

#5

"Omar" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> 1. There is no router needed because the VLANs exist on the Catalyst
> 4506 distribution switch, which is layer three and handles the routing
> between VLANs internally. No router needed.

A Layer3 Switch is a Router,...that is what I needed to know.

> 2. I believe I figured out what the issue is:
> One thing I did not indicate is that the USER scopes are under a single
> SuperScope on the DHCP Server. I thought Superscopes were just a simple
> way to organize your scopes.
> Apparently not.

I don't think there is any such thing as a User Scope,..a Scope is just a Scope.
But you're right, that is not what Superscopes are for,..they are for multi-nets,...and they will cause exactly what you were experiencing.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------

#6

> I don't think there is any such thing as a User Scope,..a Scope is just a
> Scope.

Nah, what I meant was my scopes that I set up for my users (desktops/laptops). Not implying that "user scope" was a "type" of scope. :-)

cheers!

-omar

Phillip Windell wrote:
> "Omar" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
> > 1. There is no router needed because the VLANs exist on the Catalyst
> > 4506 distribution switch, which is layer three and handles the routing
> > between VLANs internally. No router needed.
>
> A Layer3 Switch is a Router,...that is what I needed to know.
>
> > 2. I believe I figured out what the issue is:
> > One thing I did not indicate is that the USER scopes are under a single
> > SuperScope on the DHCP Server. I thought Superscopes were just a simple
> > way to organize your scopes.
> > Apparently not.
>
> I don't think there is any such thing as a User Scope,..a Scope is just a
> Scope.
> But you're right, that is not what Superscopes are for,..they are for
> multi-nets,...and they will cause exactly what you were experiencing.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> The views expressed are my own (as annoying as they are), and not those of
> my employer or anyone else associated with me.
> -----------------------------------------------------

#7

<Roberto Valfredini> wrote in message news:(E-Mail Removed)...
> I am using a superscope in Win2000 DHCP , should a normal scope solve the
> problem .
> I cannot test the config until next week ... do anybody face the same
> problem and solved it ?

Get rid of the Superscope.
Use one single, independent, normal Scope for each IP Segment.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------

#8

Yup, get rid of the superscope. They are used for multi-netting and will cause your DHCP server to ignore the VLAN identifier in the DHCP request header from the client, ultimately allowing the client to get its original IP address from the previous VLAN it was connected to.

Look up at my last post for a definition of SuperScopes.

good luck.

-omar

Phillip Windell wrote:
> <Roberto Valfredini> wrote in message
> news:(E-Mail Removed)...
> > I am using a superscope in Win2000 DHCP , should a normal scope solve the
> > problem .
> > I cannot test the config until next week ... do anybody face the same
> > problem and solved it ?
>
> Get rid of the Superscope.
> Use one single, independent, normal Scope for each IP Segment.
>
> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
> The views expressed are my own (as annoying as they are), and not those of
> my employer or anyone else associated with me.
> -----------------------------------------------------

#9

I wish more people knew that.
I'd bet that over 50% of "DHCP questions" are exactly this issue. I ought to have a "canned reply" for this one by now.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------

"Omar" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Yup, get rid of the superscope. They are used for multi-netting and will
> cause your DHCP server to ignore the VLAN identifier in the DHCP
> request header from the client, ultimately allowing the client to get
> its original IP address from the previous VLAN it was connected to.
>
> Look up at my last post for a definition of SuperScopes.
>
> good luck.
>
> -omar
>
> Phillip Windell wrote:
>> <Roberto Valfredini> wrote in message
>> news:(E-Mail Removed)...
>> > I am using a superscope in Win2000 DHCP , should a normal scope solve
>> > the
>> > problem .
>> > I cannot test the config until next week ... do anybody face the same
>> > problem and solved it ?
>>
>> Get rid of the Superscope.
>> Use one single, independent, normal Scope for each IP Segment.
>>
>> --
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>>
>> The views expressed are my own (as annoying as they are), and not those
>> of
>> my employer or anyone else associated with me.
>> -----------------------------------------------------