DHCP W2K, flooded


  • DHCP W2K, flooded

    Hi.

    For a week now I have had my DHCP flooded with bad_address and Unique IDs (8 digits, always the same last 6 digits, e.g. xx84a8c0). This makes the pool full and workstations unable to connect to the network.
    I deleted them and they also came back.
    I suspected a rogue DHCP sitting on the network.
    I used dhcploc.exe to trace DHCP requests and only found my DHCP server.
    I did also scan the network for UDP 67 and 68 and found nothing wrong.

    Any ideas on how to resolve this issue?

    Regards

    Anormand

  • #2
    Re: DHCP W2K, flooded

    Are you allowing BOOTP clients to be serviced too? Look at your DHCP properties for the scope and go to the advanced tab.

    Check DHCP tab only.

    Also, do you have JetDirect cards on your LAN? I have had problems in the past with a screaming HP JetDirect card flooding the network.

    If you have less than 50 users, change the lease period down to say 1 hour and monitor the requests coming in.

    Comment


    • #3
      Re: DHCP W2K, flooded

      Hi,

      DHCP only, BootP is disabled.

      Yes, I do have about 15 JetDirects; all of them have static IPs, none of them are DHCP clients.

      I have about 60 users. I am starting to think of moving everything to static IP and keeping DHCP only for visitors.

      I now have 31 bad_address in the Address Leases; all of them have the same digits and are sequential.....

      ex: ab84a8c0, af84a8c0, b184a8c0, b284a8c0, b384a8c0, b484a8c0, b584a8c0, b6, ...... be84a8c0, bf84a8c0, ......, etc

      Any other ideas......

      Regards

      Comment


      • #4
        Re: DHCP W2K, flooded

        Don't discount the JetDirect with their static IP. I had a faulty Lexmark, MarkNet Pro (with a static IP) bring a network to its knees.
        1 1 was a racehorse.
        2 2 was 1 2.
        1 1 1 1 race 1 day,
        2 2 1 1 2

        Comment


        • #5
          Re: DHCP W2K, flooded

          I did review all printers' configuration; I also moved all office PCs from DHCP to fixed IP.

          Still get the same problem.... probably a device (PC or printer) left on DHCP that is doing it.

          I will manually disconnect each device to see which one is causing the problem.

          Do you have any tools or ideas on doing this faster (like a simple tool to find DHCP requests; I already tried dhcploc but with no success)?

          Regards

          Comment


          • #6
            Re: DHCP W2K, flooded

            Install Ethereal http://www.ethereal.com/download.html and see where the traffic is being generated from.
            1 1 was a racehorse.
            2 2 was 1 2.
            1 1 1 1 race 1 day,
            2 2 1 1 2

            Comment


            • #7
              Re: DHCP W2K, flooded

              Hi,

              I did run Ethereal and I found a surprising thing!!!!

              The DHCP request came from 000BCD23BC64; the DHCP server's NIC has 000BCD23BC63.... and in the DHCP MMC it shows as: ab84a8c0, af84a8c0, b184a8c0, b284a8c0... etc.

              I cannot find any NIC on the network with 000BCD23BC64.

              Have you seen something like that.... It seems this W2K server running AD/DC, DNS, WINS, Exchange 2k and DHCP with static IP, no RRAS, it's pooling itself on a virtual MAC ????

              Next step will be to disconnect the server from the network and attach it alone on a small switch to see if the problem persists. If yes, I will probably have to update the driver or the NIC itself.
              The server is a Compaq Proliant DL380 with built-in NIC HP NC7781 Gigabit Server Adapter.

              Any suggestions are welcome

              Regards,

              Comment


              • #8
                Re: DHCP W2K, flooded

                You don't happen to have a 2nd NIC card on the system do you??

                Comment


                • #9
                  Re: DHCP W2K, flooded

                  Will have to check, I am remote to this site now.
                  For sure only one card is in the device manager, only one network connection.

                  Regards

                  Comment


                  • #10
                    Re: DHCP W2K, flooded

                    The HP DL380 server has two built-in NICs. So how come only one is showing up? Even if it's not connected, you should have seen both.
                    Besides those, it has another Ethernet port, for the iLO. I would check also that this port is not mistakenly connected to the net. The default setting for iLO is to request DHCP addresses. This, unless the port is not connected and set up with static IP.

                    Sorin Solomon


                    In order to succeed, your desire for success should be greater than your fear of failure.
                    -

                    Comment
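
As an added example (not code from any poster in this thread), this Python script triages the two observations discussed above: the Unique IDs of the bad_address leases and the MAC seen in the Ethereal capture. It assumes the 8-digit Unique ID is the conflicting IPv4 address written in reversed byte order, and uses the heuristic that ports on one machine often carry consecutive MACs; the function names, the inventory label and `max_gap` are hypothetical.

```python
import ipaddress

def decode_bad_address_id(unique_id: str) -> str:
    """Read an 8-hex-digit Unique ID as an IPv4 address in reversed byte order (assumption)."""
    raw = bytes.fromhex(unique_id)
    if len(raw) != 4:
        raise ValueError(f"expected 8 hex digits, got {unique_id!r}")
    return str(ipaddress.IPv4Address(raw[::-1]))

def mac_to_int(mac: str) -> int:
    """Normalise 000BCD23BC64, 00:0b:cd:23:bc:64 or 00-0B-CD-23-BC-64 to an integer."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

def neighbours_in_inventory(seen_mac, inventory, max_gap=4):
    """List (name, offset) for inventory MACs with the same OUI within max_gap of seen_mac.

    Heuristic (assumption): ports on one board, such as a second NIC or a
    management port, are commonly numbered consecutively at the factory.
    """
    seen = mac_to_int(seen_mac)
    hits = []
    for name, mac in inventory.items():
        known = mac_to_int(mac)
        offset = seen - known
        if seen >> 24 == known >> 24 and 0 < abs(offset) <= max_gap:
            hits.append((name, offset))
    return sorted(hits, key=lambda h: abs(h[1]))

def triage(unique_ids, seen_mac, inventory):
    """Decode the lease IDs, skipping truncated ones, and look for a sibling MAC."""
    decoded, skipped = {}, []
    for uid in unique_ids:
        try:
            decoded[uid] = decode_bad_address_id(uid)
        except ValueError:
            skipped.append(uid)
    return {"addresses": decoded, "skipped": skipped,
            "siblings": neighbours_in_inventory(seen_mac, inventory)}

if __name__ == "__main__":
    ids = ["ab84a8c0", "af84a8c0", "b184a8c0", "b6", "bf84a8c0"]  # values quoted in the thread
    inventory = {"dhcp-server-nic": "000BCD23BC63"}                # MAC quoted in post #7
    print(triage(ids, "000BCD23BC64", inventory))
```

A sibling hit with offset 1 points at another port on the same server rather than at a separate device on the LAN.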
