The online configuration help for the ip dhcp conflict logging configuration command (logging: Record address conflicts in a log file) is one of the more misleading texts I've found in Cisco IOS (and the CCO documentation is not much better). Here's how it actually works ...
If you have configured the ip dhcp ping parameters (ip dhcp ping packets and ip dhcp ping timeout; highly recommended), the router pings the IP address it intends to allocate to a client before replying to the DHCP request. If the router receives an ICMP Echo Reply (a response to the ping), the address is obviously already in use. If DHCP conflict logging is enabled (the default), the router logs the conflict with a syslog message (%DHCPD-4-PING_CONFLICT, not a separate log file) and puts the address on its list of conflicts. Addresses on that list (displayed with show ip dhcp conflict) are never offered again, similar to addresses configured with the ip dhcp excluded-address command. Conflicts detected by the client itself (a DHCPDECLINE sent after the client's gratuitous ARP finds the address in use) end up on the same list, with a detection method of Gratuitous ARP rather than Ping. To reuse a conflicting address, the network operator has to remove it from the list with the clear ip dhcp conflict address (or * for all addresses) command.
DHCP conflict logging makes sense if the router keeps persistent DHCP bindings (stored through what Cisco IOS calls a DHCP database agent, configured with ip dhcp database). Without one, the bindings are lost on reload, and every address allocated before the reload is reported as a conflict as soon as its still-active client answers the ping. If you don't use a database agent, it's thus best to turn conflict logging off with the no ip dhcp conflict logging configuration command. Disabling it loses no DHCP functionality and does not open a window for duplicate address allocation: the router still pings an address before allocating it, and instead of blocking a conflicting address permanently it simply pings it again the next time that address comes up for allocation.
If you don't use a DHCP database agent and don't disable conflict logging (the default setup), you'll have to clear the conflicts manually after every reload, and a large number of blocked conflicting addresses can exhaust the DHCP pool, a self-inflicted denial of service for new clients.
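The two setups described above, side by side, as an added configuration example that is not part of the original post. The pool name, the address ranges, the DNS server and the TFTP host holding the binding database are assumptions; pick the variant that matches whether you keep persistent bindings.

```cisco
! Added example, not from the original post. Pool name, addresses and the
! TFTP host are assumptions.
!
! Variant A: persistent bindings on an external database agent, so conflict
! logging can stay at its default (enabled). Bindings survive a reload and
! leased addresses are not reported as conflicts afterwards.
ip dhcp database tftp://192.0.2.10/dhcp-bindings.txt write-delay 60 timeout 60
ip dhcp ping packets 2
ip dhcp ping timeout 200
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
ip dhcp pool LAN-USERS
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.0.2.53
 lease 0 8
!
! Variant B: no database agent, so conflict logging is disabled. The router
! still pings every address before offering it and simply re-checks a busy
! address the next time round instead of blocking it until someone clears it.
no ip dhcp conflict logging
ip dhcp ping packets 2
ip dhcp ping timeout 200
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
ip dhcp pool LAN-USERS
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.0.2.53
 lease 0 8
!
! Operational checks (exec mode), useful with variant A after a reload or
! when clients start reporting "no address available":
!   show ip dhcp conflict        -> lists blocked addresses and how each was detected
!   show ip dhcp pool            -> watch the leased/available counters for exhaustion
!   clear ip dhcp conflict *     -> release every blocked address at once
```

With variant A, the only time the conflict list should grow is when a real duplicate shows up on the segment, which makes a non-empty show ip dhcp conflict output worth an alert; with variant B the list is never populated, so the pool counters are what to watch instead.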
Note: This article is part of the You've asked for it series.

Good explanation. How does the gratuitous ARP work then in the "show ip dhcp conflict"?
Any inside?
Will check & post.
Just ran into this issue; I imagined how it worked. Great explanation, will disable the conflicts logging, even if it is interesting to know that there was a problem.
There is no timer that could automagically clear the list of bindings (similar to errdisable recovery cause ...)?
Ivan, I've been reading your blog for years; this is my first question. I manage a largish network with 100 sites and about 4000 Cisco devices. For the last 10 years we used a single, centralized ISC DHCP server. Recently, for various reasons too involved to explain here, it has become retarded. In desperation I have enabled DHCP on all our 100 or so 6500s. We are not logging DHCP conflicts, and so far all seems OK. However, I miss the extensive logging we used to obtain with ISC. I was thinking of enabling a DHCP db agent and turning on conflict logging, but your blog post above gives me pause. I've been googling madly and can't find much info on the use of an external DHCP db server, or how to configure it.
Is there a way to obtain more info about the DHCP bindings and clients without having either a single point of failure (the external db server) or worrying about the problems with conflicts you describe above?
TIA,
Steve
:-P :-P :-P :-P
This saved me today, thanks!