IP addresses in a DHCP address pool on S series switch are exhausted


Even if the number of allocatable IP addresses in the address pool exceeds the number of DHCP clients connected to the DHCP server, the address pool resources may still be exhausted in the following situations:
- Many attackers apply for IP addresses or an attacker applies for many IP addresses by changing the CHADDR field in DHCP Discover messages. In this case, configure DHCP snooping.
- The DHCP server ping function has been configured on the DHCP server. This function allows the switch to ping allocated IP addresses before sending DHCP Offer messages. Any reply to the ping packets may cause the DHCP server to consider that an IP address conflict occurs, resulting in exhaustion of address pool resources. To solve this problem, use either of the following methods:
1. Configure port mirroring on the DHCP server to obtain the packet headers, and determine whether address pool exhaustion is caused by the second reason (a client answering the server's ping packets). If yes, disable the corresponding client.
2. Run the undo dhcp server ping packet command to disable the DHCP server ping function.
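The first cause above (one attacker cycling the CHADDR field in DHCP Discover messages) leaves a signature a defender can check for directly: far more distinct client hardware addresses arriving on one access port than that port could legitimately carry. The following Python is an added example, not code from Huawei or from this page: it parses the BOOTP/DHCP header of each Discover, extracts CHADDR, and reports ports whose distinct-CHADDR count exceeds a threshold. The sample frames, port names and the threshold of 4 clients per port are constructed assumptions for the demonstration.

```python
import struct
from collections import defaultdict

# BOOTP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr (16 bytes); sname/file (192 bytes) follow.
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
SNAME_FILE_LEN = 64 + 128
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_END, OPT_PAD = 53, 255, 0
DHCP_DISCOVER = 1


def make_sample_discover(mac: bytes, xid: int) -> bytes:
    """Build a minimal DHCP Discover payload. Constructed test fixture, not a capture."""
    hdr = BOOTP_HDR.pack(1, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"))
    options = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCP_DISCOVER, OPT_END])
    return hdr + b"\0" * SNAME_FILE_LEN + options


def parse_bootp_request(payload: bytes):
    """Return (chaddr as 'aa:bb:..', DHCP message type) or None for non-DHCP payloads."""
    if len(payload) < BOOTP_HDR.size + SNAME_FILE_LEN + len(MAGIC_COOKIE):
        return None
    fields = BOOTP_HDR.unpack_from(payload, 0)
    op, hlen, chaddr = fields[0], fields[2], fields[11]
    if op != 1 or hlen == 0 or hlen > 16:          # BOOTREQUEST with a sane hw length
        return None
    off = BOOTP_HDR.size + SNAME_FILE_LEN
    if payload[off:off + 4] != MAGIC_COOKIE:
        return None
    off += 4
    msg_type = None
    while off < len(payload):                      # walk TLV options until END
        tag = payload[off]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            off += 1
            continue
        length = payload[off + 1]
        if tag == OPT_MSG_TYPE and length == 1:
            msg_type = payload[off + 2]
        off += 2 + length
    return chaddr[:hlen].hex(":"), msg_type


def find_starving_ports(frames, max_clients_per_port=4):
    """frames: iterable of (ingress_port, dhcp_payload). Returns {port: distinct CHADDR count}
    for ports whose distinct Discover CHADDRs exceed the assumed per-port client limit."""
    seen = defaultdict(set)
    for port, payload in frames:
        parsed = parse_bootp_request(payload)
        if parsed is None or parsed[1] != DHCP_DISCOVER:
            continue
        seen[port].add(parsed[0])
    return {p: len(macs) for p, macs in seen.items() if len(macs) > max_clients_per_port}


# Constructed sample traffic: two legitimate clients on one access port, one host
# on another port cycling through 50 CHADDR values (port names are assumptions).
SAMPLE_FRAMES = [
    ("GigabitEthernet0/0/1", make_sample_discover(b"\x00\x11\x22\x33\x44\x55", 0x1001)),
    ("GigabitEthernet0/0/1", make_sample_discover(b"\x00\x11\x22\x33\x44\x66", 0x1002)),
] + [
    ("GigabitEthernet0/0/2", make_sample_discover(bytes([0x02, 0xAA, 0, 0, 0, i]), 0x2000 + i))
    for i in range(50)
]

if __name__ == "__main__":
    print(find_starving_ports(SAMPLE_FRAMES))   # {'GigabitEthernet0/0/2': 50}
```

A port flagged this way is the one that DHCP snooping, with its per-port binding limits, would have rate-limited or blocked; the check is also the cross-check for the ping-function cause, since a port that only ever shows one or two CHADDRs while the pool still drains points at conflict detection rather than at a client flood.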

Other related questions:
Reasons why the DHCP address pool is exhausted on S series switches
If the allocated address pool resources far exceed the number of clients connected to a switch, the following causes may result in address pool exhaustion:
- An attacker sends a large number of DHCP Discover messages by continuously changing the CHADDR field. As a result, the address pool resources are exhausted. In this case, DHCP snooping can be deployed.
- The DHCP server is configured with the DHCP server ping function. With this function, the switch attempts to ping the allocated address before sending the DHCP Offer message. If clients respond to ping packets on the network, the DHCP server may incorrectly determine address conflicts. As a result, the address pool resources are exhausted. There are two solutions:
1. Obtain the packet header through port mirroring on the DHCP server and check whether the determination is correct. If so, the client can be disabled.
2. Disable the DHCP server ping function by using the undo dhcp server ping packet command.

Configure DHCP address pools on S series switch
When functioning as DHCP servers, S series switches (except S1700 switches) support the interface and global address pool configurations.
- Interface address pool: The network segment to which the primary IP address of an interface belongs is an interface address pool. The DHCP server allocates IP addresses only on this network segment to clients connected to the interface.
- Global address pool:
1. If a switch functioning as the DHCP server is on the same network segment as clients (that is, no DHCP relay agent is configured), the switch allocates IP addresses on the same network segment as the primary IP address of the interface connected to clients. If no primary IP address is configured for the interface or no address pool is on the same network segment as the interface's primary IP address, the clients cannot obtain IP addresses.
2. If a switch functioning as the DHCP server is on a different network segment from a DHCP client (that is, a DHCP relay agent is configured), the DHCP server parses the IP address (primary IP address of the first DHCP relay agent's interface) specified in the giaddr field of a DHCP Request packet, and allocates an IP address on the same network segment as the parsed IP address from an address pool to the client. If no address pool matches the parsed IP address, the client cannot obtain an IP address.
When configuring address pools, follow the preceding rules to ensure that clients can obtain IP addresses.

DHCP address pool modes on S series switches
When an S series switch excluding the S1700 functions as the DHCP server, the switch supports the interface-based and global address pools.
- Interface-based address pool: The interface address pool is on the network segment where the primary IP address of an interface is located. The DHCP server can only select and assign IP addresses on that network segment to clients.
- Global address pool:
1. If the DHCP server is on the same network segment as clients (no relay agent is deployed), the DHCP server selects IP addresses in the address pool on the network segment where the primary IP address of the interface connected to clients is located. If the interface is not configured with a primary IP address or no address pool is on the same network segment as the primary IP address, clients cannot request IP addresses.
2. If the DHCP server and clients are on different network segments (a relay agent is deployed), the DHCP server parses the received IP address (the primary IP address of the first interface configured with the relay function) specified by the giaddr field in the DHCP Request message, and selects the address pool on the same network segment as that IP address to assign addresses. If the IP address does not match any address pool, clients cannot request IP addresses.
Follow the preceding rules to ensure that a client can obtain an IP address.
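The two pool-selection descriptions above (under "Configure DHCP address pools on S series switch" and "DHCP address pool modes on S series switches") reduce to one rule: the server keys the lookup on the ingress interface's primary IP when giaddr is 0.0.0.0, and on giaddr itself when a relay agent filled it in, and a client gets nothing when no pool contains that key. The following Python is an added example of that decision, not Huawei's implementation; the mode names "interface" and "global", the argument names and the sample addresses are this example's own assumptions, and it does not model relayed requests arriving at an interface-pool interface, which the text does not describe.

```python
import ipaddress
from typing import Iterable, Optional

UNSET_GIADDR = ipaddress.IPv4Address("0.0.0.0")


def select_pool(mode: str,
                ingress_primary: Optional[str],
                global_pools: Iterable[str],
                giaddr: str = "0.0.0.0") -> Optional[str]:
    """
    mode:            "interface" if the ingress interface uses its interface address pool,
                     "global" if it uses the global address pools (names assumed here).
    ingress_primary: primary IP of the interface the request arrived on, e.g. "10.1.1.1/24",
                     or None if no primary address is configured on it.
    global_pools:    network segments of the configured global address pools.
    giaddr:          giaddr field of the received DHCP message; 0.0.0.0 means no relay agent.
    Returns the segment the server would allocate from, or None if the client gets no address.
    """
    primary = ipaddress.IPv4Interface(ingress_primary) if ingress_primary else None
    relay = ipaddress.IPv4Address(giaddr)

    if mode == "interface":
        # Interface pool: only the segment of the interface's own primary address.
        return str(primary.network) if primary else None

    if relay == UNSET_GIADDR:
        # Server and client share a segment: match on the ingress interface's primary IP.
        if primary is None:
            return None
        key = primary.ip
    else:
        # Relayed request: match on the first relay agent's interface IP carried in giaddr.
        key = relay

    for pool in global_pools:
        net = ipaddress.IPv4Network(pool)
        if key in net:
            return str(net)
    return None


if __name__ == "__main__":
    # Constructed sample configuration: two global pools, clients behind a relay on 10.2.2.0/24.
    pools = ["10.1.1.0/24", "10.2.2.0/24"]
    print(select_pool("global", "10.1.1.1/24", pools))                      # 10.1.1.0/24
    print(select_pool("global", "10.1.1.1/24", pools, giaddr="10.2.2.254"))  # 10.2.2.0/24
    print(select_pool("global", "10.1.1.1/24", pools, giaddr="10.3.3.1"))    # None
```

The None results are the cases the two passages warn about: a missing primary address on the ingress interface, or a giaddr (or interface segment) that no configured pool covers. Checking a planned pool set against the relay interface addresses this way, before deployment, is cheaper than discovering the mismatch from clients that never get a lease.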

Reason why the lease of some addresses in the address pool displays "-" on S series switches
Run the display ip pool [ { interface interface-pool-name | name ip-pool-name } [ start-ip-address [ end-ip-address ] | all | conflict | expired | used ] ] command to check DHCP address pool allocation on S series switches excluding the S1700. You may find that the lease of some addresses displays "-". This is because these addresses are idle, excluded, statically bound, or conflicting addresses, none of which carries a lease.
