Security Basics mailing list archives

Re: mac address issue


From: "Jude Naidoo" <jude007 () jnaidoo fsnet co uk>
Date: Tue, 2 Sep 2003 19:52:47 +0100

Hi Brian

I'm running MetaIP and have had similar problems.
The solution usually was changing the way the client requested a lease or a
mac address that was different in some way that just resulted in the DHCP
server getting its knickers in a twist.

What do your logs say? Sounds like the client is sending out a DHCP request,
your DHCP server is replying with an offer, but the client is sending back
an acknowledgement, but not using the IP address. The DHCP server, though,
has now reserved this IP address with a limited lease time. The client then
sends out another DHCP discover and your DHCP server sends out an offer. This
sometimes causes the DHCP server to hand out loads of addresses, until it
runs out.

The safest thing to do is give that client a static if you don't have the
energy or time to find out why it's behaving the way it is...

I hope this helps.

Jude


----- Original Message ----- 
From: "Brian Whitehead" <brian () whiteheadconsulting com>
To: "Jude Naidoo" <jude007 () jnaidoo fsnet co uk>
Sent: Tuesday, September 02, 2003 6:26 PM
Subject: Re: mac address issue


Everything has been flushed, several times in fact.  The DHCP server is
running on a Netware 6 box.

-- 
Brian


Jude Naidoo said:
Hi Brian

Have you tried flushing the ARP cache on your switch?

What DHCP server are you using?

Jude
----- Original Message -----
From: "Brian Whitehead" <brian () whiteheadconsulting com>
To: <security-basics () securityfocus com>
Sent: Tuesday, September 02, 2003 5:19 PM
Subject: mac address issue


I was wondering if anyone could point me in the right direction.  Lately
we have been having problems with IP duplication.  Looking at the ARP
cache and DHCP logs it looks like either a MAC address spoofing issue or
maybe just a hardware problem.  I'm seeing two different MAC addresses
that appear to take over 20-30 different IPs all at one time causing an
IP conflict and then they are immediately released.  I haven't been able
to find these MAC addresses on any device in the building.  The switches
don't seem to agree either.  One port on the core switch may have it in
its ARP cache, but the switch plugged into that port doesn't.  Nothing
is making a lot of sense.  This has happened once or twice a day for the
last 4-5 days.  If anyone has an idea of what to look at I would
appreciate it.

--
Brian
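
The symptom discussed in this thread, one MAC address being handed many different addresses in a short burst, can be searched for in DHCP server logs. The following is an added example, not part of the original messages: the log line format, the function names and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) line format: "<ISO time> <DHCP message> <ip> <mac>"
LINE = re.compile(
    r"^(\S+) (DHCPOFFER|DHCPACK) (\d+\.\d+\.\d+\.\d+) ([0-9a-f:]{17})$", re.I)

def find_address_hogs(lines, window=timedelta(seconds=60), max_ips=5):
    """Return {mac: peak number of distinct IPs offered/acked inside `window`}
    for every MAC whose peak exceeds max_ips. Lines must be in time order."""
    recent = defaultdict(deque)   # mac -> (time, ip) events, oldest first
    peak = defaultdict(int)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # skip lines that do not match the format
        ts, _, ip, mac = m.groups()
        when, mac = datetime.fromisoformat(ts), mac.lower()
        q = recent[mac]
        q.append((when, ip))
        while q and when - q[0][0] > window:
            q.popleft()           # drop events that fell out of the window
        peak[mac] = max(peak[mac], len({addr for _, addr in q}))
    return {mac: n for mac, n in peak.items() if n > max_ips}

def sample_log():
    """Constructed input: one normal client, one MAC offered 25 IPs in 25 s."""
    base = datetime(2003, 9, 2, 17, 0, 0)
    lines = [
        f"{base.isoformat()} DHCPOFFER 10.0.0.10 00:11:22:33:44:55",
        f"{(base + timedelta(seconds=1)).isoformat()} DHCPACK 10.0.0.10 00:11:22:33:44:55",
    ]
    for i in range(25):
        t = base + timedelta(seconds=30 + i)
        lines.append(f"{t.isoformat()} DHCPOFFER 10.0.0.{100 + i} 02:00:00:00:00:01")
    lines.append("unparseable line, ignored by the parser")
    return lines

if __name__ == "__main__":
    for mac, n in find_address_hogs(sample_log()).items():
        print(f"{mac} was offered {n} distinct addresses within one window")
```
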


