The IP addresses of wired terminals frequently change.
An attempt to bind an IP address in the address pool to an online PC fails, and an error message is displayed indicating that the address state is incorrect. However, an IP address is successfully bound to another online PC.
Analyze the IP address conflict records of the wired network segments. The Detect Type is ARP; that is, the terminal detects an IP address conflict when it obtains an IP address.
<nj-core6720-19F-1> more conflict.txt
Conflict file updated at 09/30/2018 16:38:32
Pool name: Vlanif19
IP              Detect Time            Detect Type
10.64.29.8      09/29/2018 10:21:46    arp
10.64.29.13     09/28/2018 11:21:05    arp
10.64.29.14     09/28/2018 11:32:37    arp
10.64.29.20     09/29/2018 03:00:08    arp
10.64.29.32     09/28/2018 10:55:08    arp
10.64.29.39     09/28/2018 10:02:57    arp
10.64.30.164    09/30/2018 04:11:12    arp
The restart of the core switch results in the loss of address allocation records, which may cause address conflicts. However, address conflict detection using ARP probe packets may also report false address conflicts. According to the customer, 802.1X authentication has been configured on the access switch, so a false conflict may be reported. Check the ARP detection configuration, the user entry, and the DHCP snooping statistics on the access switch.
[nj-acc5720-19F-1-POE]display current-configuration | inc arp
access-user arp-detect default ip-address 0.0.0.0
[nj-acc5720-19F-1-POE] display access-user mac-address 8c16-4582-faae
User ID : 376
User name : HOBOT\lu.bai
Domain-name : hobot_dot1x.cc
User MAC : 8c16-4582-faae
User IP address : 192.168.1.119
User vpn-instance : -
User IPv6 address : -
User access Interface : GigabitEthernet2/0/18
User vlan event : Success
QinQVlan/UserVlan : 0/19
User vlan source : user request
User access time : 2018/09/29 16:25:32
User accounting session ID : nj-acc50201800000001949fbcd0000178
Option82 information : -
User access type : 802.1x
Terminal Device Type : Data Terminal
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : None
[nj-acc5720-19F-1-POE]display dhcp snooping statistics
DHCP Snooping Statistics:
Dhcp Discover: 106
Dhcp Request: 1310
Dhcp Decline: 38
Dhcp Release: 2
Dhcp Inform: 15
Dhcp Offer: 1578
Dhcp Ack: 5112
Dhcp Nak: 152
Dropped by mac-address check: 0
Dropped by untrust reply: 0
Dropped by request conflict: 0
Dropped by untrust relay-forw: 0
Delete DHCP snooping table:
Receive release packet: 2
Receive decline packet: 38
Lease expired: 0
User command: 0
Client transfers: 4
Interface down: 52
Arp detect: 0
Ucm notify: 0
When a wired terminal attempts to obtain an IP address (triggered by inserting or removing a network cable), it receives an ARP probe packet from the access switch and falsely reports an IP address conflict. As a result, the terminal's IP address changes.
The IP address pool only allows idle (or expired) IP addresses to be bound to terminals. Therefore, an online user cannot be bound to its own IP address, which is already in use.
An IP address is successfully bound to the other PC because that PC's address allocation record was lost due to a device restart two days ago. The device does not respond to the PC's two-step online request (DHCP Request/ACK), and the PC does not automatically switch to the four-step online mode (DHCP Discover/Offer/Request/ACK). Instead, the PC directly uses the temporary IP address with a lease of 7 days. As a result, the IP address is still in the idle state on the device, and the binding is successful.
Change the source IP address and source MAC address of the ARP probe packet on the access switch to prevent the terminal from falsely reporting an address conflict.
[HUAWEI] access-user arp-detect vlan 19 ip-address 10.64.28.1 mac-address 340a-9867-9765
In the command, 10.64.28.1 is the gateway address of VLAN 19, and 340a-9867-9765 is the MAC address of the gateway for VLAN 19.
Configure the function of saving IP address allocation records on the core switch to prevent address allocation records from being lost after restart.
[HUAWEI] dhcp server database enable
[HUAWEI] dhcp server database recover
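The correlation made in this analysis, as an added Python example that is not part of the original case or a Huawei tool: it parses the conflict file and the access switch's arp-detect lines, and flags a pool whose conflicts are all ARP-detected while the probe source for its VLAN is 0.0.0.0. The sample input is constructed from the outputs above; mapping pool VlanifN to VLAN N and letting a VLAN-specific arp-detect line override the default are assumptions.

```python
import re
from collections import Counter

# Constructed sample input, abbreviated from the outputs shown in this case.
CONFLICT_TXT = """\
Pool name: Vlanif19
IP Detect Time Detect Type
10.64.29.8 09/29/2018 10:21:46 arp
10.64.29.13 09/28/2018 11:21:05 arp
10.64.30.164 09/30/2018 04:11:12 arp
"""
CFG_BEFORE = "access-user arp-detect default ip-address 0.0.0.0\n"
FIX = "access-user arp-detect vlan 19 ip-address 10.64.28.1 mac-address 340a-9867-9765\n"

ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+ \S+)\s+(\w+)$")
PROBE = re.compile(r"access-user arp-detect (default|vlan (\d+)) ip-address (\S+)")

def parse_conflicts(text):
    """Return {pool name: Counter of detect types} from 'more conflict.txt' output."""
    pools, pool = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Pool name:"):
            pool = line.split(":", 1)[1].strip()
            pools[pool] = Counter()
        elif pool and (m := ROW.match(line)):
            pools[pool][m.group(3).lower()] += 1
    return pools

def probe_source(cfg, vlan):
    """Configured source IP of ARP probes for a VLAN, or None if nothing is configured."""
    # Assumption: a VLAN-specific line takes precedence over the default line.
    default = specific = None
    for scope, vid, ip in PROBE.findall(cfg):
        if scope == "default":
            default = ip
        elif vid == vlan:
            specific = ip
    return specific or default

def triage(conflicts_text, access_cfg):
    """Flag pools whose conflicts are all ARP-detected while probes use source 0.0.0.0."""
    result = {}
    for pool, types in parse_conflicts(conflicts_text).items():
        m = re.fullmatch(r"Vlanif(\d+)", pool)  # assumption: pool VlanifN serves VLAN N
        src = probe_source(access_cfg, m.group(1)) if m else None
        arp_only = bool(types) and set(types) == {"arp"}
        result[pool] = "suspect-false-conflict" if arp_only and src == "0.0.0.0" else "not-explained-by-probe"
    return result

print(triage(CONFLICT_TXT, CFG_BEFORE), triage(CONFLICT_TXT, CFG_BEFORE + FIX))
```

A pool reported as not-explained-by-probe after the fix still needs the second check in this case: whether allocation records were lost in a restart.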