Resolving IP Conflicts between DHCP servers using split scopes

Overview

IPAM may detect IP conflicts between two DHCP servers if they are utilizing split scopes in shared subnets. The following notifications appear in the IPAM events:

The IP address 10.38.XX.XXX is in conflict. 
The following devices were detected on network with same IP address:
- Dhcp Leases MAC: 00-25-64-XX-XX-XX, MAC: 00-00-FF-XX-XX-XX

The message indicates that the IP address of 10.38.XX.XXX is in conflict because one DHCP server found a lease existing on that IP with the MAC of  00-25-64-XX-XX-XX and the other DHCP server found a lease existing on that IP with the MAC of 00-00-FF-XX-XX-XX.

There should only be two reasons why two separate DHCP servers in IPAM should be managing the same IP:

• The subnet is being managed through split scopes between both DHCP servers.
• The DHCPs are in a replicated configuration. Replicated DHCP server monitoring is not supported in IPAM. More information on Inaccurate IP results from replicating DHCP servers.

Environment

• IPAM 4+
• Multiple DHCP servers

Cause 

The IP conflict is caused by both DHCP servers managing the same IP and issuing lease information to them. In a correctly configured split scope, two DHCP servers setup scopes within the same subnet. Once that scope is setup however, each DHCP server must set an exclusion range that is the opposite of the other DHCP server within that range.

The IP conflict occurs because the exclusion ranges were not setup correctly and there are gaps in the managed subnet. For example:

• DHCP 1 and DHCP 2 setup a scope on the same subnet of 10.10.0.0 /24
• DHCP 1 sets it's exclusion range to be from 10.10.0.1 - 10.10.0.100
• DHCP 2 sets it's exclusion range to be from 10.10.0.105 - 10.10.0.254
• DHCP 1 controls the IP range of 10.10.0.101 - 10.10.0.254
• DHCP 2 controls the IP range of 10.10.0.1 - 10.10.0.104
• IP range of 10.10.0.101 to .104 is not within the exclusion range of either, so both DHCP servers manage it.

Both servers are controlling that small range, each of them will assign leases to the IPs. Because IPAM does not have the ability to sync, chain or schedule scans, DHCP 1 and DHCP 2 can be scanned at completely different times. If the lease expires from the IP and each server assigns a new lease, IPAM will only be made aware of it when the first DHCP server is scanned.
 

The lease information for the second DHCP will still remain as it was before until such time it is scanned. As such, the IP will have two different leases in the database and the IP conflict queries will see that the same IP has a different MAC from a lease and flag it as an IP conflict between two DHCP servers.

Resolution

1. Verify that the IP in conflict is outside the exclusion list of either scope. You can verify this information on the DHCP server directly.
2. Verify that the IP and scopes are not in a replicated DHCP scenario. You can verify this information on the DHCP server directly.
3. Correct the scope ranges to doe one of the following: either correct the exclusion ranges to encompass the entire range or set the managed range to specific boundaries. Once the ranges are correct, the scan should pick up the modifications to the scope and reflect it in IPAM. If it does not, select the Scope in IPAMs DHCP & DNS Managment section under DHCP Scopes. Click Delete, then Scan the DHCP server again.