naker_1

Всем доброго времени суток. Помогите пожалуйста настроить DHCP Opt.82 на SuperVlan. В данный момент используем технологию vlan-to-peer. Хотим перейти на SuperVlan + Opt.82 Оттестировали схему (vlan-to-peer) ISC-DHCP-->L3(Summit x460-24T)-->L2(SNR-S2960-24G) без SuperVlan, все отлично завилось. В данный момент бьемся над схемой ISC-DHCP -->L3(Summit x460-24T)-->L3(SNR-S3750G-24S-E)-->L2(SNR-S2960-24G) с использованием SuperVlan. В текущей конфигурации которая у нас получилась, на абонентском коммутаторе L2, получить адрес DHCP можно только один раз и только на одном порту. На остальных портах IP не получаем, при этом при снятии tcpdump видно что опция передается. ISC-DHCP option domain-name "172.16.0.2, 172.16.1.2 "; default-lease-time 2400; max-lease-time 2400; authoritative; log-facility local7; local-address 10.10.0.2; subnet 10.10.0.0 netmask 255.255.255.252 { } # Logging for debug begin if exists agent.remote-id and exists agent.circuit-id { log(info, "--------------------------------------------------------------------------"); log(info, concat("Lease for IP: ", binary-to-ascii(10, 8, ".", leased-address))); log(info, concat("Lease for MAC: ", binary-to-ascii (16, 8, ":", suffix(hardware, 6)))); log(info, concat("Remote ID: ", binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 6)), " ", "Circuit ID: if binary-to-ascii(16, 8, "", substring(option agent.remote-id, 2, 1)) = "0" { set switch-mac = concat("0", binary-to-ascii(16, 8, "", suffix(option agent.remote-id, 1)), ":", binary-to-ascii(16, 8, } else { set switch-mac = binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 6)); } set switch-addr = binary-to-ascii(10, 8, ".", packet(24, 4)); set switch-port = binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 5, 1)); set switch-port-vlan = binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 2, 2)); log(info, concat("Lease from: ", binary-to-ascii(10, 8, ".", leased-address), " via IP: ", switch-addr, " (MAC: ", switc log(info, "--------------------------------------------------------------------------"); } #shared-network fxp0 { include "/usr/local/etc/ng4.conf"; } include "/usr/local/etc/dhcp/test.conf"; test.conf class "test-sw01-p01" { match if binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a" and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "1"; } class "test-sw01-p02" { match if binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a" and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "2"; } class "office-sw01-p03" { match if binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a" and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "3"; } class "test-sw01-p04" { match if binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a" and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "4"; } class "test-sw01-p05" { match if binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a" and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "5"; } subnet 172.16.14.0 netmask 255.255.255.0 { dynamic-bootp-lease-length 180; max-lease-time 2400; default-lease-time 2400; option routers 172.16.14.1; option domain-name-servers 172.16.0.2, 172.16.1.2; option subnet-mask 255.255.255.0; pool { range 172.16.14.2; allow members of "office-sw01-p01"; } pool { range 172.16.14.6; allow members of "office-sw01-p02"; } pool { range 172.16.14.10; allow members of "office-sw01-p03"; } pool { range 172.16.14.14; allow members of "office-sw01-p04"; } pool { range 172.16.14.18; allow members of "office-sw01-p05"; } } L3(Summit x460-24T) # # Module ipSecurity configuration. # configure trusted-servers vlan vlan80 add server 10.10.0.2 trust-for dhcp-server # # Module netTools configuration. # configure bootprelay add 10.10.0.2 vr VR-Default configure bootprelay dhcp-agent information policy keep vr VR-Default enable bootprelay vlan Default enable bootprelay vlan vlan515 (Vlan управления для 2-го L3 коммутатора) L3(SNR-S3750G-24S-E) service dhcp ip forward-protocol udp bootps ip dhcp snooping enable ip dhcp snooping information option subscriber-id format hex vlan 4 name supervlan supervlan subvlan 3374-3378 Interface Ethernet1/0/11 (порт подключения L2 коммутатора) switchport mode hybrid switchport hybrid allowed vlan 3374-3378 tag switchport hybrid allowed vlan 1 untag ip dhcp snooping trust Interface Ethernet1/0/25 ( порт подключения к L3(Summit x460-24T)) description Uplink switchport mode hybrid switchport hybrid allowed vlan 1 untag ip dhcp snooping trust interface Vlan4 ip address 172.16.14.1 255.255.255.0 !forward protocol udp 67(active)! ip helper-address 10.10.0.2 L2(SNR-S2960-24G) service dhcp ip dhcp snooping enable ip dhcp snooping binding enable ip dhcp snooping information enable ip dhcp snooping information option subscriber-id format hex firewall enable ip access-list extended drop deny tcp any-source s-port 135 any-destination deny tcp any-source s-port 139 any-destination deny tcp any-source s-port 445 any-destination deny udp any-source s-port 1900 any-destination permit tcp any-source any-destination permit udp any-source any-destination permit icmp any-source any-destination deny tcp any-source s-port 137 any-destination deny tcp any-source s-port 138 any-destination deny tcp any-source s-port 2869 any-destination deny udp any-source s-port 135 any-destination deny udp any-source s-port 137 any-destination deny udp any-source s-port 138 any-destination deny udp any-source s-port 139 any-destination deny udp any-source s-port 445 any-destination deny udp any-source s-port 2869 any-destination exit Interface Ethernet1/1 switchport access vlan 3374 ip access-group drop in am port am ip-pool 172.16.14.2 1 ip dhcp snooping binding user-control ip dhcp snooping binding user-control max-user 1 ! Interface Ethernet1/2 switchport access vlan 3375 ip access-group drop in am port am ip-pool 172.16.14.6 1 ip dhcp snooping binding user-control ip dhcp snooping binding user-control max-user 1 ! Interface Ethernet1/3 switchport access vlan 3376 ip access-group drop in am port am ip-pool 172.16.14.10 1 ip dhcp snooping binding user-control ip dhcp snooping binding user-control max-user 1 ! Interface Ethernet1/4 switchport access vlan 3377 ip access-group drop in am port am ip-pool 172.16.14.14 1 ip dhcp snooping binding user-control ip dhcp snooping binding user-control max-user 1 ! Interface Ethernet1/5 switchport access vlan 3378 ip access-group drop in am port am ip-pool 172.16.14.18 1 ip dhcp snooping binding user-control ip dhcp snooping binding user-control max-user 1 Interface Ethernet1/28 (порт подключения к L3(SNR-S3750G-24S-E)) switchport mode hybrid switchport hybrid allowed vlan 3374-3378 tag switchport hybrid allowed vlan 1 untag ip dhcp snooping trust DUMP при подключении к порту на котором уже не получаем ip-address. 14:18:04.355508 IP 172.16.14.1.bootps > dhcp.meoz.bootps: BOOTP/DHCP, Request from 00:14:22:c0:51:dd (oui Unknown), length 315 14:18:04.371498 IP dhcp.meoz.bootps > 172.16.14.1.bootps: BOOTP/DHCP, Reply, length 324 14:18:04.452698 IP dhcp.meoz.61789 > host.ru.domain: 41807+ PTR? 1.14.16.172.in-addr.arpa. (42) 14:18:04.472622 IP host.ru.domain > dhcp.meoz.61789: 41807 NXDomain 0/0/0 (42) Такая же ситуация (на одном порту получаем ip, на остальных нет), если мы поднимаем SubVlan на L3(Summit x460-24T) и подключаем к нему L2 коммутатор. Помогите разобраться. За ранее спасибо.