Good day, everyone.
Please help me configure DHCP Option 82 on a SuperVlan.
At the moment we use the vlan-to-peer approach.
We want to migrate to SuperVlan + Option 82.
We tested the (vlan-to-peer) scheme ISC-DHCP --> L3 (Summit x460-24T) --> L2 (SNR-S2960-24G) without SuperVlan, and everything came up fine.
Right now we are struggling with the scheme ISC-DHCP --> L3 (Summit x460-24T) --> L3 (SNR-S3750G-24S-E) --> L2 (SNR-S2960-24G) using SuperVlan.
With the configuration we have ended up with, on the L2 subscriber switch an address can be obtained from DHCP only once and only on one port. On the other ports we do not get an IP, although a tcpdump capture shows that the option is being passed along.
ISC-DHCP
option domain-name "172.16.0.2, 172.16.1.2 ";
default-lease-time 2400;
max-lease-time 2400;
authoritative;
log-facility local7;
local-address 10.10.0.2;
subnet 10.10.0.0 netmask 255.255.255.252 {
}
# Logging for debug begin
if exists agent.remote-id and exists agent.circuit-id {
log(info, "--------------------------------------------------------------------------");
log(info, concat("Lease for IP: ", binary-to-ascii(10, 8, ".", leased-address)));
log(info, concat("Lease for MAC: ", binary-to-ascii (16, 8, ":", suffix(hardware, 6))));
log(info, concat("Remote ID: ", binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 6)), " ", "Circuit ID:
if binary-to-ascii(16, 8, "", substring(option agent.remote-id, 2, 1)) = "0" {
set switch-mac = concat("0", binary-to-ascii(16, 8, "", suffix(option agent.remote-id, 1)), ":", binary-to-ascii(16, 8,
} else {
set switch-mac = binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 6));
}
# giaddr (relay address) is bytes 24-27 of the BOOTP header
set switch-addr = binary-to-ascii(10, 8, ".", packet(24, 4));
# circuit-id byte 5 = port number
set switch-port = binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 5, 1));
# circuit-id bytes 2-3 = VLAN id; a 16-bit width is needed so the two bytes are read as one number
set switch-port-vlan = binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 2, 2));
log(info, concat("Lease from: ", binary-to-ascii(10, 8, ".", leased-address), " via IP: ", switch-addr, " (MAC: ", switc
log(info, "--------------------------------------------------------------------------");
}
#shared-network fxp0 { include "/usr/local/etc/ng4.conf"; }
include "/usr/local/etc/dhcp/test.conf";
test.conf
class "test-sw01-p01" {
match if
binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a"
and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "1";
}
class "test-sw01-p02" {
match if
binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a"
and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "2";
}
class "test-sw01-p03" {
match if
binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a"
and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "3";
}
class "test-sw01-p04" {
match if
binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a"
and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "4";
}
class "test-sw01-p05" {
match if
binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a"
and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "5";
}
subnet 172.16.14.0 netmask 255.255.255.0 {
dynamic-bootp-lease-length 180;
max-lease-time 2400;
default-lease-time 2400;
option routers 172.16.14.1;
option domain-name-servers 172.16.0.2, 172.16.1.2;
option subnet-mask 255.255.255.0;
# one single-address pool per switch port; the names in "allow members of"
# must match the class declarations above exactly
pool { range 172.16.14.2; allow members of "test-sw01-p01"; }
pool { range 172.16.14.6; allow members of "test-sw01-p02"; }
pool { range 172.16.14.10; allow members of "test-sw01-p03"; }
pool { range 172.16.14.14; allow members of "test-sw01-p04"; }
pool { range 172.16.14.18; allow members of "test-sw01-p05"; }
}
L3(Summit x460-24T)
#
# Module ipSecurity configuration.
#
configure trusted-servers vlan vlan80 add server 10.10.0.2 trust-for dhcp-server
#
# Module netTools configuration.
#
configure bootprelay add 10.10.0.2 vr VR-Default
configure bootprelay dhcp-agent information policy keep vr VR-Default
enable bootprelay vlan Default
enable bootprelay vlan vlan515 (management VLAN for the second L3 switch)
L3(SNR-S3750G-24S-E)
service dhcp
ip forward-protocol udp bootps
ip dhcp snooping enable
ip dhcp snooping information option subscriber-id format hex
vlan 4
name supervlan
supervlan
subvlan 3374-3378
Interface Ethernet1/0/11 (port connecting the L2 switch)
switchport mode hybrid
switchport hybrid allowed vlan 3374-3378 tag
switchport hybrid allowed vlan 1 untag
ip dhcp snooping trust
Interface Ethernet1/0/25 (port connecting to L3 (Summit x460-24T))
description Uplink
switchport mode hybrid
switchport hybrid allowed vlan 1 untag
ip dhcp snooping trust
interface Vlan4
ip address 172.16.14.1 255.255.255.0
!forward protocol udp 67(active)!
ip helper-address 10.10.0.2
L2(SNR-S2960-24G)
service dhcp
ip dhcp snooping enable
ip dhcp snooping binding enable
ip dhcp snooping information enable
ip dhcp snooping information option subscriber-id format hex
firewall enable
ip access-list extended drop
deny tcp any-source s-port 135 any-destination
deny tcp any-source s-port 139 any-destination
deny tcp any-source s-port 445 any-destination
deny udp any-source s-port 1900 any-destination
permit tcp any-source any-destination
permit udp any-source any-destination
permit icmp any-source any-destination
deny tcp any-source s-port 137 any-destination
deny tcp any-source s-port 138 any-destination
deny tcp any-source s-port 2869 any-destination
deny udp any-source s-port 135 any-destination
deny udp any-source s-port 137 any-destination
deny udp any-source s-port 138 any-destination
deny udp any-source s-port 139 any-destination
deny udp any-source s-port 445 any-destination
deny udp any-source s-port 2869 any-destination
exit
Interface Ethernet1/1
switchport access vlan 3374
ip access-group drop in
am port
am ip-pool 172.16.14.2 1
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/2
switchport access vlan 3375
ip access-group drop in
am port
am ip-pool 172.16.14.6 1
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/3
switchport access vlan 3376
ip access-group drop in
am port
am ip-pool 172.16.14.10 1
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/4
switchport access vlan 3377
ip access-group drop in
am port
am ip-pool 172.16.14.14 1
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/5
switchport access vlan 3378
ip access-group drop in
am port
am ip-pool 172.16.14.18 1
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
Interface Ethernet1/28 (port connecting to L3 (SNR-S3750G-24S-E))
switchport mode hybrid
switchport hybrid allowed vlan 3374-3378 tag
switchport hybrid allowed vlan 1 untag
ip dhcp snooping trust
Dump taken when connecting to a port on which we no longer get an IP address.
14:18:04.355508 IP 172.16.14.1.bootps > dhcp.meoz.bootps: BOOTP/DHCP, Request from 00:14:22:c0:51:dd (oui Unknown), length 315
14:18:04.371498 IP dhcp.meoz.bootps > 172.16.14.1.bootps: BOOTP/DHCP, Reply, length 324
14:18:04.452698 IP dhcp.meoz.61789 > host.ru.domain: 41807+ PTR? 1.14.16.172.in-addr.arpa. (42)
14:18:04.472622 IP host.ru.domain > dhcp.meoz.61789: 41807 NXDomain 0/0/0 (42)
The same thing happens (one port gets an IP, the others do not) if we bring up the SubVlan on the L3 (Summit x460-24T) and connect the L2 switch to it.
Please help me figure this out.
Thanks in advance.
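To see concretely what the `match if` expressions in test.conf compare, here is an added Python example (not part of the original post) that builds a constructed Option 82 payload, decodes it with the same substring()/suffix() offsets the posted dhcpd.conf uses, and returns the pool a client on a given port would be admitted to. The circuit-id layout (type, length, 2-byte VLAN, slot, port) and remote-id layout (type, length, 6-byte MAC) are assumptions chosen to fit those offsets, not taken from the page or the switch documentation.

```python
import struct

# Constructed sample values (not from the post): the switch MAC used in the test.conf
# classes, and a circuit-id layout assumed to fit the posted substring()/suffix()
# offsets (circuit-id bytes 2-3 = VLAN, byte 5 = port; remote-id bytes 2-7 = MAC).
SWITCH_MAC = bytes.fromhex("f8f08210607a")
CLASSES = {"test-sw01-p0%d" % p: ("f8:f0:82:10:60:7a", str(p)) for p in range(1, 6)}
POOLS = {"test-sw01-p01": "172.16.14.2", "test-sw01-p02": "172.16.14.6", "test-sw01-p03": "172.16.14.10",
         "test-sw01-p04": "172.16.14.14", "test-sw01-p05": "172.16.14.18"}

def build_option82(vlan, slot, port, mac=SWITCH_MAC):
    """Relay agent information (RFC 3046): suboption 1 circuit-id, suboption 2 remote-id."""
    circuit_id = b"\x00\x04" + struct.pack(">HBB", vlan, slot, port)
    remote_id = b"\x00\x06" + mac
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id

def parse_option82(data):
    """Split the option into {suboption_code: value}, rejecting truncated TLVs."""
    subs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated Option 82 suboption at offset %d" % i)
        length = data[i + 1]
        subs[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    return subs

def binary_to_ascii(base, width, sep, data):
    """Mirror dhcpd's binary-to-ascii(): words of `width` bits printed with NO zero
    padding, so the byte 0x0a becomes "a", not "0a" (a classic Option 82 gotcha)."""
    size = width // 8
    if len(data) % size:
        raise ValueError("data length is not a multiple of the word width")
    words = [int.from_bytes(data[k:k + size], "big") for k in range(0, len(data), size)]
    return sep.join(format(w, "x" if base == 16 else "d") for w in words)

def match_class(subs):
    """Evaluate the 'match if' expressions of the test.conf classes."""
    mac = binary_to_ascii(16, 8, ":", subs[2][-6:])  # suffix(option agent.remote-id, 6)
    port = binary_to_ascii(10, 8, "", subs[1][-1:])  # suffix(option agent.circuit-id, 1)
    for name, (want_mac, want_port) in CLASSES.items():
        if mac == want_mac and port == want_port:
            return name
    return None

def select_pool(option82):
    """Address range whose 'allow members of' admits this client, or None if no class matched."""
    return POOLS.get(match_class(parse_option82(option82)))

def circuit_vlan(option82):
    """VLAN id from circuit-id bytes 2-3; a 16-bit width is required (8-bit gives '1346' for 3374)."""
    return binary_to_ascii(10, 16, "", parse_option82(option82)[1][2:4])
```

A client on port 1 in VLAN 3374 lands in the 172.16.14.2 pool; a port with no matching class gets no pool at all, which is exactly the "no lease" symptom to look for in the dhcpd log.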