Egro Posted May 18, 2019 (edited)

Good day...

With this config:

    ip dhcp snooping enable
    !
    !
    !
    !
    !
    !
    Interface Ethernet1/0/1 (subscriber port)
     switchport mode trunk
     switchport trunk allowed vlan *(management)
     loopback-detection specified-vlan 1
     loopback-detection control shutdown
     ip dhcp snooping action blackhole recovery 120
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    .........
    Interface Ethernet1/0/10 (Uplink)
     switchport mode trunk
     switchport trunk allowed vlan *(management)
     ip dhcp snooping trust
     loopback-detection specified-vlan 1
     loopback-detection control shutdown
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !

The subscriber stops getting an IP from the DHCP server... Yet on a 2965_24 with the same config everything works fine, i.e. it drops subscribers' DHCP servers while letting ours through. Can someone point out what I am doing wrong?

Edited May 18, 2019 by Egro

Ivan Tarasenko Posted May 20, 2019

On 18.05.2019 at 15:48, Egro said:
> The subscriber stops getting an IP from the DHCP server... Yet on a 2965_24 with the same config everything works fine, i.e. it drops subscribers' DHCP servers while letting ours through. Can someone point out what I am doing wrong?

Good afternoon. Have you tried taking a dump on the client and comparing it with the DHCP server logs? Is the software version on the switches the same? Please show the output of show ver from the S2965-8T. The full switch configuration may also be useful.

Egro Posted May 20, 2019

1 hour ago, Ivan Tarasenko said:
> Good afternoon. Have you tried taking a dump on the client and comparing it with the DHCP server logs? Is the software version on the switches the same? Please show the output of show ver from the S2965-8T. The full switch configuration may also be useful.

    !
    service password-encryption
    !
    username admin privilege 15 password 7 **********
    !
    authentication line console login local
    !
    !
    clock timezone Islamabad add 5 0
    !
    !
    ssh-server enable
    !
    snmp-server enable
    snmp-server securityip *.*.*.*
    snmp-server securityip *.*.*.*
    snmp-server community ro 7 ********
    snmp-server user initial initial
    snmp-server group ***** noauthnopriv read Community
    snmp-server view CommunityView 1. include
    snmp-server view CommunityView 1.3.6.1.6.3. exclude
    snmp-server enable traps
    !
    ip forward-protocol udp bootps
    !
    !
    ip dhcp snooping enable
    !
    !
    !
    !
    !
    !
    !
    loopback-detection interval-time 10 3
    !
    loopback-detection control-recovery timeout 30
    !
    loopback-detection trap enable
    !
    vlan 1
    !
    vlan *
     name MANAGER
    !
    ip multicast source-control
    !
    firewall enable
    !
    access-list 110 deny tcp any-source any-destination d-port 135
    access-list 110 deny tcp any-source any-destination d-port 136
    access-list 110 deny tcp any-source any-destination d-port 137
    access-list 110 deny tcp any-source any-destination d-port 138
    access-list 110 deny tcp any-source any-destination d-port 139
    access-list 110 deny tcp any-source any-destination d-port 445
    access-list 110 deny tcp any-source any-destination d-port 1900
    access-list 110 deny tcp any-source any-destination d-port 2869
    access-list 110 deny udp any-source any-destination d-port 135
    access-list 110 deny udp any-source any-destination d-port 136
    access-list 110 deny udp any-source any-destination d-port 137
    access-list 110 deny udp any-source any-destination d-port 138
    access-list 110 deny udp any-source any-destination d-port 139
    access-list 110 deny udp any-source any-destination d-port 445
    access-list 110 deny udp any-source any-destination d-port 1900
    access-list 110 deny udp any-source any-destination d-port 2869
    access-list 110 permit ip any-source any-destination
    access-list 110 deny tcp any-source s-port 135 any-destination
    access-list 110 deny udp any-source s-port 135 any-destination
    access-list 110 deny tcp any-source s-port 136 any-destination
    access-list 110 deny udp any-source s-port 136 any-destination
    access-list 110 deny tcp any-source s-port 137 any-destination
    access-list 110 deny udp any-source s-port 137 any-destination
    access-list 110 deny tcp any-source s-port 138 any-destination
    access-list 110 deny udp any-source s-port 138 any-destination
    access-list 110 deny tcp any-source s-port 139 any-destination
    access-list 110 deny udp any-source s-port 139 any-destination
    access-list 110 deny tcp any-source s-port 445 any-destination
    access-list 110 deny udp any-source s-port 445 any-destination
    access-list 110 deny tcp any-source s-port 1900 any-destination
    access-list 110 deny udp any-source s-port 1900 any-destination
    access-list 110 deny tcp any-source s-port 2869 any-destination
    access-list 110 deny udp any-source s-port 2869 any-destination
    !
    userdefined-access-list standard offset window1 l4start 0 window2 l4start 2
    userdefined-access-list standard 1204 deny packet-type ipv4 window1 89 ffff window2 89 ffff
    userdefined-access-list standard 1204 deny packet-type ipv4 window1 8a ffff window2 8a ffff
    !
    Interface Ethernet1/0/1
     switchport mode trunk
     switchport trunk allowed vlan *
     loopback-detection specified-vlan 1
     loopback-detection control shutdown
     ip dhcp snooping action blackhole recovery 120
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    Interface Ethernet1/0/2
     switchport mode trunk
     switchport trunk allowed vlan *
     loopback-detection specified-vlan 1
     loopback-detection control shutdown
     ip dhcp snooping action blackhole recovery 120
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    Interface Ethernet1/0/3
     switchport mode trunk
     switchport trunk allowed vlan *
     loopback-detection specified-vlan 1;*
     loopback-detection control shutdown
     ip dhcp snooping action blackhole recovery 120
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    Interface Ethernet1/0/4
     switchport mode trunk
     switchport trunk allowed vlan *
     loopback-detection specified-vlan 1;*
     loopback-detection control shutdown
     ip dhcp snooping action blackhole recovery 120
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    Interface Ethernet1/0/5
     switchport mode trunk
     switchport trunk allowed vlan *
     loopback-detection specified-vlan 1;*
     loopback-detection control shutdown
     ip dhcp snooping action blackhole recovery 120
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    Interface Ethernet1/0/6
     switchport mode trunk
     switchport trunk allowed vlan *
     loopback-detection specified-vlan 1;*
     loopback-detection control shutdown
     ip dhcp snooping action blackhole recovery 120
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    Interface Ethernet1/0/7
     switchport mode trunk
     switchport trunk allowed vlan *
     ip dhcp snooping trust
     loopback-detection specified-vlan 1
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    Interface Ethernet1/0/8
     switchport mode trunk
     switchport trunk allowed vlan *
     ip dhcp snooping trust
     loopback-detection specified-vlan 1
     loopback-detection control shutdown
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    Interface Ethernet1/0/9
     switchport mode trunk
     switchport trunk allowed vlan *
     ip dhcp snooping trust
     loopback-detection specified-vlan 1
     loopback-detection control shutdown
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    Interface Ethernet1/0/10
     switchport mode trunk
     switchport trunk allowed vlan *
     ip dhcp snooping trust
     loopback-detection specified-vlan 1
     loopback-detection control shutdown
     storm-control broadcast 16
     storm-control multicast 16
     storm-control unicast 16
     ip access-group 110 in traffic-statistic
    !
    interface Vlan*
     ip address *.*.*.* 255.0.0.0
    !
    sntp server *.*.*.* version 2
    !
    no login
    !
    !
    captive-portal
    !
    end

    SNR-S2965-8T Device, Compiled on May 16 10:56:37 2019
    sysLocation Building 57/2,Predelnaya st, Ekaterinburg, Russia
    CPU Mac f8:f0:82:7a:0b:bf
    Vlan MAC f8:f0:82:7a:0b:be
    SoftWare Version 7.0.3.5(R0241.0308)
    BootRom Version 7.2.21
    HardWare Version 1.0.3
    CPLD Version N/A
    Serial No.:SW052610I505001504
    Copyright (C) 2019 NAG LLC
    All rights reserved
    Last reboot is warm reset.
    Uptime is 0 weeks, 0 days, 0 hours, 0 minutes

Ivan Tarasenko Posted May 20, 2019

@Egro have you tried taking a dump on the client and comparing it with the DHCP server logs?

You can also run

    terminal monitor
    debug ip dhcp snooping packet
    debug ip dhcp snooping event

and collect the console output at the moment the client tries to get an IP. It is best to attach the output to the message as a separate file.

Egro Posted June 12, 2019

On 20.05.2019 at 14:31, Ivan Tarasenko said:
> @Egro have you tried taking a dump on the client and comparing it with the DHCP server logs?
> You can also run
>     terminal monitor
>     debug ip dhcp snooping packet
>     debug ip dhcp snooping event
> and collect the console output at the moment the client tries to get an IP. It is best to attach the output to the message as a separate file.

Here is the output of these commands when an IP is requested...

    %Jun 12 21:02:38 2019 DHCPS: rcv packet from client 10-fe-ed-d4-c6-8b, interface Ethernet1/0/8(portID 0x1000008), length 594, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
    %Jun 12 21:02:38 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1
    %Jun 12 21:02:39 2019 DHCPS: rcv packet from client 38-60-77-f5-3d-7f, interface Ethernet1/0/8(portID 0x1000008), length 346, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
    %Jun 12 21:02:39 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1
    %Jun 12 21:02:39 2019 DHCPS: rcv packet from client b0-be-76-7f-83-61, interface Ethernet1/0/8(portID 0x1000008), length 594, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
    %Jun 12 21:02:39 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1
    %Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-62-f2-11, interface Ethernet1/0/8(portID 0x1000008), length 594, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
    %Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1
    %Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-1f-93-59, interface Ethernet1/0/8(portID 0x1000008), length 594, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
    %Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1
    %Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-63-09-37, interface Ethernet1/0/8(portID 0x1000008), length 594, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
    %Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1
    %Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-63-3f-3f, interface Ethernet1/0/8(portID 0x1000008), length 594, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
    %Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1
    %Jun 12 21:02:40 2019 DHCPS: rcv packet from client f0-76-1c-25-fe-31, interface Ethernet1/0/8(portID 0x1000008), length 346, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
    %Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1
    %Jun 12 21:02:41 2019 DHCPS: do requset binding event:
    %Jun 12 21:02:42 2019 DHCPS: rcv packet from client 38-60-77-f5-3d-7f, interface Ethernet1/0/8(portID 0x1000008), length 346, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
    %Jun 12 21:02:42 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1
    %Jun 12 21:02:42 2019 DHCP SNOOPING: Delete a binding is failed
    %Jun 12 21:02:42 2019 DHCPS: rcv packet from client b0-be-76-56-28-25, interface Ethernet1/0/8(portID 0x1000008), length 594, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
    %Jun 12 21:02:42 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1

As soon as I remove ip dhcp snooping enable, everything starts working perfectly. I want to repeat once more: on the 2965-24T no problems are observed.

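A triage sketch for the debug output in the post above, added here as an example (it is not from the thread or from the vendor): it tallies the "rcv packet" lines per port and notes whether any server reply (BOOTREPLY) was logged and whether client requests arrive on a port marked "ip dhcp snooping trust". The sample lines are constructed in the log's format with documentation MAC addresses, the trusted-port set is taken from the posted S2965-8T config, and it is an assumption that reply packets are logged in the same line format.

```python
import re
from collections import Counter, defaultdict

# "rcv packet" lines in the format shown in the debug output above.
RCV = re.compile(
    r"DHCPS: rcv packet from client (?P<mac>[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}), "
    r"interface (?P<port>\S+?)\(portID 0x[0-9a-fA-F]+\), length \d+, "
    r"type (?P<type>\w+), opcode (?P<opcode>\w+)")

# Ports carrying "ip dhcp snooping trust" in the posted config.
TRUSTED = {"Ethernet1/0/7", "Ethernet1/0/8", "Ethernet1/0/9", "Ethernet1/0/10"}

# Constructed sample: same line format as the thread, documentation MACs.
SAMPLE = """\
%Jun 12 21:02:38 2019 DHCPS: rcv packet from client 00-00-5e-00-53-01, interface Ethernet1/0/8(portID 0x1000008), length 594, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:38 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:39 2019 DHCPS: rcv packet from client 00-00-5e-00-53-02, interface Ethernet1/0/8(portID 0x1000008), length 346, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:42 2019 DHCPS: rcv packet from client 00-00-5e-00-53-02, interface Ethernet1/0/8(portID 0x1000008), length 346, type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
"""

def summarize(log_text, trusted=TRUSTED):
    """Per-port message-type counts, distinct clients and BOOTREPLY count."""
    types, clients, replies = defaultdict(Counter), defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = RCV.search(line)
        if not m:
            continue  # flood and binding-event lines carry no message type
        port = m["port"]
        types[port][m["type"]] += 1
        clients[port].add(m["mac"].lower())
        replies[port] += m["opcode"] == "BOOTREPLY"
    return {p: {"trusted": p in trusted, "types": dict(types[p]),
                "clients": len(clients[p]), "replies": replies[p]}
            for p in types}

def findings(summary):
    """Neutral observations to attach to a support ticket, not a diagnosis."""
    notes = []
    if not any(p["replies"] for p in summary.values()):
        notes.append("no BOOTREPLY logged on any port")
    for port, p in sorted(summary.items()):
        if p["trusted"] and p["replies"] < sum(p["types"].values()):
            notes.append(f"client requests received on trusted port {port}")
    return notes

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result)
    print(findings(result))
```
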
Aleksey Sonkin Posted June 13, 2019

@Egro Good afternoon! Please open a ticket on support.nag.ru.