
SNR2965_8: DHCP snooping does not work

Good day... With this config:

 

ip dhcp snooping enable
!
!
!
!
!
!
Interface Ethernet1/0/1 (subscriber port)
 switchport mode trunk
 switchport trunk allowed vlan *(management)
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
.........
Interface Ethernet1/0/10 (Uplink)
 switchport mode trunk
 switchport trunk allowed vlan *(management)
 ip dhcp snooping trust
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!

The subscriber stops getting an IP from the DHCP server... Yet on the 2965_24 with the same config everything works fine, i.e. it drops the subscribers' DHCP servers while letting ours through. Can you point out what I am doing wrong?


On 18.05.2019 at 15:48, Egro said:

The subscriber stops getting an IP from the DHCP server... Yet on the 2965_24 with the same config everything works fine, i.e. it drops the subscribers' DHCP servers while letting ours through. Can you point out what I am doing wrong?

Good day.

Have you tried capturing a dump on the client and comparing it with the DHCP server logs? Is the software version on the switches the same? Please show the output of show ver from the S2965-8T.

The full switch configuration may also be useful.


1 hour ago, Ivan Tarasenko said:

Good day.

Have you tried capturing a dump on the client and comparing it with the DHCP server logs? Is the software version on the switches the same? Please show the output of show ver from the S2965-8T.

The full switch configuration may also be useful.

!
service password-encryption
!
username admin privilege 15 password 7 **********
!
authentication line console login local
!
!
clock timezone Islamabad add 5 0
!
!
ssh-server enable
!
snmp-server enable
snmp-server securityip *.*.*.*
snmp-server securityip *.*.*.*
snmp-server community ro 7 ********
snmp-server user initial initial
snmp-server group ***** noauthnopriv read Community
snmp-server view CommunityView 1. include
snmp-server view CommunityView 1.3.6.1.6.3. exclude
snmp-server enable traps
!
ip forward-protocol udp bootps
!
!
ip dhcp snooping enable
!
!
!
!
!
!
!
loopback-detection interval-time 10 3
!
loopback-detection control-recovery timeout 30
!
loopback-detection trap enable
!
vlan 1 
!
vlan *
 name MANAGER
!
ip multicast source-control
!
firewall enable
!
access-list 110 deny tcp any-source any-destination d-port 135
access-list 110 deny tcp any-source any-destination d-port 136
access-list 110 deny tcp any-source any-destination d-port 137
access-list 110 deny tcp any-source any-destination d-port 138
access-list 110 deny tcp any-source any-destination d-port 139
access-list 110 deny tcp any-source any-destination d-port 445
access-list 110 deny tcp any-source any-destination d-port 1900
access-list 110 deny tcp any-source any-destination d-port 2869
access-list 110 deny udp any-source any-destination d-port 135
access-list 110 deny udp any-source any-destination d-port 136
access-list 110 deny udp any-source any-destination d-port 137
access-list 110 deny udp any-source any-destination d-port 138
access-list 110 deny udp any-source any-destination d-port 139
access-list 110 deny udp any-source any-destination d-port 445
access-list 110 deny udp any-source any-destination d-port 1900
access-list 110 deny udp any-source any-destination d-port 2869
access-list 110 permit ip any-source any-destination
access-list 110 deny tcp any-source s-port 135 any-destination
access-list 110 deny udp any-source s-port 135 any-destination
access-list 110 deny tcp any-source s-port 136 any-destination
access-list 110 deny udp any-source s-port 136 any-destination
access-list 110 deny tcp any-source s-port 137 any-destination
access-list 110 deny udp any-source s-port 137 any-destination
access-list 110 deny tcp any-source s-port 138 any-destination
access-list 110 deny udp any-source s-port 138 any-destination
access-list 110 deny tcp any-source s-port 139 any-destination
access-list 110 deny udp any-source s-port 139 any-destination
access-list 110 deny tcp any-source s-port 445 any-destination
access-list 110 deny udp any-source s-port 445 any-destination
access-list 110 deny tcp any-source s-port 1900 any-destination
access-list 110 deny udp any-source s-port 1900 any-destination
access-list 110 deny tcp any-source s-port 2869 any-destination
access-list 110 deny udp any-source s-port 2869 any-destination
 
!
userdefined-access-list standard offset window1 l4start 0 window2 l4start 2 
userdefined-access-list standard 1204 deny packet-type ipv4 window1 89 ffff window2 89 ffff
userdefined-access-list standard 1204 deny packet-type ipv4 window1 8a ffff window2 8a ffff
!
Interface Ethernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/3
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1;*
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/4
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1;*
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/5
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1;*
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/6
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1;*
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/7
 switchport mode trunk
 switchport trunk allowed vlan * 
 ip dhcp snooping trust
 loopback-detection specified-vlan 1
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/8
 switchport mode trunk
 switchport trunk allowed vlan * 
 ip dhcp snooping trust
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/9
 switchport mode trunk
 switchport trunk allowed vlan * 
 ip dhcp snooping trust
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/10
 switchport mode trunk
 switchport trunk allowed vlan * 
 ip dhcp snooping trust
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
interface Vlan*
 ip address *.*.*.* 255.0.0.0
!
sntp server *.*.*.* version 2
!
no login
!
!
captive-portal
!
end

 

  SNR-S2965-8T Device, Compiled on May 16 10:56:37 2019                         
  sysLocation Building 57/2,Predelnaya st, Ekaterinburg, Russia                 
  CPU Mac f8:f0:82:7a:0b:bf                                                     
  Vlan MAC f8:f0:82:7a:0b:be                                                    
  SoftWare Version 7.0.3.5(R0241.0308)                                          
  BootRom Version 7.2.21                                                        
  HardWare Version 1.0.3                                                        
  CPLD Version N/A                                                              
  Serial No.:SW052610I505001504                                                 
  Copyright (C) 2019 NAG LLC                                                    
  All rights reserved                                                           
  Last reboot is warm reset.                                                    
  Uptime is 0 weeks, 0 days, 0 hours, 0 minutes 

 


@Egro, have you tried capturing a dump on the client and comparing it with the DHCP server logs?

You can also run

terminal monitor
debug ip dhcp snooping packet
debug ip dhcp snooping event

and collect the console output at the moment the client tries to get an IP. It is best to attach the output to your message as a separate file.


On 20.05.2019 at 14:31, Ivan Tarasenko said:

@Egro, have you tried capturing a dump on the client and comparing it with the DHCP server logs?

You can also run


terminal monitor
debug ip dhcp snooping packet
debug ip dhcp snooping event

and collect the console output at the moment the client tries to get an IP. It is best to attach the output to your message as a separate file.

Here is the output of these commands when an IP is requested...

%Jun 12 21:02:38 2019 DHCPS: rcv packet from client 10-fe-ed-d4-c6-8b,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:38 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:39 2019 DHCPS: rcv packet from client 38-60-77-f5-3d-7f,
         interface Ethernet1/0/8(portID 0x1000008), length 346,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:39 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:39 2019 DHCPS: rcv packet from client b0-be-76-7f-83-61,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:39 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-62-f2-11,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-1f-93-59,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-63-09-37,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-63-3f-3f,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:40 2019 DHCPS: rcv packet from client f0-76-1c-25-fe-31,
         interface Ethernet1/0/8(portID 0x1000008), length 346,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:41 2019 DHCPS: do requset binding event:
%Jun 12 21:02:42 2019 DHCPS: rcv packet from client 38-60-77-f5-3d-7f,
         interface Ethernet1/0/8(portID 0x1000008), length 346,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:42 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:42 2019 DHCP SNOOPING: Delete a binding is failed
%Jun 12 21:02:42 2019 DHCPS: rcv packet from client b0-be-76-56-28-25,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:42 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1

 

As soon as I remove

ip dhcp snooping enable

everything starts working fine. I want to repeat once more: on the 2965-24T no problems are observed.
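
Added example (not part of the thread's posts and not vendor code): a small Python triage script that summarizes `debug ip dhcp snooping packet` output in the format quoted above by ingress port and message type, and compares it with the ports marked `ip dhcp snooping trust` in the posted configuration. The sample log is constructed (MAC addresses are made up) and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the debug output above (MACs are made up).
SAMPLE_LOG = """\
%Jun 12 21:02:38 2019 DHCPS: rcv packet from client 02-00-00-00-00-01,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:38 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:39 2019 DHCPS: rcv packet from client 02-00-00-00-00-02,
         interface Ethernet1/0/8(portID 0x1000008), length 346,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:42 2019 DHCP SNOOPING: Delete a binding is failed
"""
# Ports carrying "ip dhcp snooping trust" in the full configuration posted above.
TRUSTED = {"Ethernet1/0/7", "Ethernet1/0/8", "Ethernet1/0/9", "Ethernet1/0/10"}
SERVER_TYPES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

RCV = re.compile(
    r"rcv packet from client (?P<mac>[0-9a-f-]{17}),\s+"
    r"interface (?P<port>\S+?)\(portID \S+\), length \d+,\s+"
    r"type (?P<type>\w+), opcode (?P<op>\w+)", re.I)
FLOOD = re.compile(r"flood dhcp pkt from \S+ .*?in vlan (\d+)", re.S)

def summarize(log):
    """Return ({port: Counter(message type)}, set of VLANs packets were flooded in)."""
    per_port = defaultdict(Counter)
    for m in RCV.finditer(log):
        per_port[m["port"]][m["type"]] += 1
    return per_port, {int(v) for v in FLOOD.findall(log)}

def findings(log, trusted_ports):
    """List the facts worth checking first; observations, not a diagnosis."""
    per_port, vlans = summarize(log)
    seen = set().union(*per_port.values()) if per_port else set()
    out = []
    if not seen & SERVER_TYPES:
        out.append("no server replies (OFFER/ACK/NAK) in capture")
    for port, types in sorted(per_port.items()):
        if port in trusted_ports and types.keys() - SERVER_TYPES:
            out.append(f"client requests received on trusted port {port}")
    if vlans:
        out.append("flooded in vlan " + ",".join(map(str, sorted(vlans))))
    failed = log.count("Delete a binding is failed")
    if failed:
        out.append(f"{failed} binding delete failure(s)")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_LOG, TRUSTED)))
```

Run it over the full console capture saved to a file; the flooded VLAN it reports can then be compared with the VLAN allowed on the trunk ports.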