
SNR2965_8 dhcp snooping does not work

Good day... With this config:

 

ip dhcp snooping enable
!
!
!
!
!
!
Interface Ethernet1/0/1 (subscriber port)
 switchport mode trunk
 switchport trunk allowed vlan *(management)
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
.........
Interface Ethernet1/0/10 (Uplink)
 switchport mode trunk
 switchport trunk allowed vlan *(management)
 ip dhcp snooping trust
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!

The subscriber stops receiving an IP from the DHCP server.... Yet on a 2965_24 with the same config everything works properly, i.e. it drops subscribers' DHCP servers while letting ours through. Can you point out what I'm doing wrong?

Edited by Egro

On 18.05.2019 at 15:48, Egro said:

The subscriber stops receiving an IP from the DHCP server.... Yet on a 2965_24 with the same config everything works properly, i.e. it drops subscribers' DHCP servers while letting ours through. Can you point out what I'm doing wrong?

Good afternoon.

Have you tried capturing a dump on the client and comparing it with the DHCP server logs? Is the software version on the switches the same? Please show the output of show ver from the S2965-8T.

The full switch configuration may also be useful.

1 hour ago, Ivan Tarasenko said:

Good afternoon.

Have you tried capturing a dump on the client and comparing it with the DHCP server logs? Is the software version on the switches the same? Please show the output of show ver from the S2965-8T.

The full switch configuration may also be useful.

!
service password-encryption
!
username admin privilege 15 password 7 **********
!
authentication line console login local
!
!
clock timezone Islamabad add 5 0
!
!
ssh-server enable
!
snmp-server enable
snmp-server securityip *.*.*.*
snmp-server securityip *.*.*.*
snmp-server community ro 7 ********
snmp-server user initial initial
snmp-server group ***** noauthnopriv read Community
snmp-server view CommunityView 1. include
snmp-server view CommunityView 1.3.6.1.6.3. exclude
snmp-server enable traps
!
ip forward-protocol udp bootps
!
!
ip dhcp snooping enable
!
!
!
!
!
!
!
loopback-detection interval-time 10 3
!
loopback-detection control-recovery timeout 30
!
loopback-detection trap enable
!
vlan 1 
!
vlan *
 name MANAGER
!
ip multicast source-control
!
firewall enable
!
access-list 110 deny tcp any-source any-destination d-port 135
access-list 110 deny tcp any-source any-destination d-port 136
access-list 110 deny tcp any-source any-destination d-port 137
access-list 110 deny tcp any-source any-destination d-port 138
access-list 110 deny tcp any-source any-destination d-port 139
access-list 110 deny tcp any-source any-destination d-port 445
access-list 110 deny tcp any-source any-destination d-port 1900
access-list 110 deny tcp any-source any-destination d-port 2869
access-list 110 deny udp any-source any-destination d-port 135
access-list 110 deny udp any-source any-destination d-port 136
access-list 110 deny udp any-source any-destination d-port 137
access-list 110 deny udp any-source any-destination d-port 138
access-list 110 deny udp any-source any-destination d-port 139
access-list 110 deny udp any-source any-destination d-port 445
access-list 110 deny udp any-source any-destination d-port 1900
access-list 110 deny udp any-source any-destination d-port 2869
access-list 110 permit ip any-source any-destination
access-list 110 deny tcp any-source s-port 135 any-destination
access-list 110 deny udp any-source s-port 135 any-destination
access-list 110 deny tcp any-source s-port 136 any-destination
access-list 110 deny udp any-source s-port 136 any-destination
access-list 110 deny tcp any-source s-port 137 any-destination
access-list 110 deny udp any-source s-port 137 any-destination
access-list 110 deny tcp any-source s-port 138 any-destination
access-list 110 deny udp any-source s-port 138 any-destination
access-list 110 deny tcp any-source s-port 139 any-destination
access-list 110 deny udp any-source s-port 139 any-destination
access-list 110 deny tcp any-source s-port 445 any-destination
access-list 110 deny udp any-source s-port 445 any-destination
access-list 110 deny tcp any-source s-port 1900 any-destination
access-list 110 deny udp any-source s-port 1900 any-destination
access-list 110 deny tcp any-source s-port 2869 any-destination
access-list 110 deny udp any-source s-port 2869 any-destination
 
!
userdefined-access-list standard offset window1 l4start 0 window2 l4start 2 
userdefined-access-list standard 1204 deny packet-type ipv4 window1 89 ffff window2 89 ffff
userdefined-access-list standard 1204 deny packet-type ipv4 window1 8a ffff window2 8a ffff
!
Interface Ethernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/3
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1;*
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/4
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1;*
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/5
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1;*
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/6
 switchport mode trunk
 switchport trunk allowed vlan * 
 loopback-detection specified-vlan 1;*
 loopback-detection control shutdown
 ip dhcp snooping action blackhole recovery 120
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/7
 switchport mode trunk
 switchport trunk allowed vlan * 
 ip dhcp snooping trust
 loopback-detection specified-vlan 1
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/8
 switchport mode trunk
 switchport trunk allowed vlan * 
 ip dhcp snooping trust
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/9
 switchport mode trunk
 switchport trunk allowed vlan * 
 ip dhcp snooping trust
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
Interface Ethernet1/0/10
 switchport mode trunk
 switchport trunk allowed vlan * 
 ip dhcp snooping trust
 loopback-detection specified-vlan 1
 loopback-detection control shutdown
 storm-control broadcast 16
 storm-control multicast 16
 storm-control unicast 16
 ip access-group 110 in traffic-statistic
!
interface Vlan*
 ip address *.*.*.* 255.0.0.0
!
sntp server *.*.*.* version 2
!
no login
!
!
captive-portal
!
end

 

  SNR-S2965-8T Device, Compiled on May 16 10:56:37 2019                         
  sysLocation Building 57/2,Predelnaya st, Ekaterinburg, Russia                 
  CPU Mac f8:f0:82:7a:0b:bf                                                     
  Vlan MAC f8:f0:82:7a:0b:be                                                    
  SoftWare Version 7.0.3.5(R0241.0308)                                          
  BootRom Version 7.2.21                                                        
  HardWare Version 1.0.3                                                        
  CPLD Version N/A                                                              
  Serial No.:SW052610I505001504                                                 
  Copyright (C) 2019 NAG LLC                                                    
  All rights reserved                                                           
  Last reboot is warm reset.                                                    
  Uptime is 0 weeks, 0 days, 0 hours, 0 minutes 

 


@Egro, have you tried capturing a dump on the client and comparing it with the DHCP server logs?

You can also apply

terminal monitor
debug ip dhcp snooping packet
debug ip dhcp snooping event

and collect the console output at the moment the client tries to obtain an IP. It is best to attach the output to the message as a separate file.

On 20.05.2019 at 14:31, Ivan Tarasenko said:

@Egro, have you tried capturing a dump on the client and comparing it with the DHCP server logs?

You can also apply


terminal monitor
debug ip dhcp snooping packet
debug ip dhcp snooping event

and collect the console output at the moment the client tries to obtain an IP. It is best to attach the output to the message as a separate file.

Here is the output of these commands when requesting an IP...

%Jun 12 21:02:38 2019 DHCPS: rcv packet from client 10-fe-ed-d4-c6-8b,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:38 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:39 2019 DHCPS: rcv packet from client 38-60-77-f5-3d-7f,
         interface Ethernet1/0/8(portID 0x1000008), length 346,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:39 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:39 2019 DHCPS: rcv packet from client b0-be-76-7f-83-61,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:39 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-62-f2-11,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-1f-93-59,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-63-09-37,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:40 2019 DHCPS: rcv packet from client b0-4e-26-63-3f-3f,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:40 2019 DHCPS: rcv packet from client f0-76-1c-25-fe-31,
         interface Ethernet1/0/8(portID 0x1000008), length 346,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:40 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:41 2019 DHCPS: do requset binding event:
%Jun 12 21:02:42 2019 DHCPS: rcv packet from client 38-60-77-f5-3d-7f,
         interface Ethernet1/0/8(portID 0x1000008), length 346,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:42 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:42 2019 DHCP SNOOPING: Delete a binding is failed
%Jun 12 21:02:42 2019 DHCPS: rcv packet from client b0-be-76-56-28-25,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:42 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1

 

as soon as I remove

ip dhcp snooping enable

Everything starts working perfectly. I want to repeat once more: on the 2965-24T no problems are observed.
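
An added example, not part of the original posts and not SNR tooling: a small Python parser for the `debug ip dhcp snooping packet` output posted above that groups received DHCP messages by interface and cross-references each interface with the `ip dhcp snooping trust` lines of the posted configuration. `CONFIG` and `LOG` are trimmed excerpts of the posts; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict
# Trimmed excerpts of the config and debug output posted in this thread.
CONFIG = """\
Interface Ethernet1/0/1
 ip dhcp snooping action blackhole recovery 120
!
Interface Ethernet1/0/8
 ip dhcp snooping trust
!
"""
LOG = """\
%Jun 12 21:02:38 2019 DHCPS: rcv packet from client 10-fe-ed-d4-c6-8b,
         interface Ethernet1/0/8(portID 0x1000008), length 594,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
%Jun 12 21:02:38 2019 DHCPS: flood dhcp pkt from Ethernet1/0/8 dst mac ff-ff-ff-ff-ff-ff
         to all up port except input port Ethernet1/0/8 in vlan 1
%Jun 12 21:02:39 2019 DHCPS: rcv packet from client 38-60-77-f5-3d-7f,
         interface Ethernet1/0/8(portID 0x1000008), length 346,
         type DHCPDISCOVER, opcode BOOTREQUEST, stacking 0
"""
# One "rcv packet" record spans three console lines, hence re.S.
RCV = re.compile(r"rcv packet from client ([0-9a-f-]{17}),\s+interface (\S+?)\(portID"
                 r".*?type (\w+), opcode (\w+)", re.S)

def trusted_ports(config):
    """Interfaces whose stanza contains 'ip dhcp snooping trust'."""
    trusted, current = set(), None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:
            current = m.group(1)
        elif current and line.strip() == "ip dhcp snooping trust":
            trusted.add(current)
    return trusted

def summarize(log, config):
    """Per receiving interface: trust state, message counts, distinct clients."""
    trusted = trusted_ports(config)
    seen = defaultdict(lambda: {"types": Counter(), "clients": set()})
    for mac, iface, mtype, opcode in RCV.findall(log):
        seen[iface]["types"][(mtype, opcode)] += 1
        seen[iface]["clients"].add(mac)
    return {iface: {"trusted": iface in trusted, "types": dict(s["types"]),
                    "clients": len(s["clients"])} for iface, s in seen.items()}

if __name__ == "__main__":
    for iface, info in summarize(LOG, CONFIG).items():
        print(iface, info)
```

Run over a full console capture and the full configuration, the summary shows which message types and opcodes the switch logged on each port and whether that port is marked trusted.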

 

 

 

 
