naker_1 Posted February 19, 2014

Good day, everyone. Please help me set up DHCP Option 82 on a SuperVlan. At the moment we use the vlan-to-peer approach and want to move to SuperVlan + Option 82.

We tested the vlan-to-peer scheme ISC-DHCP -> L3 (Summit x460-24T) -> L2 (SNR-S2960-24G) without SuperVlan, and everything came up fine.

Right now we are struggling with the scheme ISC-DHCP -> L3 (Summit x460-24T) -> L3 (SNR-S3750G-24S-E) -> L2 (SNR-S2960-24G) using SuperVlan. With the configuration we have arrived at, a DHCP address can be obtained on the subscriber L2 switch only once and only on one port. On the other ports we get no IP, yet a tcpdump shows that the option is being passed.

ISC-DHCP

option domain-name "172.16.0.2, 172.16.1.2 ";
default-lease-time 2400;
max-lease-time 2400;
authoritative;
log-facility local7;
local-address 10.10.0.2;

subnet 10.10.0.0 netmask 255.255.255.252 {
}

# Logging for debug begin
if exists agent.remote-id and exists agent.circuit-id {
    log(info, "--------------------------------------------------------------------------");
    log(info, concat("Lease for IP: ", binary-to-ascii(10, 8, ".", leased-address)));
    log(info, concat("Lease for MAC: ", binary-to-ascii(16, 8, ":", suffix(hardware, 6))));
    log(info, concat("Remote ID: ", binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 6)), " ", "Circuit ID:
    if binary-to-ascii(16, 8, "", substring(option agent.remote-id, 2, 1)) = "0" {
        set switch-mac = concat("0", binary-to-ascii(16, 8, "", suffix(option agent.remote-id, 1)), ":", binary-to-ascii(16, 8,
    } else {
        set switch-mac = binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 6));
    }
    set switch-addr = binary-to-ascii(10, 8, ".", packet(24, 4));
    set switch-port = binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 5, 1));
    set switch-port-vlan = binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 2, 2));
    log(info, concat("Lease from: ", binary-to-ascii(10, 8, ".", leased-address), " via IP: ", switch-addr, " (MAC: ", switc
    log(info, "--------------------------------------------------------------------------");
}

#shared-network fxp0 { include "/usr/local/etc/ng4.conf"; }
include "/usr/local/etc/dhcp/test.conf";

test.conf

class "test-sw01-p01" {
    match if binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a"
        and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "1";
}
class "test-sw01-p02" {
    match if binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a"
        and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "2";
}
class "office-sw01-p03" {
    match if binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a"
        and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "3";
}
class "test-sw01-p04" {
    match if binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a"
        and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "4";
}
class "test-sw01-p05" {
    match if binary-to-ascii(16, 8, ":", suffix(option agent.remote-id, 6)) = "f8:f0:82:10:60:7a"
        and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "5";
}

subnet 172.16.14.0 netmask 255.255.255.0 {
    dynamic-bootp-lease-length 180;
    max-lease-time 2400;
    default-lease-time 2400;
    option routers 172.16.14.1;
    option domain-name-servers 172.16.0.2, 172.16.1.2;
    option subnet-mask 255.255.255.0;
    pool {
        range 172.16.14.2;
        allow members of "office-sw01-p01";
    }
    pool {
        range 172.16.14.6;
        allow members of "office-sw01-p02";
    }
    pool {
        range 172.16.14.10;
        allow members of "office-sw01-p03";
    }
    pool {
        range 172.16.14.14;
        allow members of "office-sw01-p04";
    }
    pool {
        range 172.16.14.18;
        allow members of "office-sw01-p05";
    }
}

L3 (Summit x460-24T)

#
# Module ipSecurity configuration.
#
configure trusted-servers vlan vlan80 add server 10.10.0.2 trust-for dhcp-server
#
# Module netTools configuration.
#
configure bootprelay add 10.10.0.2 vr VR-Default
configure bootprelay dhcp-agent information policy keep vr VR-Default
enable bootprelay vlan Default
enable bootprelay vlan vlan515    (management VLAN of the second L3 switch)

L3 (SNR-S3750G-24S-E)

service dhcp
ip forward-protocol udp bootps
ip dhcp snooping enable
ip dhcp snooping information option subscriber-id format hex
vlan 4
 name supervlan
 supervlan
 subvlan 3374-3378
Interface Ethernet1/0/11    (port facing the L2 switch)
 switchport mode hybrid
 switchport hybrid allowed vlan 3374-3378 tag
 switchport hybrid allowed vlan 1 untag
 ip dhcp snooping trust
Interface Ethernet1/0/25    (port facing the L3 Summit x460-24T)
 description Uplink
 switchport mode hybrid
 switchport hybrid allowed vlan 1 untag
 ip dhcp snooping trust
interface Vlan4
 ip address 172.16.14.1 255.255.255.0
 !forward protocol udp 67(active)!
 ip helper-address 10.10.0.2

L2 (SNR-S2960-24G)

service dhcp
ip dhcp snooping enable
ip dhcp snooping binding enable
ip dhcp snooping information enable
ip dhcp snooping information option subscriber-id format hex
firewall enable
ip access-list extended drop
 deny tcp any-source s-port 135 any-destination
 deny tcp any-source s-port 139 any-destination
 deny tcp any-source s-port 445 any-destination
 deny udp any-source s-port 1900 any-destination
 permit tcp any-source any-destination
 permit udp any-source any-destination
 permit icmp any-source any-destination
 deny tcp any-source s-port 137 any-destination
 deny tcp any-source s-port 138 any-destination
 deny tcp any-source s-port 2869 any-destination
 deny udp any-source s-port 135 any-destination
 deny udp any-source s-port 137 any-destination
 deny udp any-source s-port 138 any-destination
 deny udp any-source s-port 139 any-destination
 deny udp any-source s-port 445 any-destination
 deny udp any-source s-port 2869 any-destination
exit
Interface Ethernet1/1
 switchport access vlan 3374
 ip access-group drop in
 am port
 am ip-pool 172.16.14.2 1
 ip dhcp snooping binding user-control
 ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/2
 switchport access vlan 3375
 ip access-group drop in
 am port
 am ip-pool 172.16.14.6 1
 ip dhcp snooping binding user-control
 ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/3
 switchport access vlan 3376
 ip access-group drop in
 am port
 am ip-pool 172.16.14.10 1
 ip dhcp snooping binding user-control
 ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/4
 switchport access vlan 3377
 ip access-group drop in
 am port
 am ip-pool 172.16.14.14 1
 ip dhcp snooping binding user-control
 ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/5
 switchport access vlan 3378
 ip access-group drop in
 am port
 am ip-pool 172.16.14.18 1
 ip dhcp snooping binding user-control
 ip dhcp snooping binding user-control max-user 1
Interface Ethernet1/28    (port facing the L3 SNR-S3750G-24S-E)
 switchport mode hybrid
 switchport hybrid allowed vlan 3374-3378 tag
 switchport hybrid allowed vlan 1 untag
 ip dhcp snooping trust

Dump taken while connected to a port on which we no longer get an IP address:

14:18:04.355508 IP 172.16.14.1.bootps > dhcp.meoz.bootps: BOOTP/DHCP, Request from 00:14:22:c0:51:dd (oui Unknown), length 315
14:18:04.371498 IP dhcp.meoz.bootps > 172.16.14.1.bootps: BOOTP/DHCP, Reply, length 324
14:18:04.452698 IP dhcp.meoz.61789 > host.ru.domain: 41807+ PTR? 1.14.16.172.in-addr.arpa. (42)
14:18:04.472622 IP host.ru.domain > dhcp.meoz.61789: 41807 NXDomain 0/0/0 (42)

The same situation (an IP on one port, none on the others) occurs if we create the SubVlan on the L3 (Summit x460-24T) and connect the L2 switch directly to it. Please help me figure this out. Thanks in advance.
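An added worked example, written by the editor and not part of the original post: it decodes the relay-agent information option (option 82) using the byte layouts that the substring()/suffix() offsets in the posted dhcpd.conf imply, and then replays the class and pool matching of the posted test.conf for each subscriber port. It assumes the circuit-id sub-option carries type(1) len(1) vlan(2) module(1) port(1) and the remote-id sub-option carries type(1) len(1) mac(6); the DHCP bytes are constructed, not captured. One thing visible in the config as posted: the pools allow members of "office-sw01-p01" through "office-sw01-p05", while the declared classes are "test-sw01-p01", "test-sw01-p02", "office-sw01-p03", "test-sw01-p04" and "test-sw01-p05", so in this model only port 3 resolves to a pool. Whether that mismatch alone accounts for the observed behaviour cannot be confirmed from the post.

```python
"""Decode DHCP option 82 and replay the class/pool matching of the posted
test.conf.  Added example, not from the original post.  Assumed layouts
(implied by the substring()/suffix() offsets in the posted dhcpd.conf):
  circuit-id: type(1) len(1) vlan(2) module(1) port(1)
  remote-id:  type(1) len(1) mac(6)
All packet bytes below are constructed, not captured."""
import struct

OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
SW_MAC = "f8:f0:82:10:60:7a"  # remote-id MAC used by every posted class

# Classes exactly as declared in the posted test.conf: name -> (MAC, port)
CLASSES = {"test-sw01-p01": (SW_MAC, 1), "test-sw01-p02": (SW_MAC, 2),
           "office-sw01-p03": (SW_MAC, 3), "test-sw01-p04": (SW_MAC, 4),
           "test-sw01-p05": (SW_MAC, 5)}
# Pools exactly as posted: allowed class -> the single address in its range
POOLS = {"office-sw01-p01": "172.16.14.2", "office-sw01-p02": "172.16.14.6",
         "office-sw01-p03": "172.16.14.10", "office-sw01-p04": "172.16.14.14",
         "office-sw01-p05": "172.16.14.18"}


def parse_options(payload):
    """Parse the DHCP options field (after the magic cookie) into {code: value}.
    PAD carries no length byte, END terminates, a short option raises."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header at offset %d" % i)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_option82(value):
    """Split option 82 into its sub-options (same TLV shape, no END marker)."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def decode_circuit_id(cid):
    """Return (vlan, module, port); mirrors substring(circuit-id, 2, 2) for the
    VLAN and substring(circuit-id, 5, 1) / suffix(circuit-id, 1) for the port."""
    if len(cid) < 6:
        raise ValueError("circuit-id shorter than 6 bytes")
    return struct.unpack("!H", cid[2:4])[0], cid[4], cid[5]


def decode_remote_id(rid):
    """Return the switch MAC as colon-hex; mirrors suffix(remote-id, 6)."""
    if len(rid) < 8:
        raise ValueError("remote-id shorter than 8 bytes")
    return ":".join("%02x" % b for b in rid[2:8])


def match_class(mac, port, classes=CLASSES):
    """First class whose 'match if' (MAC and port) holds, else None."""
    for name, (want_mac, want_port) in classes.items():
        if (mac, port) == (want_mac, want_port):
            return name
    return None


def select_pool(class_name, pools=POOLS):
    """Address of the pool that allows this class, or None (no lease)."""
    return pools.get(class_name)


def build_option82(vlan, port, switch_mac):
    """Constructed option 82 as a relay using the assumed layouts would emit."""
    cid = bytes([0, 4]) + struct.pack("!H", vlan) + bytes([0, port])
    rid = bytes([0, 6]) + switch_mac
    sub = (bytes([SUBOPT_CIRCUIT_ID, len(cid)]) + cid
           + bytes([SUBOPT_REMOTE_ID, len(rid)]) + rid)
    return bytes([OPT_RELAY_AGENT, len(sub)]) + sub


def sample_options(port):
    """Constructed DISCOVER options (type 53, option 82, END) for subscriber
    port N, which sits in subvlan 3373+N as in the posted L2 config."""
    return (bytes([53, 1, 1])
            + build_option82(3373 + port, port, bytes.fromhex("f8f08210607a"))
            + bytes([OPT_END]))


def lease_for(options):
    """Return (vlan, port, switch_mac, class, pool_address) for one request."""
    subs = parse_option82(parse_options(options)[OPT_RELAY_AGENT])
    vlan, _module, port = decode_circuit_id(subs[SUBOPT_CIRCUIT_ID])
    mac = decode_remote_id(subs[SUBOPT_REMOTE_ID])
    cls = match_class(mac, port)
    return vlan, port, mac, cls, select_pool(cls)


if __name__ == "__main__":
    for p in range(1, 6):
        print("port %d:" % p, lease_for(sample_options(p)))
```

Running it prints one tuple per port; with the posted names only port 3 ends with a pool address, the other four end with None. Swapping the CLASSES keys for the names the pools reference (or vice versa) makes every port resolve, which is a quick way to check a class/pool naming change before touching the live dhcpd.conf.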