ip dhcp snooping kills DHCP on ports

Tags: network-engineering, cisco, arp, dhcp, snooping
2022-03-05 04:16:34

I am working on implementing DHCP snooping on my switches and have found that when I do, it kills the DHCP connection to the clients. The network looks like this:

[image: network diagram]

Currently, a server that also runs DNS is providing DHCP for 2 (60 and 70) of the 5 VLANs (20, 30, 40, 50, 60 and 70) on the system. The server is plugged into Switch A with an Ethernet cable, with VLAN separation to support the various networks.

Switch A has ip dhcp snooping enabled. Switch A connects to Switch B over fibre, trunking all 5 VLANs.

I started with Switch B, whose configuration is below; I am enabling ip dhcp snooping on it first because it is downstream and will cause the least impact.

The client is a domain-joined computer on VLAN 70 with a valid DHCP lease and address. The client is plugged into Switch B with an Ethernet cable.

After enabling DHCP snooping on Switch B, the client plugged into Switch B loses its IP address and DHCP does not issue one.

The switch gives no DHCP snooping deny errors or any other information on the port the client is plugged into, apart from the port going up or down and the cable being unplugged.

Is the client losing its address, or its access to DHCP, because ip dhcp snooping is not enabled on Switch A and the port the DHCP server plugs into on Switch A is not set to trust (ip arp inspection)? If not, why is the client not getting a DHCP address?

Update 1: Enabled trust on the port on Switch A that the DHCP server plugs into. Ran the ip dhcp snooping vlan 30 command for the DHCP VLAN. Just before I got to Switch B, the ports on Switch A stopped working. The configuration is as follows:

!
! Last configuration change at 19:07:51 UTC Tue Mar 9 2021
! NVRAM config last updated at 19:07:55 UTC Tue Mar 9 2021
!
version 16.12
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname SWITCH
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 4096 informational
logging console notifications
enable secret 9 ###############
enable password 7 #################
!
aaa new-model
!
!
aaa group server radius INSTRU-NET
 server-private 192.168.0.1 auth-port 1812 acct-port 1813 key 7 ###########################
 server-private 192.168.0.2 auth-port 1812 acct-port 1813 key 7 ###########################
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authentication webauth default group radius local
aaa authorization console
aaa authorization exec default group RADIUS local if-authenticated 
!
!
!
!
!
!
aaa session-id common
boot system switch all flash:packages.conf
clock timezone UTC -4 0
clock calendar-valid
switch 1 provision c9300-24t
!
!
!
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
  no destination transport-method email
!
ip name-server 192.168.0.1 192.168.0.2
ip name-server vrf Mgmt-vrf 192.168.0.1
ip domain name DOMAIN.COM
!
ip dhcp pool PRODUCTION
 network 162.168.5.0 255.255.254.0
!
!
!
ip dhcp snooping
login on-failure log
login on-success log
!
!
!
!
!
no device-tracking logging theft
!
crypto pki trustpoint TP-self-signed-1367883796
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1367883796
 revocation-check none
 rsakeypair TP-self-signed-1367883796
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1367883796
 certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01 nvram:CiscoLicensi#1CA.cer
!
license boot level network-essentials addon dna-essentials
license smart reservation
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
memory free low-watermark processor 134335
!
username Netadmin privilege 15 password 7 ################
!
redundancy
 mode sso
!
!
!
!
!
transceiver type all
 monitoring
!
!
class-map match-any system-cpp-police-ewlc-control
  description EWLC Control 
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
  description EWLC Data, Inter FED Traffic 
class-map match-any system-cpp-police-sys-data
  description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
  description High Rate Applications 
class-map match-any system-cpp-police-multicast
  description MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-ios-routing
  description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
  description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
policy-map QOS_POLICY_SWITCHPORT
 class class-default
  bandwidth percent 25 
!
! 
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/2
 switchport access vlan 3
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/3
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 200
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
 ip dhcp snooping limit rate 20
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/5
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/6
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/7
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/8
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 shutdown
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/9
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 shutdown
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/10
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 shutdown
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/11
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 shutdown
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/12
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 shutdown
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/13
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/14
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 shutdown
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/15
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/16
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 shutdown
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/17
 switchport access vlan 3
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/18
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/19
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/20
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/21
 switchport access vlan 30
 switchport mode access
 switchport block unicast
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/22
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 shutdown
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/23
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 shutdown
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/0/24
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport block unicast
 shutdown
 storm-control broadcast level bps 20m
 storm-control unicast level bps 62m
 spanning-tree bpduguard enable
 ip verify source
!
interface GigabitEthernet1/1/1
 description Disabled
 switchport access vlan 100
 switchport trunk native vlan 100
 switchport mode access
 shutdown
!
interface GigabitEthernet1/1/2
 description Disabled
 switchport access vlan 100
 switchport mode access
 shutdown
!
interface GigabitEthernet1/1/3
 description Disabled
 switchport access vlan 100
 switchport mode access
 shutdown
!
interface GigabitEthernet1/1/4
 description Disabled
 switchport access vlan 100
 switchport mode access
 shutdown
!
interface TenGigabitEthernet1/1/1
 switchport trunk native vlan 11
 switchport trunk allowed vlan 20-70
 switchport mode trunk
 switchport nonegotiate
 udld port aggressive
 service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/2
 switchport trunk native vlan 110
 switchport trunk allowed vlan 20,30,60,70
 switchport mode trunk
 switchport nonegotiate
 udld port aggressive
 service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/3
 switchport trunk native vlan 110
 switchport trunk allowed vlan 20-40
 switchport mode trunk
 switchport nonegotiate
 udld port aggressive
 service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/4
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 shutdown
 udld port aggressive
 service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/5
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 shutdown
 udld port aggressive
 service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/6
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 shutdown
 udld port aggressive
 service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/7
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 shutdown
 udld port aggressive
 service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/8
 description Disabled
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 shutdown
 udld port aggressive
 service-policy output QOS_POLICY_SWITCHPORT
!
interface FortyGigabitEthernet1/1/1
 description Disabled
 switchport access vlan 100
 switchport mode access
 shutdown
!
interface FortyGigabitEthernet1/1/2
 description Disabled
 switchport access vlan 100
 switchport mode access
 shutdown
!
interface TwentyFiveGigE1/1/1
 description Disabled
 switchport access vlan 100
 switchport mode access
 shutdown
!
interface TwentyFiveGigE1/1/2
 description Disabled
 switchport access vlan 100
 switchport mode access
 shutdown
!
interface AppGigabitEthernet1/0/1
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan20
 ip address 192.168.0.50 255.255.255.0
!
interface Vlan30
 no ip address
!
interface Vlan40
 no ip address
!
interface Vlan50
 no ip address
!
interface Vlan60
 no ip address
!
interface Vlan70
 no ip address
!
interface Vlan100
 no ip address
!
interface Vlan110
 no ip address
!
ip forward-protocol nd
no ip http server
ip http authentication aaa login-authentication default
ip http secure-server
ip tftp source-interface Vlan2
ip ssh time-out 60
ip ssh version 2
ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-cbc aes192-cbc aes256-cbc
ip scp server enable
!
!
logging trap debugging
logging host 1.1.1.1
logging host 192.168.0.1
ip access-list standard 3
 50 permit 192.168.0.1 log
 10 permit 192.168.0.2 log
 40 permit 192.168.0.100 log
 20 permit 192.168.0.101 log
 30 permit 192.168.0.102 log
 60 deny   any log
!
!
!
radius server SERVER01
 address ipv4 192.168.0.1 auth-port 1645 acct-port 1646
 key 7 ###############################
!
radius server SERVER01
 address ipv4 192.168.0.2 auth-port 1645 acct-port 1646
 key 7 ###############################
!
!
control-plane
 service-policy input system-cpp-policy
!
!
line con 0
 stopbits 1
line vty 0 4
 access-class 3 in
 password 7 #######################
 length 0
 transport input ssh
line vty 5 15
 password 7 #######################
 transport input ssh
!
ntp authentication-key 1 md5 ############################ 7
ntp authenticate
ntp server 192.168.0.10 prefer
!
!
!
!
!
!
end
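Added here as an example (not part of the original question): the show and debug commands that reveal why a client stops getting a lease once snooping is enabled. The switch does not syslog snooping drops by default, which is why the port shows nothing but link state, but the snooping statistics counters do record them. Nothing below changes the configuration. One point worth checking against the posted configuration: every access port carries ip verify source (IP Source Guard), which only forwards IP traffic from sources that have a DHCP snooping binding or a static ip source binding, so a host whose lease predates snooping, or one with a static address, has no entry and is cut off the moment snooping becomes active on its VLAN. That is consistent with the "ports stopped working" symptom in Update 1, and the binding commands below show whether it applies.

```cisco
! Is snooping actually active on the client VLAN, and which ports are trusted?
! The global "ip dhcp snooping" line by itself filters nothing until a VLAN
! is listed, and the posted config has no "ip dhcp snooping vlan" line.
show ip dhcp snooping

! Drop counters. "Dropped From untrusted ports" climbing while a client is
! trying to lease is the signature of an OFFER/ACK arriving on an untrusted
! uplink or server port; the detail view breaks drops down by reason
! (server packet on untrusted port, source MAC != chaddr, nonzero giaddr,
! option 82 present).
clear ip dhcp snooping statistics
show ip dhcp snooping statistics
show ip dhcp snooping statistics detail

! Bindings learned from completed DHCP exchanges, plus static entries.
! A client that leased before snooping was enabled is absent until it
! renews, and on an "ip verify source" port that absence means no IP traffic.
show ip dhcp snooping binding
show ip source binding
show ip verify source

! Per-packet view while the client renews (ipconfig /renew on the Windows
! client). Use on a quiet switch: this logs every DHCP packet the CPU sees.
debug ip dhcp snooping packet
debug ip dhcp snooping event
! ... reproduce the failure, then stop debugging:
undebug all
```

If show ip dhcp snooping lists the server-facing port or the trunk toward the DHCP server as untrusted, the statistics will show the replies being dropped there; if the port is trusted and the client still fails, show ip verify source will show whether IP Source Guard is filtering the client instead.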
2 Answers

If you just enable DHCP snooping, the switch starts monitoring and filtering (!) DHCP traffic.

If you haven't set trust for the server-facing port (or the server IP address, depending on the exact switch model), DHCP stops working.

You need to trust the trunk to Switch A to get DHCP working again.

For Windows PCs and a Windows DHCP server, you need to include the following global commands:

no ip dhcp snooping information option
no ip dhcp snooping verify mac-address
no ip dhcp snooping verify no-relay-agent-address
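Putting the answer's advice into the topology from the question, as an added example rather than the answer's own text or a copy of the poster's configuration. Assumptions: on Switch A the DHCP/DNS server sits on GigabitEthernet1/0/3 (the trusted port in the posted config) as a trunk carrying the two DHCP VLANs, and TenGigabitEthernet1/1/1 is the fibre trunk to Switch B; on Switch B the uplink to A is also TenGigabitEthernet1/1/1 and GigabitEthernet1/0/1 is the VLAN 70 client port; the DHCP VLANs are 60 and 70 as the question states (substitute 30 if the Update 1 layout is the real one). The static binding MAC and address are placeholders. The rule being applied is the one in the answer: server replies (OFFER, ACK, NAK) are only accepted on trusted ports, so every hop between server and client that a reply crosses must be trusted, while client ports stay untrusted so a rogue DHCP server on them is silently discarded.

```cisco
!=== Switch A (server side) ==========================================
ip dhcp snooping
! Snooping is enabled per VLAN; the global command alone does nothing.
ip dhcp snooping vlan 60,70
! No relay between these clients and the server, so do not insert
! option 82 into client requests with giaddr 0.0.0.0 (the answer's
! Windows DHCP server advice).
no ip dhcp snooping information option
! Keep the binding table across a reload so IP Source Guard ports
! do not go dark after a reboot.
ip dhcp snooping database flash:dhcp-snoop.db
!
interface GigabitEthernet1/0/3
 description DHCP/DNS server (VLANs 60 and 70 via VLAN separation)
 switchport mode trunk
 switchport trunk allowed vlan 60,70
 ! Server replies enter the network here: must be trusted.
 ip dhcp snooping trust
 ! Rate limits belong on client ports; a limit of 20 pps on the
 ! server port err-disables it under normal load.
 no ip dhcp snooping limit rate
!
interface TenGigabitEthernet1/1/1
 description Fibre trunk to Switch B
 switchport mode trunk
 switchport trunk allowed vlan 20-70
 ! Requests from B's clients arrive here; trusting it also means
 ! anything on B is allowed to answer DHCP, so B must enforce its own
 ! trust boundary on its access ports (below).
 ip dhcp snooping trust
!
!=== Switch B (downstream, client side) ==============================
ip dhcp snooping
ip dhcp snooping vlan 60,70
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcp-snoop.db
!
interface TenGigabitEthernet1/1/1
 description Fibre trunk to Switch A
 switchport mode trunk
 ! Without this, OFFER/ACK from the server behind A are dropped and
 ! the client on B never gets a lease: the failure in the question.
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/1
 description Domain-joined client, VLAN 70
 switchport mode access
 switchport access vlan 70
 ! Stays untrusted: server-type messages from here are discarded.
 ip dhcp snooping limit rate 15
 ip verify source
!
! A host with a static address on an "ip verify source" port needs an
! explicit binding, otherwise it is cut off as soon as snooping becomes
! active on its VLAN (placeholder MAC, address and port).
ip source binding 0011.2233.4455 vlan 70 192.168.70.10 interface GigabitEthernet1/0/1
!
! Bring ports back automatically if the rate limiter err-disables them.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
```

The other two global commands in the answer (no ip dhcp snooping verify mac-address and no ip dhcp snooping verify no-relay-agent-address) each switch off a check that snooping performs on untrusted ports: the first stops comparing the frame's source MAC with the DHCP chaddr field, the second stops dropping client packets that carry a nonzero giaddr. Turn them off only if the snooping statistics show legitimate clients being dropped by exactly those checks, because each one is part of what stops a host on an untrusted port from spoofing another client's lease.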