MrFreeze007

Windows DHCP+DHCP Snooping

25.10.2017, 16:31. Views: 340. Replies: 0

Good afternoon!
I have a network with vlan10, vlan40 and vlan41:
vlan10 - management, vlan40 - servers, vlan41 - PCs

A Cisco 4500X switch routes between these subnets.
Its interface addresses: vlan10 - 10.10.10.254/24, vlan40 - 40.40.40.126/25, vlan41 - 41.41.41.254/24

The corresponding VLANs are created on the Cisco SG500X and HP 3500yl switches. Management VLAN interface addresses: SG500X - 10.10.10.2/24, HP 3500yl - 10.10.10.3/24. Their default gateway is set to 10.10.10.254/24 (the vlan10 interface of the Cisco 4500X).

DHCP is running on Windows 2012 with two scopes: 40.40.40.0/25 GW: 40.40.40.126 (the vlan40 interface of the Cisco 4500X) and 41.41.41.0/24 GW: 41.41.41.254 (the vlan41 interface of the Cisco 4500X).
The server is in vlan40 with the address 40.40.40.1

DHCP snooping is enabled on the HP 3500yl and Cisco SG500X. Clients receive addresses from DHCP according to the VLAN they are in.

However, if I specify on the HP 3500yl
dhcp-snooping authorized-server 40.40.40.1

then clients on the HP 3500yl stop receiving addresses.
The logs give the reason:
User.Warning,10.10.10.3,00855 dhcp-snoop: backplane: Ceasing unauthorized server
User.Warning,10.10.10.3,00854 dhcp-snoop: backplane: Unauthorized server 41.41.41.254 detected on port Trk1 (port c2 on the diagram).

WHERE IS THE MISTAKE? WHAT AM I DOING WRONG?

=======================================
The switch configs are attached:

ABK_4500X

no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
!
boot-start-marker
boot system flash bootflash:cat4500e-universalk9.SPA.03.06.06.E.152-2.E6.bin
boot-end-marker
!
vrf definition mgmtVrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no ip source-route
ip arp inspection vlan 10,40,41
!
no ip domain-lookup
!
ip dhcp snooping vlan 40,41
no ip dhcp snooping information option
ip dhcp snooping
vtp mode transparent
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no spanning-tree vlan 40,41
!
vlan internal allocation policy ascending
!
vlan 10
name Management
!
vlan 40
name Servers
!
vlan 41
name Computers
!
ip tcp selective-ack
ip tcp timestamp
ip tcp path-mtu-discovery
!
interface Port-channel1 (port b2 on the diagram)
description = Trunk to HP3500yl =
switchport
switchport trunk allowed vlan 10,41
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
ip dhcp snooping trust
!
interface Port-channel3 (port b1 on the diagram)
description = Trunk to Cisco SG500X =
switchport
switchport trunk native vlan 10
switchport trunk allowed vlan 10,40,41
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
ip dhcp snooping trust
!
interface TenGigabitEthernet1/7
description = to Cisco SG500X=
switchport trunk native vlan 10
switchport trunk allowed vlan 10,40,41
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
channel-group 3 mode on
ip dhcp snooping trust
!
interface TenGigabitEthernet1/8
description = to Cisco SG500X=
switchport trunk native vlan 10
switchport trunk allowed vlan 10,40,41
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
channel-group 3 mode on
ip dhcp snooping trust
!
interface TenGigabitEthernet1/9
description = to Cisco SG500X=
switchport trunk native vlan 10
switchport trunk allowed vlan 10,40,41
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
channel-group 3 mode on
ip dhcp snooping trust
!
interface TenGigabitEthernet1/10
description = to Cisco SG500X=
switchport trunk native vlan 10
switchport trunk allowed vlan 10,40,41
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
channel-group 3 mode on
ip dhcp snooping trust
!
interface TenGigabitEthernet1/15
description = to HP3500YL=
switchport trunk allowed vlan 10,41
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
channel-group 1 mode on
ip dhcp snooping trust
!
interface TenGigabitEthernet1/16
description = to HP3500YL=
switchport trunk allowed vlan 10,41
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
channel-group 1 mode on
ip dhcp snooping trust
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.10.10.254 255.255.255.0
!
interface Vlan40
description Gateway Servers
ip address 40.40.40.126 255.255.255.128
!
interface Vlan41
description Gateway Computers_ABK
ip dhcp relay information trusted
ip address 41.41.41.254 255.255.255.0
ip helper-address 40.40.40.1
!
ip forward-protocol nd
no ip forward-protocol udp
no ip forward-protocol udp tftp
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 20.20.20.2
!
end

========================================
HP3500yl

; J8693A Configuration Editor; Created on release #K.16.02.0021
no cdp enable 1-46
dhcp-snooping
dhcp-snooping authorized-server 40.40.40.1
no dhcp-snooping option 82
dhcp-snooping vlan 10 40 41
fault-finder broadcast-storm sensitivity high
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
fault-finder link-flap sensitivity high
trunk 47-48 trk1 trunk
port-security 1 learn-mode static
no stack
no web-management
web-management ssl
ip default-gateway 10.10.10.254
interface 1
broadcast-limit 5
flow-control
no power-over-ethernet
no energy-efficient-ethernet
exit
interface 47
broadcast-limit 10
flow-control
name "to_CISCO_4500X"
no power-over-ethernet
no energy-efficient-ethernet
exit
interface 48
broadcast-limit 10
flow-control
name "to_CISCO_4500X "
no power-over-ethernet
no energy-efficient-ethernet
exit
interface Trk1
dhcp-snooping trust
exit
lldp admin-status 1-46 disable
vlan 1
name "DEFAULT_VLAN"
no untagged 1-46,Trk1
no ip address
exit
vlan 10
name "Manage"
tagged Trk1
ip address 10.10.10.254 255.255.255.0
ip helper-address 40.40.40.1
exit
vlan 41
name "Computers"
untagged 1
tagged Trk1
no ip address
ip helper-address 40.40.40.1
exit
primary-vlan 10
management-vlan 10
spanning-tree 1 bpdu-filter bpdu-protection
spanning-tree Trk1 priority 4 bpdu-protection
no tftp server
loop-protect 1-46
loop-protect trap loop-detected
loop-protect disable-timer 60
no autorun
no dhcp config-file-update
no dhcp image-file-update
=================================
SG500X

config-file-header
v1.4.8.6 / R800_NIK_1_4_202_008
set system queues-mode 4
no spanning-tree
spanning-tree loopback-guard
spanning-tree bpdu filtering
port jumbo-frame
vlan database
default-vlan vlan 10
exit
vlan database
vlan 1,40,41
exit
voice vlan state disabled
port-channel load-balance src-dst-mac-ip
loopback-detection enable
errdisable recovery cause loopback-detection
errdisable recovery cause port-security
errdisable recovery cause acl-deny
errdisable recovery cause stp-bpdu-guard
errdisable recovery cause stp-loopback-guard
errdisable recovery cause udld
no eee enable
no boot host auto-config
no boot host auto-update
no bonjour enable
qos wrr-queue wrtd
no passwords complexity enable
no ip http server
no ip domain lookup
no service cpu-utilization
security-suite enable
security-suite dos protect add stacheldraht
security-suite dos protect add invasor-trojan
security-suite dos protect add back-orifice-trojan
security-suite deny martian-addresses reserved add
!
interface vlan 1
no ip address dhcp
shutdown
!
interface vlan 10
name Management
ip address 10.10.10.2 255.255.255.0
!
interface vlan 40
name Servers
!
interface vlan 41
name Computers
!
interface gigabitethernet1/1
no eee enable
flowcontrol auto
loopback-detection enable
description =to_DHCP=
ip arp inspection trust
ip dhcp snooping trust
gvrp vlan-creation-forbid
gvrp registration-forbid
storm-control broadcast enable
storm-control broadcast level 5
storm-control include-multicast unknown-unicast
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 2 mode on
switchport mode access
no lldp transmit
no lldp receive
lldp optional-tlv sys-name sys-desc sys-cap
lldp optional-tlv 802.1 pvid disable
lldp med disable
no eee lldp enable
no green-ethernet energy-detect
no cdp enable
!
interface gigabitethernet1/2
no eee enable
flowcontrol auto
loopback-detection enable
description =to_DHCP=
ip arp inspection trust
ip dhcp snooping trust
gvrp vlan-creation-forbid
gvrp registration-forbid
storm-control broadcast enable
storm-control broadcast level 5
storm-control include-multicast unknown-unicast
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 2 mode on
switchport mode access
no lldp transmit
no lldp receive
lldp optional-tlv sys-name sys-desc sys-cap
lldp optional-tlv 802.1 pvid disable
lldp med disable
no eee lldp enable
no green-ethernet energy-detect
no cdp enable
!
interface gigabitethernet1/3 (port a3 on the diagram)
no eee enable
flowcontrol auto
loopback-detection enable
description =to_PC=
ip source-guard
gvrp vlan-creation-forbid
gvrp registration-forbid
storm-control broadcast enable
storm-control broadcast level 5
storm-control include-multicast unknown-unicast
port security max 2
port security mode secure permanent
spanning-tree disable
spanning-tree portfast
spanning-tree bpduguard enable
switchport mode access
switchport access vlan 41
no lldp transmit
no lldp receive
lldp optional-tlv sys-name sys-desc sys-cap
lldp optional-tlv 802.1 pvid disable
lldp med disable
no eee lldp enable
no green-ethernet energy-detect
no cdp enable
!
interface tengigabitethernet1/1
flowcontrol on
negotiation
description =to_Cisco_4500X=
ip arp inspection trust
ip dhcp snooping trust
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast unknown-unicast
channel-group 1 mode on
lldp optional-tlv port-desc sys-name sys-cap 802.3-mac-phy 802.3-lag
lldp med enable network-policy location inventory
lldp management-address automatic
!
interface tengigabitethernet1/2
flowcontrol on
negotiation
description =to_Cisco_4500X=
ip arp inspection trust
ip dhcp snooping trust
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast unknown-unicast
channel-group 1 mode on
lldp optional-tlv port-desc sys-name sys-cap 802.3-mac-phy 802.3-lag
lldp med enable network-policy location inventory
lldp management-address automatic
!
interface tengigabitethernet1/3
flowcontrol on
negotiation
description =to_Cisco_4500X=
ip arp inspection trust
ip dhcp snooping trust
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast unknown-unicast
channel-group 1 mode on
lldp optional-tlv port-desc sys-name sys-cap 802.3-mac-phy 802.3-lag
lldp med enable network-policy location inventory
lldp management-address automatic
!
interface tengigabitethernet1/4
flowcontrol on
negotiation
description =to_Cisco_4500X=
ip arp inspection trust
ip dhcp snooping trust
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast unknown-unicast
channel-group 1 mode on
lldp optional-tlv port-desc sys-name sys-cap 802.3-mac-phy 802.3-lag
lldp med enable network-policy location inventory
lldp management-address automatic
!
interface Port-channel1 (port a2 on the diagram)
flowcontrol on
description =Trunk_to_Cisco_4500X=
ip arp inspection trust
ip dhcp snooping trust
spanning-tree guard root
spanning-tree bpduguard enable
switchport trunk allowed vlan add 40,41
!
interface Port-channel2 (port a1 on the diagram)
flowcontrol auto
description =Trunk_to_ABK2003=
ip arp inspection trust
ip dhcp snooping trust
spanning-tree portfast
switchport mode access
switchport access vlan 40
!
exit
macro auto disabled
ip dhcp snooping
ip dhcp snooping database
ip dhcp snooping vlan 40
ip dhcp snooping vlan 41
ip arp inspection
ip arp inspection validate
ip arp inspection vlan 1
ip arp inspection vlan 40
ip arp inspection vlan 41
ip source-guard
ip default-gateway 10.10.10.254
exit
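
Added example (not part of the original post): a Python check that cross-references the HP `dhcp-snoop` warning with the `authorized-server` list and the `ip helper-address` interfaces of the 4500X, to tell a relay of an authorized server apart from an unknown DHCP source. The function names and verdict strings are hypothetical; it assumes the switch matches the IP source address of server replies against the authorized list, and that a relayed reply reaches the client VLAN with the relay interface's address as its source.

```python
import re

# Excerpts copied from the post above; nothing here is queried from a live device.
HP_CONFIG = """\
dhcp-snooping
dhcp-snooping authorized-server 40.40.40.1
dhcp-snooping vlan 10 40 41
"""
CISCO_CONFIG = """\
interface Vlan40
ip address 40.40.40.126 255.255.255.128
!
interface Vlan41
ip dhcp relay information trusted
ip address 41.41.41.254 255.255.255.0
ip helper-address 40.40.40.1
!
"""
HP_LOG = ("User.Warning,10.10.10.3,00854 dhcp-snoop: backplane: "
          "Unauthorized server 41.41.41.254 detected on port Trk1\n")

def authorized_servers(hp_cfg):
    """Addresses listed in 'dhcp-snooping authorized-server' lines."""
    return set(re.findall(r"^\s*dhcp-snooping authorized-server (\S+)", hp_cfg, re.M))

def relay_interfaces(ios_cfg):
    """Map interface address -> (name, helper addresses) for interfaces that relay DHCP."""
    relays = {}
    for block in re.split(r"^!\s*$", ios_cfg, flags=re.M):
        name = re.search(r"^interface (\S+)", block, re.M)
        addr = re.search(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) ", block, re.M)
        helpers = re.findall(r"^\s*ip helper-address (\S+)", block, re.M)
        if name and addr and helpers:
            relays[addr.group(1)] = (name.group(1), helpers)
    return relays

def classify_drops(log, hp_cfg, ios_cfg):
    """Return (source ip, port, verdict) for every 'Unauthorized server' warning."""
    allowed, relays = authorized_servers(hp_cfg), relay_interfaces(ios_cfg)
    findings = []
    for ip, port in re.findall(r"Unauthorized server (\S+) detected on port (\S+)", log):
        if ip in allowed:
            verdict = "listed-as-authorized"
        elif ip in relays and set(relays[ip][1]) & allowed:
            verdict = "relay-for-authorized-server"  # source is the relay, not the server
        else:
            verdict = "unknown-source"  # neither the server nor a known relay: investigate
        findings.append((ip, port, verdict))
    return findings

print(classify_drops(HP_LOG, HP_CONFIG, CISCO_CONFIG))
```

A `relay-for-authorized-server` verdict means the dropped reply came from an interface that relays to a server already on the authorized list, so the authorized list has to account for the relay address as well; `unknown-source` is the case DHCP snooping exists to catch.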