I am trying to implement DHCP snooping on my switches, and I have found that when I do, it kills the clients' DHCP connectivity. The network looks like this:

Currently, a server with DNS is providing DHCP to 2 (60 & 70) of the 5 (20, 30, 40, 50, 60 and 70) VLANs on the system. The server is plugged into switch A with an Ethernet cable, with VLANs separated to support the various networks.
Switch A does not have ip dhcp snooping enabled. Switch A connects to switch B via fiber, trunking all 5 VLANs.
Switch B is where I started this configuration; I will enable ip dhcp snooping there because it is downstream and will cause the least impact.
The client is a domain-joined machine on VLAN 70 with a valid DHCP lease and address. The client is plugged into switch B with an Ethernet cable.
When DHCP snooping is enabled on switch B, the client plugged into switch B loses its IP address and DHCP will not issue one.
The switch gives no DHCP snooping or deny errors, nor any information about the port the client is plugged into, other than the port going up or down when the cable is unplugged.
Is the client losing its address or its access to DHCP because ip dhcp snooping is not enabled on switch A, and ip arp inspection does not set the port the DHCP server is plugged into on switch A as trusted? If not, why is the client not getting a DHCP address?
Update 1: Enabled trust on the switch A port that the DHCP server is plugged into. Ran the command ip dhcp snooping vlan 30 for DHCP. The port on switch A stopped working before I even got to switch B. Config as follows:
!
! Last configuration change at 19:07:51 UTC Tue Mar 9 2021
! NVRAM config last updated at 19:07:55 UTC Tue Mar 9 2021
!
version 16.12
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname SWITCH
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 4096 informational
logging console notifications
enable secret 9 ###############
enable password 7 #################
!
aaa new-model
!
!
aaa group server radius INSTRU-NET
server-private 192.168.0.1 auth-port 1812 acct-port 1813 key 7 ###########################
server-private 192.168.0.2 auth-port 1812 acct-port 1813 key 7 ###########################
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authentication webauth default group radius local
aaa authorization console
aaa authorization exec default group RADIUS local if-authenticated
!
!
!
!
!
!
aaa session-id common
boot system switch all flash:packages.conf
clock timezone UTC -4 0
clock calendar-valid
switch 1 provision c9300-24t
!
!
!
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip name-server 192.168.0.1 192.168.0.2
ip name-server vrf Mgmt-vrf 192.168.0.1
ip domain name DOMAIN.COM
!
ip dhcp pool PRODUCTION
network 162.168.5.0 255.255.254.0
!
!
!
ip dhcp snooping
login on-failure log
login on-success log
!
!
!
!
!
no device-tracking logging theft
!
crypto pki trustpoint TP-self-signed-1367883796
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1367883796
revocation-check none
rsakeypair TP-self-signed-1367883796
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1367883796
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
crypto pki certificate chain SLA-TrustPoint
certificate ca 01 nvram:CiscoLicensi#1CA.cer
!
license boot level network-essentials addon dna-essentials
license smart reservation
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
memory free low-watermark processor 134335
!
username Netadmin privilege 15 password 7 ################
!
redundancy
mode sso
!
!
!
!
!
transceiver type all
monitoring
!
!
class-map match-any system-cpp-police-ewlc-control
description EWLC Control
class-map match-any system-cpp-police-topology-control
description Topology control
class-map match-any system-cpp-police-sw-forward
description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any system-cpp-default
description EWLC Data, Inter FED Traffic
class-map match-any system-cpp-police-sys-data
description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
description L2 LVX control packets
class-map match-any system-cpp-police-forus
description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
description High Rate Applications
class-map match-any system-cpp-police-multicast
description MCAST Data
class-map match-any system-cpp-police-l2-control
description L2 control
class-map match-any system-cpp-police-dot1x-auth
description DOT1X Auth
class-map match-any system-cpp-police-data
description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
description DHCP snooping
class-map match-any system-cpp-police-ios-routing
description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map system-cpp-policy
policy-map QOS_POLICY_SWITCHPORT
class class-default
bandwidth percent 25
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet1/0/1
switchport access vlan 20
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/2
switchport access vlan 3
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/3
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
ip dhcp snooping limit rate 200
ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
ip dhcp snooping limit rate 20
ip dhcp snooping trust
!
interface GigabitEthernet1/0/5
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/6
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/7
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/8
description Disabled
switchport access vlan 100
switchport mode access
switchport block unicast
shutdown
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/9
description Disabled
switchport access vlan 100
switchport mode access
switchport block unicast
shutdown
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/10
description Disabled
switchport access vlan 100
switchport mode access
switchport block unicast
shutdown
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/11
description Disabled
switchport access vlan 100
switchport mode access
switchport block unicast
shutdown
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/12
description Disabled
switchport access vlan 100
switchport mode access
switchport block unicast
shutdown
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/13
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/14
switchport access vlan 100
switchport mode access
switchport block unicast
shutdown
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/15
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/16
switchport access vlan 100
switchport mode access
switchport block unicast
shutdown
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/17
switchport access vlan 3
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/18
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/19
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/20
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/21
switchport access vlan 30
switchport mode access
switchport block unicast
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/22
switchport access vlan 100
switchport mode access
switchport block unicast
shutdown
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/23
description Disabled
switchport access vlan 100
switchport mode access
switchport block unicast
shutdown
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/0/24
description Disabled
switchport access vlan 100
switchport mode access
switchport block unicast
shutdown
storm-control broadcast level bps 20m
storm-control unicast level bps 62m
spanning-tree bpduguard enable
ip verify source
!
interface GigabitEthernet1/1/1
description Disabled
switchport access vlan 100
switchport trunk native vlan 100
switchport mode access
shutdown
!
interface GigabitEthernet1/1/2
description Disabled
switchport access vlan 100
switchport mode access
shutdown
!
interface GigabitEthernet1/1/3
description Disabled
switchport access vlan 100
switchport mode access
shutdown
!
interface GigabitEthernet1/1/4
description Disabled
switchport access vlan 100
switchport mode access
shutdown
!
interface TenGigabitEthernet1/1/1
switchport trunk native vlan 11
switchport trunk allowed vlan 20-70
switchport mode trunk
switchport nonegotiate
udld port aggressive
service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/2
switchport trunk native vlan 110
switchport trunk allowed vlan 20,30,60,70
switchport mode trunk
switchport nonegotiate
udld port aggressive
service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/3
switchport trunk native vlan 110
switchport trunk allowed vlan 20-40
switchport mode trunk
switchport nonegotiate
udld port aggressive
service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/4
description Disabled
switchport access vlan 100
switchport mode access
switchport nonegotiate
shutdown
udld port aggressive
service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/5
description Disabled
switchport access vlan 100
switchport mode access
switchport nonegotiate
shutdown
udld port aggressive
service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/6
description Disabled
switchport access vlan 100
switchport mode access
switchport nonegotiate
shutdown
udld port aggressive
service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/7
description Disabled
switchport access vlan 100
switchport mode access
switchport nonegotiate
shutdown
udld port aggressive
service-policy output QOS_POLICY_SWITCHPORT
!
interface TenGigabitEthernet1/1/8
description Disabled
switchport access vlan 100
switchport mode access
switchport nonegotiate
shutdown
udld port aggressive
service-policy output QOS_POLICY_SWITCHPORT
!
interface FortyGigabitEthernet1/1/1
description Disabled
switchport access vlan 100
switchport mode access
shutdown
!
interface FortyGigabitEthernet1/1/2
description Disabled
switchport access vlan 100
switchport mode access
shutdown
!
interface TwentyFiveGigE1/1/1
description Disabled
switchport access vlan 100
switchport mode access
shutdown
!
interface TwentyFiveGigE1/1/2
description Disabled
switchport access vlan 100
switchport mode access
shutdown
!
interface AppGigabitEthernet1/0/1
!
interface Vlan1
no ip address
shutdown
!
interface Vlan20
ip address 192.168.0.50 255.255.255.0
!
interface Vlan30
no ip address
!
interface Vlan40
no ip address
!
interface Vlan50
no ip address
!
interface Vlan60
no ip address
!
interface Vlan70
no ip address
!
interface Vlan100
no ip address
!
interface Vlan110
no ip address
!
ip forward-protocol nd
no ip http server
ip http authentication aaa login-authentication default
ip http secure-server
ip tftp source-interface Vlan2
ip ssh time-out 60
ip ssh version 2
ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-cbc aes192-cbc aes256-cbc
ip scp server enable
!
!
logging trap debugging
logging host 1.1.1.1
logging host 192.168.0.1
ip access-list standard 3
50 permit 192.168.0.1 log
10 permit 192.168.0.2 log
40 permit 192.168.0.100 log
20 permit 192.168.0.101 log
30 permit 192.168.0.102 log
60 deny any log
!
!
!
radius server SERVER01
address ipv4 192.168.0.1 auth-port 1645 acct-port 1646
key 7 ###############################
!
radius server SERVER01
address ipv4 192.168.0.2 auth-port 1645 acct-port 1646
key 7 ###############################
!
!
control-plane
service-policy input system-cpp-policy
!
!
line con 0
stopbits 1
line vty 0 4
access-class 3 in
password 7 #######################
length 0
transport input ssh
line vty 5 15
password 7 #######################
transport input ssh
!
ntp authentication-key 1 md5 ############################ 7
ntp authenticate
ntp server 192.168.0.10 prefer
!
!
!
!
!
!
end
Posted on 2021-03-03 13:42:00
If you only enable DHCP snooping, the switch starts monitoring and filtering (!) DHCP traffic.
If you do not also set trust for the server-facing port (or the server IP address, depending on the exact switch model), DHCP stops working.
You need to trust the trunk to switch A to re-enable DHCP.
Posted on 2021-03-10 16:32:26
For Windows PCs and a Windows DHCP server, the following global commands need to be included:
no ip dhcp snooping information option
no ip dhcp snooping verify mac-address
no ip dhcp snooping verify no-relay-agent-address
https://networkengineering.stackexchange.com/questions/72820
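As an added example (not from the question or either answer), here is how the two answers combine into an IOS configuration for switch B, assuming TenGigabitEthernet1/1/1 is the fiber trunk toward switch A and that the DHCP server sits behind it:

```cisco
! Global: enable snooping and scope it to the VLANs the trunk carries.
! "ip dhcp snooping" alone, with no VLAN list, snoops nothing.
ip dhcp snooping
ip dhcp snooping vlan 20,30,40,50,60,70
! Windows DHCP clients/server (second answer): do not insert option 82,
! and do not drop packets whose chaddr or giaddr fails the strict checks.
no ip dhcp snooping information option
no ip dhcp snooping verify mac-address
no ip dhcp snooping verify no-relay-agent-address
!
! Uplink toward switch A (assumed: Te1/1/1). DHCPOFFER/DHCPACK from the
! server arrive on this port, so it must be trusted or they are dropped.
interface TenGigabitEthernet1/1/1
 ip dhcp snooping trust
!
! Client-facing access port: untrusted, with a modest rate limit so a
! flooding client err-disables only its own port. Only a port with the
! DHCP server directly behind it should ever be trusted; a trusted
! access port is where a rogue DHCP server would be accepted.
interface GigabitEthernet1/0/3
 no ip dhcp snooping trust
 ip dhcp snooping limit rate 20
!
! Verification after the change.
show ip dhcp snooping
show ip dhcp snooping statistics
show ip dhcp snooping binding
show ip verify source
```

Check the binding table before assuming the fix is complete: the posted config also applies ip verify source on every access port, and IP Source Guard permits only DHCP traffic on a port until a snooping binding exists for the host on it, so a client with no binding entry cannot pass any other IP traffic even with a valid lease.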