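This post was last edited by 碧云天 on 2020-4-16 23:27
I. Overview
By default, a DHCP client does not include option 82 in the DHCP Discover packets it sends; the option is inserted automatically only when the switch has DHCP snooping enabled. With DHCP snooping enabled, the inserted option 82 carries information about the switch interface that first received the DHCP Discover, and a suitably configured DHCP server can use that information to assign a specified IP address to whatever device is connected to that interface. Below is a configuration test in which a Cisco router acts as the DHCP server and uses DHCP option 82 to assign fixed IP addresses to devices connected to specified switch interfaces. If the DHCP server is a Linux device, see the following link for configuration: https://www.jianshu.com/p/e02e4da6922f
Test topology:
[Figure: test topology, 231938s5viyrojrv6v263p.png]
Requirements:
1. The device connected to SW1 interface E0/1 obtains the IP address 192.168.10.18
2. The device connected to SW1 interface E0/3 obtains the IP address 192.168.20.18
Test summary:
1. DHCP snooping causes problems with DHCP relay
--- DHCP relay works normally for devices connected directly to the switch itself; the problem occurs for requests that arrive over the trunk and need to be relayed. In the figure above, if SW2 is configured as the relay, it works normally.
2. If a DHCP address pool is configured with classes but without a wildcard class, devices connected to switch interfaces that no class matches cannot obtain an IP address.
II. Basic configuration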
1.DHCPserver

hostname DHCPserver
interface Ethernet0/0
ip address 192.168.10.8 255.255.255.0
no shutdown
ip dhcp excluded-address 192.168.10.8
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.20.254
ip dhcp pool vlan10Pool
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
ip dhcp pool vlan20Pool
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
ip route 0.0.0.0 0.0.0.0 192.168.10.254
Note: the default route must be configured; otherwise the server receives the requests forwarded by the DHCP relay but does not reply.
2.SW1
hostname SW1
vlan 10
vlan 20
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
interface range Ethernet0/1-2
switchport mode access
switchport access vlan 10
interface range Ethernet0/3
switchport mode access
switchport access vlan 20
interface Vlan10
ip address 192.168.10.254 255.255.255.0
no shutdown
interface Vlan20
ip address 192.168.20.254 255.255.255.0
no shutdown
ip helper-address 192.168.10.8
3.SW2
hostname SW2
vlan 10
vlan 20
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
interface range Ethernet0/1
switchport mode access
switchport access vlan 10
interface range Ethernet0/2
switchport mode access
switchport access vlan 20
4. Verify that DHCP and DHCP relay work normally
① Client1 obtains an IP address normally

Client1(config)#int e0/0
Client1(config-if)#ip address dhcp
Client1(config-if)#no shutdown
Client1(config-if)#
*Apr 16 06:26:49.838: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Apr 16 06:26:50.845: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Client1(config-if)#
*Apr 16 06:29:16.314: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 192.168.10.1, mask 255.255.255.0, hostname Client1
Client1(config-if)#
② Client2 obtains an IP address normally
Client2(config)#int e0/0
Client2(config-if)#no shutdown
Client2(config-if)#
*Apr 16 06:37:31.964: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Apr 16 06:37:32.967: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Client2(config-if)#
*Apr 16 06:39:06.786: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 192.168.20.1, mask 255.255.255.0, hostname Client2
Client2(config-if)#
③ Client4 obtains an IP address normally
Client4(config)#int e0/0
Client4(config-if)#no sh
Client4(config-if)#no shutdown
*Apr 16 06:42:07.665: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Apr 16 06:42:08.674: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Client4(config-if)#
*Apr 16 06:43:11.891: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 192.168.20.2, mask 255.255.255.0, hostname Client4
Client4(config-if)#
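Note: at this point, a Wireshark capture on the e0/0 interface of DHCPserver shows that the DHCP Discover packets do not contain option 82.
III. Configure DHCP snooping on the switches
1. Enable DHCP snooping globally on the switches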

SW1(config)#ip dhcp snooping
SW2(config)#ip dhcp snooping
2. Configure the storage location of the local DHCP snooping database (the clock must be set beforehand)
SW1(config)#clock timezone GMT +8
SW1(config)#do clock set 14:50:00 16 Apr 2020
SW1(config)#ip dhcp snooping database unix:/dhcp.db
SW2(config)#clock timezone GMT +8
SW2(config)#do clock set 14:50:00 16 Apr 2020
SW2(config)#ip dhcp snooping database unix:/dhcp.db
3. Configure the port connected to the legitimate DHCP server and the trunk interfaces as trusted
SW1(config)#int rang e0/0,E0/2
SW1(config-if-range)#ip dhcp snooping trust
SW2(config)#int e0/0
SW2(config-if)#ip dhcp snooping trust
4. Configure DHCP rate limiting on the untrusted ports
SW1(config)#int rang e0/1,e0/3
SW1(config-if)#ip dhcp snooping limit rate 3
SW2(config)#int range e0/1-2
SW2(config-if-range)#ip dhcp snooping limit rate 3
5. Enable DHCP snooping in specific VLANs
SW1(config)#ip dhcp snooping vlan 10,20
SW2(config)#ip dhcp snooping vlan 10,20
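6. Verify
At this point no client can obtain an IP address; a Wireshark capture on the e0/0 interface of DHCPserver shows that the DHCP Discover packets contain option 82.
7. Configure the DHCP server to trust option 82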
DHCPserver(config)#ip dhcp relay information trust-all
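8. Verify again
Now Client1 and Client2 obtain IP addresses normally, but Client4 cannot. A packet capture shows that this is because SW1 does not forward Client4's DHCP Discover to DHCPserver at all; after DHCP snooping is disabled on SW1, Client4 obtains an IP address normally, which shows that DHCP snooping affects the normal operation of DHCP relay.
IV. Assign the same IP address to the device on a specified switch interface
1. Configure the DHCP classes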

ip dhcp class Client1
relay agent information
relay-information hex 01060004000a000102080006aabbcc001000
ip dhcp class Client2
relay agent information
relay-information hex 010600040014000302080006aabbcc001000
ip dhcp class any1
relay agent information
relay-information hex 0106000400*
ip dhcp class any2
relay agent information
relay-information hex 0106000400*
Note: the relay-information value can be obtained on the DHCP server with debug ip dhcp server class; a catch-all class must first be configured in the address pool.
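The two relay-information hex strings above can also be decoded, or rebuilt for another port, without the debug output. The following is an added example, not part of the original post; it assumes the Cisco default DHCP snooping layout of option 82 (RFC 3046 sub-options 1 and 2), and the function names and the prefix model of the `*` wildcard are assumptions made for illustration.

```python
# Added example: decode/build the option 82 payload used in "relay-information hex".
# Assumed layout: Cisco default DHCP snooping format (RFC 3046 sub-options 1 and 2).

CLIENT1_HEX = "01060004000a000102080006aabbcc001000"  # from the page (class Client1)
CLIENT2_HEX = "010600040014000302080006aabbcc001000"  # from the page (class Client2)


def parse_option82(hex_str):
    """Return VLAN/module/port and switch MAC carried in an option 82 payload."""
    data = bytes.fromhex(hex_str)
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d shorter than its length byte" % code)
        i += 2 + length
        if code == 1 and length == 6 and value[:2] == b"\x00\x04":
            # Circuit ID: type 0, len 4, VLAN (2 bytes), module, port
            out["vlan"] = int.from_bytes(value[2:4], "big")
            out["module"], out["port"] = value[4], value[5]
        elif code == 2 and length == 8 and value[:2] == b"\x00\x06":
            # Remote ID: type 0, len 6, MAC address of the inserting switch
            out["remote_mac"] = ":".join("%02x" % b for b in value[2:8])
        else:
            out.setdefault("unknown", []).append((code, value.hex()))
    return out


def build_option82(vlan, module, port, switch_mac):
    """Build the hex string for one switch port (inverse of parse_option82)."""
    mac = bytes.fromhex(switch_mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(mac) != 6 or not 1 <= vlan <= 4094:
        raise ValueError("bad MAC or VLAN")
    circuit = b"\x00\x04" + vlan.to_bytes(2, "big") + bytes([module, port])
    remote = b"\x00\x06" + mac
    return (bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote).hex()


def class_matches(pattern, payload_hex):
    """Model of a class pattern (assumption): exact hex, or a prefix if it ends in '*'."""
    pattern, payload_hex = pattern.lower(), payload_hex.lower()
    if pattern.endswith("*"):
        return payload_hex.startswith(pattern[:-1])
    return pattern == payload_hex


if __name__ == "__main__":
    for h in (CLIENT1_HEX, CLIENT2_HEX):
        print(h, parse_option82(h), class_matches("0106000400*", h))
```

Decoding shows that the class key is the VLAN, the port and the switch MAC, not anything sent by the client, which is why the addresses follow the switch port when the cables are swapped later in the test.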
2. Modify the existing DHCP pools to reference the DHCP classes
ip dhcp pool vlan10Pool
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
class Client1
address range 192.168.10.18 192.168.10.18
class any1
address range 192.168.10.1 192.168.10.17
class any2
address range 192.168.10.19 192.168.10.253
ip dhcp pool vlan20Pool
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
class Client2
address range 192.168.20.18 192.168.20.18
class any1
address range 192.168.20.1 192.168.20.17
class any2
address range 192.168.20.19 192.168.20.253
3. Verify
① Client1 obtains the IP address preset earlier
Client1(config)#int e0/0
Client1(config-if)#shutdown
Client1(config-if)#no shutdown
Client1(config-if)#
*Apr 16 07:25:15.769: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 192.168.10.18, mask 255.255.255.0, hostname Client1
Client1(config-if)#
② Client2 also obtains the IP address preset earlier
Client2(config)#int e0/0
Client2(config-if)#shutdown
Client2(config-if)#no shutdown
Client2(config-if)#
*Apr 16 07:32:00.263: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Apr 16 07:32:01.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Client2(config-if)#
*Apr 16 07:32:04.381: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 192.168.20.18, mask 255.255.255.0, hostname Client2
Client2(config-if)#
③ Client3 can also obtain an IP address
Client3(config)#int e0/0
Client3(config-if)#ip address dhcp
Client3(config-if)#no shutdown
Client3(config-if)#
*Apr 16 14:45:50.850: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
Client3(config-if)#
*Apr 16 14:45:51.859: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Client3(config-if)#
*Apr 16 14:46:59.453: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 192.168.10.2, mask 255.255.255.0, hostname Client3
Client3(config-if)#
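Note: if no wildcard class is configured in the address pool, devices connected to interfaces for which no relay-information is specified cannot obtain an IP address.
④ Save the configuration, stop all devices, then swap the SW1 interfaces to which Client1 and Client2 are connected
-- As shown, the addresses of Client1 and Client2 have swapped compared with before, from which it can be confirmed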
Client1(config)#int e0/0
Client1(config-if)#shutdown
Client1(config-if)#no shutdown
*Apr 16 15:00:14.566: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Apr 16 15:00:15.572: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Client1(config-if)#
*Apr 16 15:00:18.747: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 192.168.20.18, mask 255.255.255.0, hostname Client1
Client1(config-if)#
Client2(config)#int e0/0
Client2(config-if)#shutdown
*Apr 16 14:57:09.910: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
*Apr 16 14:57:10.914: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
Client2(config-if)#no shutdown
*Apr 16 14:57:39.118: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*Apr 16 14:57:40.124: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
Client2(config-if)#
*Apr 16 15:00:04.117: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/0 assigned DHCP address 192.168.10.18, mask 255.255.255.0, hostname Client2
Client2(config-if)#