已解决: dhcp snooping+IP source guard 问题

shizhenning1 · ‎05-24-2018

网络结构如下:

S1交换机本身作为DHCP Server,配置如下:

CoreSW#sh run
Building configuration...
Current configuration : 3521 bytes
!
! Last configuration change at 22:27:47 +8 Thu May 24 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname CoreSW
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone +8 18 35
!
!
!
!         
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool vlan1
 network 192.168.1.0 255.255.255.0
 dns-server 192.168.0.2 
 default-router 192.168.1.1 
 lease 0 4
!
ip dhcp pool vlan2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1 
 dns-server 192.168.0.2 
 lease 0 4
!
ip dhcp pool vlan3
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1 
!         
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!
!
!
!         
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 media-type rj45
 negotiation auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 ip dhcp relay information trusted
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
 ip dhcp relay information trusted
 ip address 192.168.3.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!

S2交换机配置如下:

HJSW#sh run
Building configuration...
Current configuration : 2836 bytes
!
! Last configuration change at 02:24:43 UTC Thu May 24 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname HJSW
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!         
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!
!
!
!         
!
!
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 media-type rj45
 negotiation auto
!         
ip forward-protocol nd
!
no ip http server
no ip http secure-server

S3作为接入交换机，配置如下:

JRSW# sh run
Building configuration...
Current configuration : 3060 bytes
!
! Last configuration change at 07:18:55 UTC Thu May 24 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
no service dhcp
!
hostname JRSW
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!         
!
!
!
!
ip dhcp snooping vlan 2-3
ip dhcp snooping
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
!         
!
!
!
!
!
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 media-type rj45
 negotiation auto
 ip dhcp snooping trust
!
interface GigabitEthernet0/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 media-type rj45
 negotiation auto
 ip verify source 
!
interface GigabitEthernet0/3
 switchport access vlan 3
 switchport mode access
 media-type rj45
 negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!

现象:
配置完毕后，S3交换机下的2口客户端PC 可以顺利获取到IP地址，但是ping不通内网。 3口下的客户端PC就正常。
哪里配置有问题呢？

suzhouxiaoniu · ‎05-24-2018

所以要问是不是模拟器环境，EVE还是有BUG的，GNS3和真机都配置过，不通实在不应该。只能怀疑BUG了。建议做测试，也要多用几种模拟器测试一下。

在原帖中查看解决方案

suzhouxiaoniu · ‎05-24-2018

所以要问是不是模拟器环境，EVE还是有BUG的，GNS3和真机都配置过，不通实在不应该。只能怀疑BUG了。建议做测试，也要多用几种模拟器测试一下。

nuningming · ‎05-24-2018

核心交换机开启ip routing,试下

shizhenning1 · ‎05-24-2018

ningming.lu 发表于 2018-5-24 16:08
核心交换机开启ip routing,试下

开着了是 2口下的PC 获取到IP地址后跟内网不通关闭掉 ip verify source 之后就通了不知咋回事

shizhenning1 · ‎05-24-2018

shizhenning 发表于 2018-5-24 16:24
开着了是 2口下的PC 获取到IP地址后跟内网不通关闭掉 ip verify source 之后就通了不知咋回事

3口没开启 ip verify source 获取IP地址就能ping通内网
看binding结果也都正常

JRSW#show ip dhcp  snooping 
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
2-3
DHCP snooping is operational on following VLANs:
2-3
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 5000.0002.0000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   
GigabitEthernet0/0         yes        yes             unlimited
  Custom circuit-ids:
JRSW#show ip dhcp  snooping bi
JRSW#show ip dhcp  snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      10524       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      82651       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#show ip sou bin
JRSW#show ip sou binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      10520       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      82646       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2

suzhouxiaoniu · ‎05-24-2018

你把通和不通两种情况下的show ip verify source贴出来

shizhenning1 · ‎05-24-2018

suzhouxiaoniu 发表于 2018-5-24 18:07
你把通和不通两种情况下的show ip verify source贴出来

不通的情况下（启用ip verify source）:

JRSW#show ip source binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14382       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      75304       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#show ip dhcp sn bin
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14374       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      75296       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#show run int gi0/2
Building configuration...
Current configuration : 139 bytes
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 media-type rj45
 negotiation auto
 ip verify source
end

通的情况下(禁用ip verify source):

JRSW#show ip source binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14367       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      75464       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#show ip djh
JRSW#show ip dh 
JRSW#show ip dhcp  sn
JRSW#show ip dhcp  snooping bin
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14361       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      75458       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#show run int gi0/2
Building configuration...
Current configuration : 121 bytes
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 media-type rj45
 negotiation auto
end

shizhenning1 · ‎05-24-2018

suzhouxiaoniu 发表于 2018-5-24 18:07
你把通和不通两种情况下的show ip verify source贴出来

不通的情况下（启用ip verify source）:

JRSW#show ip source binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14382       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      75304       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#show ip dhcp sn bin
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14374       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      75296       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#show run int gi0/2
Building configuration...
Current configuration : 139 bytes
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 media-type rj45
 negotiation auto
 ip verify source
end

通的情况下(关闭ip verify source ):

JRSW#show ip sou bind
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14221       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      75143       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#sho ip dhc sn bin
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14216       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      75138       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#sh run int gi0/2
Building configuration...
Current configuration : 121 bytes
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 media-type rj45
 negotiation auto
end

shizhenning1 · ‎05-24-2018

通的情况下(关闭ip verify source):

JRSW#show ip sou bind
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14221       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      75143       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#sho ip dhc sn bin
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14216       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      75138       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#sh run int gi0/2
Building configuration...
Current configuration : 121 bytes
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 media-type rj45
 negotiation auto
end

不通的情况下（启用Ip verify source）:

JRSW#sh ip sou bin
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14391       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      74962       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#sho ip dhc sn b  
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14380       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      74951       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#sh run in gi0/2
Building configuration...
Current configuration : 139 bytes
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 media-type rj45
 negotiation auto
 ip verify source
end

shizhenning1 · ‎05-24-2018

各位大神劳烦给分析下

shizhenning1 · ‎05-24-2018

本帖最后由 shizhenning 于 2018-5-25 10:22 编辑
各路大神都给看看啊

shizhenning1 · ‎05-24-2018

suzhouxiaoniu 发表于 2018-5-24 18:07
你把通和不通两种情况下的show ip verify source贴出来

不同的情况下(开启ip verify source):

JRSW# sh ip sou bin
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14345       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      64196       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#sh ip dhc sn bi
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14339       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      64191       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#sh run int g0/2
Building configuration...
Current configuration : 139 bytes
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 media-type rj45
 negotiation auto
 ip verify source
end

shizhenning1 · ‎05-24-2018

suzhouxiaoniu 发表于 2018-5-24 18:07
你把通和不通两种情况下的show ip verify source贴出来

通的情况下(关闭ip verify source):

JRSW#
JRSW#sh ip sou bind
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14235       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      64086       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#sh ip  dhc sn b
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:50:79:66:68:04   192.168.2.5      14225       dhcp-snooping   2     GigabitEthernet0/2
00:50:79:66:68:03   192.168.3.2      64076       dhcp-snooping   3     GigabitEthernet0/3
Total number of bindings: 2
JRSW#sh run in g0/2
Building configuration...
Current configuration : 121 bytes
!
interface GigabitEthernet0/2
 switchport access vlan 2
 switchport mode access
 media-type rj45
 negotiation auto
end

大神帮忙分析下

shizhenning1 · ‎05-24-2018

suzhouxiaoniu 发表于 2018-5-24 18:07
你把通和不通两种情况下的show ip verify source贴出来

不通的情况下：

JRSW#show ip ver source 
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/2      ip           active       192.168.2.5                         2

通的情况下:

JRSW#sho ip ver source 
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----

suzhouxiaoniu · ‎05-27-2018

从配置结果看，没有问题，IPSG启动后，检查 snooping表项，而且看到2.5都是匹配的的。这个是比较简单的配置，为什么不通？我也很感兴趣，一起讨论一下：
1：内网不通，你指的是同一个VLAN，还是不同的VLAN，因为你图示中，2口下是VLAN2 ，3口下是VLAN3。你的测试是在VLAN2内部测试不通？还是VLAN间的测试？
2：IPSG如果配置到接口3下，是否导致VLAN3内网也不通【排除故障域】
3：尝试配置静态表项，看是否能通？
ip source binding Mac地址 vlan X IP地址 interface 端口【就是端口2的表项】
4：你现在的环境是真机环境，还是模拟器环境？
5：交换机具体型号和IOS版本是？【官网BUG库查询】