
DHCP snooping combined with IP Source Guard: the client obtains an IP address, but the network is unreachable

shizhenning1
Level 1
Topology:
[image: 104717wh10hmiv0gib0w5a.png]
Configuration:
Switch S1 itself acts as the DHCP server:
CoreSW#sh run
Building configuration...
Current configuration : 3521 bytes
!
! Last configuration change at 22:27:47 +8 Thu May 24 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname CoreSW
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool vlan1
network 192.168.1.0 255.255.255.0
dns-server 192.168.0.2
default-router 192.168.1.1
lease 0 4
!
ip dhcp pool vlan2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.0.2
lease 0 4
!
ip dhcp pool vlan3
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport mode access
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
ip dhcp relay information trusted
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip dhcp relay information trusted
ip address 192.168.3.1 255.255.255.0
Switch S2 configuration:
HJSW#sh run
Building configuration...
Current configuration : 2836 bytes
!
! Last configuration change at 02:24:43 UTC Thu May 24 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname HJSW
!
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server

Access switch S3 configuration:
JRSW# sh run
Building configuration...
Current configuration : 3060 bytes
!
! Last configuration change at 07:18:55 UTC Thu May 24 2018
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
no service dhcp
!
hostname JRSW
!
ip dhcp snooping vlan 2-3
ip dhcp snooping
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
ip dhcp snooping trust
!
interface GigabitEthernet0/1
media-type rj45
negotiation auto
!
interface GigabitEthernet0/2
switchport access vlan 2
switchport mode access
media-type rj45
negotiation auto
ip verify source
!
interface GigabitEthernet0/3
switchport access vlan 3
switchport mode access
media-type rj45
negotiation auto
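After port 2 is enabled on the access switch, the PC obtains an IP address normally, but once it has the address it cannot ping the gateway or the internal network.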
JRSW#show ip ver source 
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
Gi0/2 ip active 192.168.2.5 2
JRSW#sh ip sou bin
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:50:79:66:68:04 192.168.2.5 14391 dhcp-snooping 2 GigabitEthernet0/2
00:50:79:66:68:03 192.168.3.2 74962 dhcp-snooping 3 GigabitEthernet0/3
Total number of bindings: 2
JRSW#sho ip dhc sn b
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:50:79:66:68:04 192.168.2.5 14380 dhcp-snooping 2 GigabitEthernet0/2
00:50:79:66:68:03 192.168.3.2 74951 dhcp-snooping 3 GigabitEthernet0/3
Total number of bindings: 2
JRSW#sh run in gi0/2
Building configuration...
Current configuration : 139 bytes
!
interface GigabitEthernet0/2
switchport access vlan 2
switchport mode access
media-type rj45
negotiation auto
ip verify source
end
After disabling ip verify source, ping works. Is something wrong in the configuration?
RSW#sho ip ver source 
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
JRSW#
JRSW#sh ip sou bind
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:50:79:66:68:04 192.168.2.5 14235 dhcp-snooping 2 GigabitEthernet0/2
00:50:79:66:68:03 192.168.3.2 64086 dhcp-snooping 3 GigabitEthernet0/3
Total number of bindings: 2
JRSW#sh ip dhc sn b
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:50:79:66:68:04 192.168.2.5 14225 dhcp-snooping 2 GigabitEthernet0/2
00:50:79:66:68:03 192.168.3.2 64076 dhcp-snooping 3 GigabitEthernet0/3
Total number of bindings: 2
JRSW#sh run in g0/2
Building configuration...
Current configuration : 121 bytes
!
interface GigabitEthernet0/2
switchport access vlan 2
switchport mode access
media-type rj45
negotiation auto
end

Experts, please help take a look. Thanks.
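1 accepted solution

Accepted solution

suzhouxiaoniu
Spotlight
Also, please confirm: after IPSG was configured, did the endpoint re-obtain its address? [Re-initiate the DHCP process]
[It should not be the case that the endpoint had already obtained its address and the IPSG configuration was added afterwards]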
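
An added example, not part of the original thread: a Python check for the question the accepted answer asks, cross-checking `show ip verify source` against `show ip dhcp snooping binding`. The sample tables are copied from the JRSW output in the question; the function names are hypothetical, and the handling of `deny-all` and `inactive-*` rows (values IOS prints when a port has no binding or the filter is not enforced) goes beyond the single case shown in the thread.

```python
import re

# Sample input: copied from the JRSW output in the question above
# (state while "ip verify source" was enabled on Gi0/2).
VERIFY_SOURCE = """\
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----
Gi0/2 ip active 192.168.2.5 2
"""
BINDINGS = """\
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:50:79:66:68:04 192.168.2.5 14391 dhcp-snooping 2 GigabitEthernet0/2
00:50:79:66:68:03 192.168.3.2 74962 dhcp-snooping 3 GigabitEthernet0/3
"""

def short_if(name):
    """Normalise 'GigabitEthernet0/2' and 'Gi0/2' to the same key (hypothetical helper)."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(\d.*)", name)
    return (m.group(1).capitalize() + m.group(2)) if m else name

def parse_bindings(text):
    """Return {(interface, vlan): {ip, ...}} from the snooping binding table."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and re.fullmatch(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", f[0]):
            table.setdefault((short_if(f[5]), f[4]), set()).add(f[1])
    return table

def audit_ipsg(verify_text, binding_text):
    """Compare each 'show ip verify source' row with the snooping bindings."""
    bindings = parse_bindings(binding_text)
    findings = []
    for line in verify_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[1] not in ("ip", "ip-mac"):
            continue  # header, separator or blank line
        port, mode = short_if(f[0]), f[2]
        if mode != "active":
            findings.append((port, "filter not enforced: " + mode))
        elif f[3] == "deny-all":
            findings.append((port, "no binding: all IP dropped until the client renews DHCP"))
        elif f[3] not in bindings.get((port, f[-1]), set()):
            findings.append((port, "permitted IP %s has no matching binding" % f[3]))
        else:
            findings.append((port, "consistent"))
    return findings
```

On the output posted in the question the check returns `consistent` for Gi0/2: the filter and the binding agree, so a missing or stale binding is not what is dropping the traffic.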


4 replies


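shizhenning1
Level 1
suzhouxiaoniu posted on 2018-5-28 11:25
Also, please confirm: after IPSG was configured, did the endpoint re-obtain its address? [Re-initiate the DHCP process]
[It should not be the case that the endpoint had already obtained its addr ...

The address was re-obtained.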

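shizhenning1
Level 1
shizhenning posted on 2018-5-28 13:44
The address was re-obtained.

No need to look any further; it should be a problem with the emulator. This configuration works normally in production. Thanks!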

bo chen
Spotlight
no ip cef on all devices. It's an EVE-NG bug!