而且整個網段, 通常會"部分取得正確, 部分取得錯誤". 我相信很多網管工作者都有遇到過這種窘境.
如何防範, 其實在各位的 Cisco 2950 以上的 Switch 就支援的 DHCP Snooping 功能, 正是為了解決這個問題而來的! 打開以後, 不管再有誰做這種事, 也不會發生錯誤取得IP位址的問題!
DHCP Snooping 的原理簡單的來說, Switch 會監看 DHCP 的活動, 就是只允許指定的部分 Switch Port 放行 DHCP伺服器的回應封包, 其他的一律不准. 所以只會取得指定 Server 回應的 DHCP 內容.
注意: 有一點很重要, 如果 DHCP Server 不是接在本 Switch 時, Uplink port 請務必要允許 DHCP Server 回應, 不然整台 Switch 上的 PC 都會收不到動態的 IP位址資訊!
另外, 因為設定過程會影響 DHCP 運作, 建議最好是在下班時間再啟動這個功能!
以下是典型的設定:
! Global, 啟動 DHCP Snooping, 這行一定要
ip dhcp snooping
! 假設只對 VLAN 100 和 VLAN 200 作 DHCP 設限, 這行也一定要
ip dhcp snooping vlan 100 200
! DHCP Server 埠, 或是 Uplink, 這點很重要, 不然會全部都收不到!
interface GigabitEthernet0/1
ip dhcp trust
! 一般使用者埠, 這是預設值, 可以不用下
interface FastEthernet 0/1
no ip dhcp trust
[Reference]
DHCP Snooping Configuration Guidelines section of Configuring DHCP Features, on Cisco.com
請教您,如果我在介面下這指令是有何用意?
回覆刪除Switch(config-if)#ip dhcp snooping vlan 1
這命令應該是在 Global, 不是在 Interface 下. 您下完這個命令就會立刻回到 Switch (config)# 下, 表示這就是 Global 的命令.
回覆刪除這個命令代表在 VLAN 1 下啟動 DHCP Snooping: 也就是監控 VLAN 1 的 DHCP 活動. 這命令後方所指名的每個 VLAN 都是會被監控的.
因為監控 VLAN 的 DHCP 活動會佔硬體資源, 所以 IOS 不會自動在所有的 VLAN 上頭啟動這個功能, 只有管理者指名的 VLAN 才會監控.
請參考!
洪老師你好:
回覆刪除為什麼我在我的 router 3845 上
sh int status 與 sh ip int brief 所看到的介面會不相同呢?? (sh int status 沒看到Giga port ??)
3845#sh int status
Port Name Status Vlan Duplex Speed Type
Fa0/0/0 disabled 1 auto auto Unknown
Fa0/0/1 6509:7/33 connected trunk a-full a-100 Unknown
Fa0/0/2 6509:7/31 disabled 15 auto auto Unknown
Fa0/0/3 notconnect 1 auto auto Unknown
3845#sh ip int brie
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 192.168.53.100 YES NVRAM up up
GigabitEthernet0/1 192.168.250.6 YES NVRAM up up
FastEthernet0/0/0 unassigned YES unset administratively down down
FastEthernet0/0/1 unassigned YES unset up up
FastEthernet0/0/2 unassigned YES unset administratively down down
FastEthernet0/0/3 unassigned YES unset up down
Serial0/2/0 unassigned YES NVRAM administratively down down
Serial0/2/0.100 192.168.250.2 YES NVRAM administratively down down
Vlan1 unassigned YES NVRAM administratively down down
Vlan15 192.168.15.250 YES NVRAM up up
Vlan65 192.168.65.250 YES NVRAM up up
Vlan114 192.168.14.250 YES NVRAM up up
Loopback0 192.168.53.254 YES NVRAM up up
Loopback1 192.168.53.190 YES NVRAM up up
3845#
3845#
3845#
3845#sh ver
3845#sh version
Cisco IOS Software, 3800 Software (C3845-IPVOICE-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Sat 02-Apr-05 15:14 by yiyan
ROM: System Bootstrap, Version 12.3(11r)T1, RELEASE SOFTWARE (fc1)
3845 uptime is 226 days, 2 hours, 31 minutes
System returned to ROM by power-on
System restarted at 11:32:02 CST Fri Nov 20 2009
System image file is "flash:c3845-ipvoice-mz.123-11.T5.bin"
Cisco 3845 (revision 1.0) with 221184K/40960K bytes of memory.
Processor board ID FHK0748F6GQ
4 FastEthernet interfaces
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
1 Channelized T1/PRI port
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
62592K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
您提到的四個 FastEthernet 埠應該都是 Layer 2 Switch ports (應該就是 "WIC-4ESW" 或是 "HWIC-4ESW" 吧?). "show interfaces status" 命令只會顯示 Layer 2 Switch ports.
回覆刪除有關 "show interfaces status" 命令:
show interfaces status
有關 Layer 2 switch ports:
4-Port Ethernet Switch Configuration Notes for the Cisco 1700 Series Routers
請教您
回覆刪除我手上有一台 cisco WS-C2924M-XL switch
但是卻無法建立 vlan ??
在 Privileged EXEC Mode 下無法使用 vlan database 方式,另外在Global Configuration Mode 也無法使用 vlan XXX 方式 ~~不曉得是出了什麼狀況??
還是有別的方式呢?
謝謝!!
2924#sh ver
2924#sh version
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-H2-M), Version 11.2(8.2)SA6, MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Wed 23-Jun-99 17:56 by boba
Image text-base: 0x00003000, data-base: 0x0020DB0C
ROM: Bootstrap program is C2900XL boot loader
2924 uptime is 6 weeks, 3 days, 17 hours, 56 minutes
System restarted by power-on
System image file is "flash:c2900XL-h2-mz-112.8.2-SA6.bin", booted via
cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID 0x10, with hardware revision 0x03
Last reset from power-on
Processor is running Standard Edition Software
Cluster member switch capable
24 Ethernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:30:80:D7:6D:C0
Motherboard assembly number: 73-3425-09
Power supply part number: 34-0920-01
Motherboard serial number: FAA03379A6X
Power supply serial number: NONE
Model revision number: A0
Model number: WS-C2924M-XL-A
System serial number: FAA0339G1KX
Configuration register is 0xF
我查了一下應該有支援才是: IOS Release 11.2(8)SA6當中的Configuring VLANs提到以下畫面:
回覆刪除Switch# vlan database
Switch(vlan)# vlan 0003 name marketing
VLAN 3 added:
Name: marketing
Switch(vlan)# exit
APPLY completed.
Exiting....
Switch#
是否也可以擷取一下您遇到的錯誤畫面呢?
我的畫面如下~似乎沒有這個指令
回覆刪除2924#vlan database
^
% Invalid input detected at '^' marker.
2924#?
Exec commands:
<1-99> Session number to resume
access-enable Create a temporary Access-List entry
access-template Create a temporary Access-List entry
archive manage archive files
cd Change current directory
clear Reset functions
clock Manage the system clock
configure Enter configuration mode
connect Open a terminal connection
copy Copy from one file to another
debug Debugging functions (see also 'undebug')
delete Delete a file
dir List files on a filesystem
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
format Format a filesystem
fsck Fsck a filesystem
help Description of the interactive help system
hw-module Commands to manipulate a module in a specified slot
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
mkdir Create new directory
more Display the contents of a file
name-connection Name an existing network connection
no Disable debugging functions
ping Send echo messages
pwd Display current working directory
rcommand run command on remote switch
reload Halt and perform a cold restart
rename Rename a file
resume Resume an active network connection
rmdir Remove existing directory
rsh Execute a remote command
send Send a message to other tty lines
session Start remote console session
setup Run the SETUP command facility
show Show running system information
systat Display information about terminal lines
telnet Open a telnet connection
terminal Set terminal line parameters
test Test subsystems, memory, and interfaces
traceroute Trace route to destination
tunnel Open a tunnel connection
undebug Disable debugging functions (see also 'debug')
where List active connections
write Write running configuration to memory, network, or terminal
2924#
我用過 "WS-C2924M-XL-EN"(Enterprise Edition), 確實是可以使用 "vlan database" 設定 VLAN. 您的型號是 "WS-C2924M-XL-A", 我倒是沒用過. 也許我找到的文件不適用您的狀況.
回覆刪除還有一招可以試, 找更新版的 IOS 版本升級看看. 不過有升級失敗無法開機的風險, 並不建議!
如果網友有 "WS-C2924M-XL-A" 而且可以使用 "vlan database" 功能的, 請幫忙補充了!