H3C firewall as the terminal gateway with DHCP relay configured
An H3C firewall serves as the gateway for the terminals and is configured as a DHCP relay; the terminals cannot obtain an IP address.
Firewall configuration:
The terminals belong to the OA zone; the DHCP server belongs to the Trust zone.
#
interface Vlan-interface10
ip address 29.128.0.1 255.255.255.0
dhcp select relay
dhcp relay server-address 10.5.32.110
dhcp relay server-address 10.220.175.110
#
#
interface Route-Aggregation10
ip address 29.2.0.68 255.255.255.248
#
#
security-zone name Trust
import interface Vlan-interface10
#
#
security-zone name OA
import interface GigabitEthernet1/0/22
import interface GigabitEthernet1/0/23
import interface Route-Aggregation10
#
All security policies on site were fully opened, yet the terminals still could not obtain an address. Check the session table:
<GuangMing-FW01>dis session table ipv4 destination-ip 10.5.32.110 verbose
Slot 1:
Initiator:
Source IP/port: 29.2.0.68/67
Destination IP/port: 10.5.32.110/67
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: InLoopBack0
Source security zone: Local
Responder:
Source IP/port: 10.5.32.110/67
Destination IP/port: 29.2.0.68/67
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: UDP(17)
Inbound interface: Route-Aggregation10
Source security zone: OA
State: UDP_OPEN
Application: BOOTPS
Start time: 2019-01-17 22:36:23 TTL: 21s
Initiator->Responder: 4 packets 1312 bytes
Responder->Initiator: 0 packets 0 bytes
The session shows that our firewall did send the request to the server but never received a reply, and that the source address of the request packets is the address of our firewall's uplink interface (29.2.0.68 on Route-Aggregation10), not the address of the DHCP relay interface (29.128.0.1 on Vlan-interface10). Because the on-site engineer had misunderstood this, the policy on another vendor's firewall in the path did not permit our firewall's uplink interface address, so the DHCP requests were blocked and never reached the DHCP server.
After the other vendor's firewall configuration was modified to permit the source address of our firewall's uplink interface in its policy, the terminals obtained IP addresses normally.
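As an added diagnostic example (not part of the original case), the following Python script parses `display session table ... verbose` output of the form shown above, picks out BOOTPS sessions that the firewall sent but never got answered, and reports the address the relay actually used beside the relay interface address (giaddr), which is the mismatch that caused this case. The sample text, the function names and the giaddr parameter are constructed here.

```python
import re

# Constructed sample modelled on the session printout above, so the script runs offline.
SESSION_OUTPUT = """\
Initiator:
Source IP/port: 29.2.0.68/67
Destination IP/port: 10.5.32.110/67
Responder:
Source IP/port: 10.5.32.110/67
Destination IP/port: 29.2.0.68/67
Application: BOOTPS
Initiator->Responder: 4 packets 1312 bytes
Responder->Initiator: 0 packets 0 bytes
"""

IPPORT = re.compile(r"^(Source|Destination) IP/port:\s*(\S+)/\d+")

def parse_sessions(text):
    """Turn 'display session table ... verbose' output into one dict per session."""
    sessions, cur, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Initiator:":                 # a new session entry starts here
            cur, side = {}, "init"
            sessions.append(cur)
        elif line == "Responder:":
            side = "resp"
        elif line.startswith("Application:"):
            cur["app"] = line.split(":", 1)[1].strip()
        elif line.startswith("Initiator->Responder:"):
            cur["fwd_pkts"] = int(line.split()[1])
        elif line.startswith("Responder->Initiator:"):
            cur["rev_pkts"] = int(line.split()[1])
        else:
            m = IPPORT.match(line)
            if m:                                # side-specific src/dst addresses
                cur[f"{side}_{'src' if m.group(1) == 'Source' else 'dst'}"] = m.group(2)
    return sessions

def stalled_relay_sessions(text, giaddr):
    """BOOTPS sessions sent by the firewall with no reply. 'relay_source' is the address
    the relay really used (its egress interface), i.e. what every policy in the path must permit."""
    out = []
    for s in parse_sessions(text):
        if s.get("app") == "BOOTPS" and s.get("fwd_pkts", 0) and not s.get("rev_pkts", 0):
            out.append({"relay_source": s["init_src"], "server": s["init_dst"],
                        "giaddr": giaddr, "source_is_giaddr": s["init_src"] == giaddr})
    return out
```

Run it against a real capture with the relay interface address as `giaddr`; a `source_is_giaddr` of False on a one-way BOOTPS session is the signature of this case.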