DHCP instability issue with Cisco 3560 Layer 3 switch

1.If the iOS version of 3560 is or above, look at the log records of 3560 to find out whether there is ARP spoofing in the network, or whether the gateway address is occupied. (If the version is not high, then go to see by grabbing packets).

2.Of course, Layer 2 security also includes DHCP attacks, of course, ARP and DHCP attacks can be handled with the DAI protection function that comes with 3560, you need to enable the DHCP snooping function to create a 5-item entry, and then use the ARP inspection function to get it.

DHCP attacks are also unintentional, for example, the customer has a dumb router, and connects the cable connected to the 3560 room to the LAN port of the dumb router, causing DHCP packets in the broadcast domain to be confused. It needs to be discovered and solved manually, and DHCP snooping can also be defended.

If the 3560 is not a direct customer, the following links to other Layer 2 switches, if the Layer 2 switch is Cisco 2960 or the like, it is easy to do, and there is also an ARP inspection function, if it is a fool switch, then you can only try to eliminate the method of changing the switch, and it is not possible to change the switch, then it is not possible.

Why not use a DHCP server to set up a DHCP pool, why use a switch to configure a DHCP pool?

Steps to configure the Cisco Layer 3 switch DHCP service:

1. First turn on the Layer 3 switch, connect the computer Telnet remotely, and enter the global mode, 2. Turn on the DHCP service in the global mode, enter "Service DHCP", and then press Enter, 3. Specify the address that is not allocated in the DHCP address pool, that is, the excluded address. For the excluded address, enter "ip dhcp excluded-address.""

4. Configure an address pool named "CS", and enter "ip dhcp pool CS"."5. Specify the network segment and mask to be allocated through DHCP, and enter "network"."6. Configure the DNS server for the client, and enter "dns-server.""7. Set the lease period of the address to "3", and enter "lease 3"."8. Configure the gateway for the client as ", enter "default-router", 9. The setting is completed, as long as it belongs to the client of the network segment, it can automatically obtain the IP address. Note here that if there are multiple VLANs, DHCP service needs to be configured for each VLAN.

Are you sure that the IP address of your B computer is set correctly?

The IP address of your gateway and your B computer are not on the same network segment!

"The IP address of B is , and the mask is , gateway"

When I saw this sentence, I didn't look at the following, B computer and gateway are not in the same network segment?

Why is port 1 set to trunk mode? You connect the same switch on port (48) to the computer b for access mode via untagged packet data. One port (1) is in trunk mode, through a data frame with a tag packet, can the two modes communicate?

I'm not so sure! You can try to remove the PTN device, connect the computer directly to the switch port 1, remove the trunk mode, and the same IP address configuration should work.

The above are all QoS applications, what kind of detailed configuration do you want, you said, I write the detailed configuration.

This one is simple.

First: your figure is not dhcp---3560---2960, according to the above figure: pay attention to the following places: the server should establish multiple scopes, that is, multiple address pools.

Enable the Layer 3 function, and replace the interface connected to Layer 2 with access, not trunk, because you feel that Layer 2 is used as an ordinary switch, but only plays the role of an expansion port.

3.The port connected to the Layer 2 switch is added to the corresponding VLAN, and the IP address configured on the int VLAN interface is the customer's gateway.

4.DHCP trunking is performed on the corresponding int VLAN interface. In this way, the IP can be obtained by stringing through the three layers of devices

Pure hand-typed, if you have any questions, you can ask. It's all about learning the Internet!!

On the Layer 2 switch, you can set the port to connect to each PC and divide the VLAN port, so that each port can only get the IP address of its own network segment.

1. Enable multiple address pools on the DHCP server.

2. Configure an IP address of this network segment as the default gateway on the VLAN port.

It should solve your problem.

good luck ！

If everything is fine with your network, the problem may be at the management level. Why do you say that, the CPU of the 3750 is not particularly strong, if you send a packet to its own, there is a 3750 to process at this time, due to the problem that the CPU is not strong, and the core device is busy, so there is a delay.

However, if you are a firewall with ping, the CPU of the firewall is generally not low, and the ability to process its own packets is high. So the speed of reply is faster.

To put it simply: when ping the firewall, the switch is a transit packet, and for these packets, the switch does not take the CPU but the speed card, so it will quickly get a response from the firewall, while the ping switch is, the data is not a transit packet, and it has to go through 37 CPUs, so it is slow.

If it feels like the explanation is reasonable.