Берем свич DES-3528 с последней прошивкой. Меняем ему в конфиге следующее (остальное остается по-дефолту):
#-------------------------------------------------------------------------------
# DES-3528 Fast Ethernet Switch
# Configuration
#
# Firmware: Build 2.80.B047
# Copyright(C) 2010 D-Link Corporation. All rights reserved.
#-------------------------------------------------------------------------------
# STACK
config stacking force_master_role state disable
# STORM
config traffic control 1 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 2 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 3 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 4 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 5 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 6 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 7 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 8 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 9 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 10 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 11 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 12 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 13 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 14 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 15 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 16 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 17 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 18 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 19 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 20 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 21 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 22 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 23 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 24 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 25 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 26 broadcast disable multicast disable unicast disable action drop threshold 131072 countdown 0 time_interval 5
config traffic control 27 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control 28 broadcast enable multicast enable unicast disable action drop threshold 100 countdown 0 time_interval 5
config traffic control auto_recover_time 0
config traffic trap none
config traffic control log state enable
# LOOP_DETECT
enable loopdetect
config loopdetect recover_timer 60 interval 10 mode port-based
config loopdetect log state enable
config loopdetect ports 1 state enable
config loopdetect ports 2 state enable
config loopdetect ports 3 state enable
config loopdetect ports 4 state enable
config loopdetect ports 5 state enable
config loopdetect ports 6 state enable
config loopdetect ports 7 state enable
config loopdetect ports 8 state enable
config loopdetect ports 9 state enable
config loopdetect ports 10 state enable
config loopdetect ports 11 state enable
config loopdetect ports 12 state enable
config loopdetect ports 13 state enable
config loopdetect ports 14 state enable
config loopdetect ports 15 state enable
config loopdetect ports 16 state enable
config loopdetect ports 17 state enable
config loopdetect ports 18 state enable
config loopdetect ports 19 state enable
config loopdetect ports 20 state enable
config loopdetect ports 21 state enable
config loopdetect ports 22 state enable
config loopdetect ports 23 state enable
config loopdetect ports 24 state enable
config loopdetect ports 25 state enable
config loopdetect ports 26 state disable
config loopdetect ports 27 state enable
config loopdetect ports 28 state enable
config loopdetect trap none
# PORT
disable jumbo_frame
config ports 1-24,27-28 speed auto flow_control disable learning enable state enable mdix auto
config ports 25-26 medium_type copper speed auto flow_control disable learning enable state enable mdix auto
config ports 25 medium_type fiber speed auto flow_control disable learning enable state enable
config ports 26 medium_type fiber speed auto flow_control disable learning enable state enable description Uplink Core
# VLAN
enable pvid auto_assign
config vlan default delete 1-28
config vlan default add tagged 26
config vlan default advertisement disable
create vlan DHCP4 tag 24
config vlan DHCP4 add tagged 26
config vlan DHCP4 add untagged 1-25,27-28 advertisement disable
disable gvrp
config gvrp nni_bpdu_addr dot1d
disable asymmetric_vlan
disable vlan_trunk
config port_vlan 1-25,27-28 gvrp_state disable ingress_checking enable acceptable_frame admit_all pvid 24
config port_vlan 26 gvrp_state disable ingress_checking enable acceptable_frame admit_all pvid 1
# ACL
create access_profile profile_id 1 profile_name ARP-permit packet_content_mask offset_chunk_1 3 0xFFFF offset_chunk_2 7 0xFFFF offset_chunk_3 8 0xFFFF0000
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0x2EAE offset_chunk_3 0xDE560000 port 18 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xC5E0000 port 9 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xCA80000 port 10 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0x2EAE offset_chunk_3 0xDF380000 port 15 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0x2EAE offset_chunk_3 0xDE0D0000 port 20 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0x2EAE offset_chunk_3 0xDF190000 port 28 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xC6E0000 port 22 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0x2EAE offset_chunk_3 0xDF210000 port 1 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xC070000 port 7 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xC5A0000 port 12 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xCAE0000 port 2 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xC8F0000 port 11 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xC640000 port 14 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xCCF0000 port 19 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0x2EAE offset_chunk_3 0xDEC00000 port 17 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xC240000 port 16 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xC250000 port 21 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0xA00 offset_chunk_3 0xCED0000 port 3 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0x2EAE offset_chunk_3 0xDE0A0000 port 19 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0x2EAE offset_chunk_3 0xDE9E0000 port 6 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0x2EAE offset_chunk_3 0xDEA50000 port 24 permit counter enable
config access_profile profile_id 1 add access_id auto_assign packet_content offset_chunk_1 0x806 offset_chunk_2 0x2EAE offset_chunk_3 0xDEB60000 port 13 permit counter enable
create access_profile profile_id 4 profile_name ARP-Deny ethernet ethernet_type
config access_profile profile_id 4 add access_id 1 ethernet ethernet_type 0x806 port 1-25,27-28 deny
#CPU Interface Filter
create cpu access_profile profile_id 1 ip vlan destination_ip_mask 255.255.255.255 udp dst_port_mask 0xFFFF
config cpu access_profile profile_id 1 add access_id 1 ip vlan_id 24 destination_ip 255.255.255.255 udp dst_port 67 port 26 deny
enable cpu_interface_filtering
# SUBNETVLAN
config vlan_precedence port 1-28 mac_based_vlan
# ADDRBIND
config address_binding dhcp_snoop max_entry ports 1 limit 2
config address_binding dhcp_snoop max_entry ports 2 limit 2
config address_binding dhcp_snoop max_entry ports 3 limit 2
config address_binding dhcp_snoop max_entry ports 4 limit 2
config address_binding dhcp_snoop max_entry ports 5 limit 2
config address_binding dhcp_snoop max_entry ports 6 limit 2
config address_binding dhcp_snoop max_entry ports 7 limit 2
config address_binding dhcp_snoop max_entry ports 8 limit 2
config address_binding dhcp_snoop max_entry ports 9 limit 2
config address_binding dhcp_snoop max_entry ports 10 limit 2
config address_binding dhcp_snoop max_entry ports 11 limit 2
config address_binding dhcp_snoop max_entry ports 12 limit 2
config address_binding dhcp_snoop max_entry ports 13 limit 2
config address_binding dhcp_snoop max_entry ports 14 limit 2
config address_binding dhcp_snoop max_entry ports 15 limit 2
config address_binding dhcp_snoop max_entry ports 16 limit 2
config address_binding dhcp_snoop max_entry ports 17 limit 2
config address_binding dhcp_snoop max_entry ports 18 limit 2
config address_binding dhcp_snoop max_entry ports 19 limit 2
config address_binding dhcp_snoop max_entry ports 20 limit 2
config address_binding dhcp_snoop max_entry ports 21 limit 2
config address_binding dhcp_snoop max_entry ports 22 limit 2
config address_binding dhcp_snoop max_entry ports 23 limit 2
config address_binding dhcp_snoop max_entry ports 24 limit 2
config address_binding dhcp_snoop max_entry ports 25 limit 2
config address_binding dhcp_snoop max_entry ports 26 limit no_limit
config address_binding dhcp_snoop max_entry ports 27 limit 2
config address_binding dhcp_snoop max_entry ports 28 limit 2
config address_binding ip_mac ports 1-25,27-28 mode acl
config address_binding ip_mac ports 1-25,27-28 state enable strict
config address_binding ip_mac ports 1-25,27-28 allow_zeroip enable
enable address_binding dhcp_snoop
disable address_binding trap_log
disable address_binding dhcp_snoop ipv6
disable address_binding nd_snoop
config address_binding dhcp_snoop max_entry ports 1-28 limit no_limit ipv6
config address_binding nd_snoop ports 1-28 max_entry no_limit
# NetBiosFilter
config filter netbios all state disable
config filter netbios 1-28 state enable
config filter extensive_netbios all state disable
config filter extensive_netbios 1-28 state enable
# DhcpServerScreening
config filter dhcp_server ports all state disable
config filter dhcp_server ports 1-25,27-28 state enable
config filter dhcp_server illegal_server_log_suppress_duration 5min
config filter dhcp_server trap_log disable
# BPDU_PROTECTION
config bpdu_protection ports 1-28 mode shutdown
# IGMP_MULTICAST_VLAN
create igmp_snooping multicast_vlan_group_profile TV
config igmp_snooping multicast_vlan_group_profile TV add 239.0.0.0-239.0.0.100
enable igmp_snooping multicast_vlan
config igmp_snooping multicast_vlan forward_unmatched disable
create igmp_snooping multicast_vlan TV 200
config igmp_snooping multicast_vlan TV state enable replace_source_ip 10.0.200.132 remap_priority 5 replace_priority
config igmp_snooping multicast_vlan TV add member_port 1-25,27-28
config igmp_snooping multicast_vlan TV add source_port 26
config igmp_snooping multicast_vlan_group TV add profile_name TV
# IP
config ipif System ipaddress 10.0.100.132/24 vlan default
config ipif System proxy_arp disable local disable
config ipif System dhcpv6_client disable
config ipif System dhcp_option12 state disable
disable autoconfig
# MCFILTER
config multicast vlan_filtering_mode vlanid 1 filter_unregistered_groups
config multicast vlan_filtering_mode vlanid 24 filter_unregistered_groups
config multicast vlan_filtering_mode vlanid 200 filter_unregistered_groups
# IGMP_SNOOPING
enable igmp_snooping
config igmp_snooping data_driven_learning max_learned_entry 128
config igmp_snooping vlan_name TV fast_leave enable report_suppression disable
config igmp_snooping querier vlan_name TV query_interval 125 max_response_time 10 robustness_variable 2 last_member_query_interval 1 state disable version 2
config igmp_snooping data_driven_learning vlan_name TV state enable aged_out enable expiry_time 260
config cpu_filter l3_control_pkt 1-25,27-28 dvmrp state enable
config cpu_filter l3_control_pkt 1-25,27-28 pim state enable
config cpu_filter l3_control_pkt 1-25,27-28 igmp_query state enable
# DHCP_LOCAL_RELAY
disable dhcp_local_relay
# DHCP_RELAY
enable dhcp_relay
config dhcp_relay hops 1 time 0
config dhcp_relay option_82 state enable
config dhcp_relay option_82 check disable
config dhcp_relay option_82 policy keep
config dhcp_relay option_82 remote_id user_define 0132
config dhcp_relay option_60 state disable
config dhcp_relay option_61 state disable
config dhcp_relay option_60 default mode drop
config dhcp_relay option_61 default drop
config dhcp_relay add vlanid 24 10.0.100.1
# ARP
config arp_aging time 20
config gratuitous_arp send ipif_status_up disable
config gratuitous_arp send dup_ip_detected disable
config gratuitous_arp learning disable
enable gratuitous_arp ipif System log
Что это? порт 26 - аплинк, остальные порты - абоненты. Все абоненты в одном влане (24), в котором настроен DHCP-relay + opt.82 и включен IMPB. Также есть ISM. ACL фильтрует исключительно абонентский ARP. CPU-ACL фильтрует дхцп-запросы со стороны порта аплинка. Также включены почти все имеющиеся стандартные фильтры (шторм, LBD, BPDU, DHCP-screen, мультикаст-управление) на абонентских портах.
Что имеем? Абоненты дружно получают адреса по ДХЦП и работают. До тех пор, пока не истечет лиза. После этого все соединения рвутся, т.к. абоненты не могут продлить лизу. Они заново получают адреса по дхцп и работают дальше. Вот кусок логов роутра Asus RT-N16:
Код:
May 30 10:55:06 dhcp client: deconfig: lease is lost
May 30 10:55:17 dhcp client: bound IP : 46.174.222.13 from 46.174.222.1
May 30 11:25:10 dhcp client: deconfig: lease is lost
May 30 11:25:18 dhcp client: bound IP : 46.174.222.13 from 46.174.222.1
May 30 11:55:11 dhcp client: deconfig: lease is lost
May 30 11:55:19 dhcp client: bound IP : 46.174.222.13 from 46.174.222.1
May 30 12:25:11 dhcp client: deconfig: lease is lost
May 30 12:25:23 dhcp client: bound IP : 46.174.222.13 from 46.174.222.1
Вот кусок логов клиента дхцп на линуксе:
Код:
May 30 21:10:25 notebook dhcpcd[2872]: eth0: renewing lease of 46.174.222.13
May 30 21:16:02 notebook dhcpcd[2872]: eth0: failed to renew, attempting to rebind
May 30 21:16:02 notebook dhcpcd[2872]: eth0: acknowledged 46.174.222.13 from 10.0.100.1
May 30 21:16:02 notebook dhcpcd[2872]: eth0: leased 46.174.222.13 for 900 seconds
То есть, так как абонент не может продлить лизу, он начинает полностью заново процесс дхцп. На это уходит несколько секунд, в течение которых связь у абонента полностью рвется. В итоге техсаппорт завален жалобами - в игры играть невозможно, кино он-лайн смотреть невозможно, скайп - невозможно и т.п.
Как только отключаем IMPB, все становится просто идеально! DHCP релеется, лизы продляются, перерывов в связи у абонентов нет.
Что будем делать?
Вход
Регистрация
FAQ
Поиск
. Но я не думаю что у длинка настолько все запущено...