dhcp failover

David W. Hankins David_Hankins at isc.org
Thu Jul 6 15:13:38 UTC 2006

On Thu, Jul 06, 2006 at 10:56:39AM +1000, Glenn Satchell wrote:
> 2) the dhcp server has an interface on every vlan and you don't use
> relay agents. This can work using a trunked interface that understands
> vlan tagging and some magic on your switches, but means that every vlan
> has to extend to where the dhcp server is. If you have far flung remote
> vlans then you probably don't want all the vlan broadcast traffic
> being forwarded across your WANs.

I just wanted to point out that there's a known flaw in dhcpd with
this approach.

Because not all current I/O transports know the difference between
broadcast and unicast, the server in the configuration above can't
distinguish between DHCP clients in RENEW state and DHCP clients in
REBIND state.

REBIND is important because in that state we want to perform a check
to make sure the client is attached to the right network (and NAK on
that basis if they're not).  In RENEW we can't perform that check
because we don't know that the message was transmitted by the client
on the interface being configured (if you're unicasting a packet,
it can take any route the client chooses).

When a client moves from one vlan to another, it may enter REBIND
state in an attempt to verify its address.  The ISC DHCP Server today
has no choice but to ACK these messages.

Note also, however, that all 802.1Q vlan subinterfaces will have the
same physical interface's MAC address.  So if a client moving between
networks instead transmitted a RENEW message, it would still reach
the DHCP Server, and the server would still ACK the message (extending
its lease, and keeping the client from ever entering REBIND state!).

The consequence is that Windows XP DHCP clients roaming between
VLANs will not succeed in obtaining a new address.  Mac OS X
clients, it might be pointed out, manage to work around this.

The relay agent configuration doesn't have this problem because, when
the client unicasts (RENEW), the relay agent is not involved; when the
client broadcasts (REBIND), the relay agent is involved.

Even when the relay agent is similarly used with 802.1Q vlans, it
is only ever involved when the client is broadcasting.

David W. Hankins		"If you don't do it right the first time,
Software Engineer			you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
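
Added example (not part of David's post, and not ISC dhcpd code): a small
Python model of the server-side decision he describes. It encodes the three
things the server can see on a renewal REQUEST: whether it was relayed
(giaddr set), whether the transport reports it as a broadcast (REBIND) or a
unicast (RENEW), and, for broadcasts, which network it came from. The
addressing plan (VLAN 10 = 10.1.0.0/24, VLAN 20 = 10.2.0.0/24, relays at .1)
and the interface names are constructed for the example; the "typed"
broadcast case is a hypothetical transport that does report the difference,
included only as a contrast to the one that cannot.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed addressing plan (assumption, not from the post):
# VLAN 10 = 10.1.0.0/24, VLAN 20 = 10.2.0.0/24.  The relay on each VLAN uses .1.
VLAN10 = IPv4Network("10.1.0.0/24")
VLAN20 = IPv4Network("10.2.0.0/24")
KNOWN_NETWORKS = [VLAN10, VLAN20]


@dataclass
class Request:
    """The fields of a DHCPREQUEST the server bases its decision on."""
    ciaddr: IPv4Address            # address the client wants to keep
    giaddr: Optional[IPv4Address]  # relay agent's address, None if not relayed
    broadcast: Optional[bool]      # True = REBIND (broadcast), False = RENEW (unicast),
                                   # None = transport cannot say (the trunked-VLAN flaw)


@dataclass
class Interface:
    """Server interface a non-relayed request arrived on."""
    name: str
    network: IPv4Network


def decide(req: Request, rx: Interface) -> str:
    """Return "ACK", "NAK" or "DROP" for a renewal REQUEST."""
    if req.giaddr is not None:
        # Relayed: the client must have broadcast (a relay never sees a unicast
        # RENEW), and giaddr tells us which network the broadcast came from.
        net = next((n for n in KNOWN_NETWORKS if req.giaddr in n), None)
        if net is None:
            return "DROP"          # relay on a network we do not serve
        return "ACK" if req.ciaddr in net else "NAK"
    if req.broadcast is True:
        # Direct REBIND: the broadcast was sent on rx's link, so rx's network
        # is the network the client is really attached to.
        return "ACK" if req.ciaddr in rx.network else "NAK"
    # Direct RENEW (unicast, could have been routed from anywhere) or a
    # transport that cannot tell broadcast from unicast: no reliable network
    # check is possible, so the server has no choice but to ACK.
    return "ACK"


def roaming_client() -> dict:
    """Client that leased 10.1.0.50 on VLAN 10 and then moved to VLAN 20."""
    stale = IPv4Address("10.1.0.50")
    trunk20 = Interface("eth0.20", VLAN20)  # 802.1Q subinterface on the trunk
    return {
        # Relay agent design: REBIND arrives with giaddr = VLAN 20 relay -> NAK.
        "relay_rebind": decide(Request(stale, IPv4Address("10.2.0.1"), True), trunk20),
        # Trunk design, hypothetical transport that reports broadcast -> NAK.
        "trunk_rebind_typed": decide(Request(stale, None, True), trunk20),
        # Trunk design, transport cannot tell broadcast from unicast -> forced ACK.
        "trunk_rebind_untyped": decide(Request(stale, None, None), trunk20),
        # Trunk design, RENEW reaches the shared-MAC server -> ACK, lease extended.
        "trunk_renew": decide(Request(stale, None, False), trunk20),
    }


if __name__ == "__main__":
    for case, verdict in roaming_client().items():
        print(f"{case:22s} {verdict}")
```

Running it shows the asymmetry from the post: only the relayed REBIND (and
the hypothetical broadcast-aware transport) lets the server NAK the stale
10.1.0.50 lease, while the trunked server without broadcast/unicast
knowledge keeps ACKing it, whether the client sends REBIND or RENEW.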
