about concept "group", "shared-network", and "subnet", thanks.

Simon Hobson dhcp1 at thehobsons.co.uk
Wed Apr 20 19:02:48 UTC 2011

Marc Perea wrote:

>I'm currently configured with 2 shared-network statements, and I'm 
>guessing it's wrong. My DHCP server resides on a single vlan, single 
>interface. The interface is on our server VLAN, where it is not 
>authoritative and I want to ignore booting. I made that one 
>shared-network (ignore-me). Our BRAS is a L3 relay and directs all 
>DHCP broadcast to unicast by IP to the server. I made this a 2nd 
>shared-network. I originally had it all as one S-N, but dhcpd was 
>still responding to requests on the server VLAN, so I moved it out 
>to actually ignore booting. My configuration snip:
>shared-network "ignore me" {
>         subnet netmask { #SERVER VLAN
>                 ignore booting;
>         }
>}
>shared-network "vlan 2" {
>         subnet netmask { #TEST ISG-10K
>                 authoritative;
>                 ...
>         }
>         subnet netmask { #LOAD TEST
>                 authoritative;
>                 ...
>         }
>         subnet netmask { #PRODUCTION ISG-10K
>                 authoritative;
>                 ...
>         }
>         subnet netmask { #ASR1
>                 authoritative;
>                 ...
>         }
>}
>Does this appear right or wrong? If it's wrong, any explanation of 
>why moving the server subnet into the vlan-2 S-N would cause it to 
>hand out IPs from one of the other subnets, instead of ignoring 

There isn't enough information to say whether your setup is right or wrong.

Going backwards, the reason having your server subnet in the single 
shared-subnet is wrong is simply because that's not your network 
topology. As has already been said, a shared network is where the 
different IP subnets share the same broadcast domain - effectively if 
they are plugged into the same switch.
Where VLANs are concerned, think of each VLAN in terms of being a 
separate virtual switch.

The key test is this. Can you unplug a device in the 
network, and plug into the same socket a device in the 
network and have it work correctly WITH NO OTHER CHANGES ? If not 
then they are not the same network and the subnets should not be in a 
shared network.

As an example of what is NOT a shared network. Suppose is on 
a network in one building, and is on a completely separate 
network in another building - but connected via one or more routers, 
links etc. Taking a device to the first building and configuring it 
with a address won't work, and vice versa.
You definitely must NOT use shared-network in this case. If you do, 
then the DHCP server could assign either a or a 
address to a device in either network, and of course, it's going to 
be pot luck whether the device gets a usable address or not. This is 
because when the server gets a relayed request via (say) as 
the relay agent, it looks in the config and you've told it that 
is available there as well.

As an aside, I'm fairly certain you cannot mix authoritative and 
not-authoritative in a shared network. The DHCP server is either 
authoritative or it isn't for a PHYSICAL network. So you probably 
only want to put authoritative at the shared-network level.

Stemen, Andrew Michael wrote:
>It is my practice (and I recommend it to others) that every network 
>have a shared-network statement, simply for greater clarity, even if 
>there is only one subnet on that network.

I'll disagree there and suggest not using shared networks if you 
don't need them. It's another level of nesting to get confused over, 
and it's something else to confuse a novice admin that has to take 
over when you get knocked down by the proverbial bus.

Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
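The layout Simon's reply points at, written out as an added dhcpd.conf example (not from the original thread or from Marc's actual config): the server-VLAN subnet is a plain top-level subnet declaration with "ignore booting" and no range, every subnet reached through the BRAS relay is its own top-level declaration because each is a separate broadcast domain, and a shared-network is used only where two IP subnets genuinely pass the unplug-and-swap test, with "authoritative" at the shared-network level rather than per subnet. All addresses are constructed from the RFC 5737 and RFC 1918 ranges, and the VLAN names and gateway addresses are assumptions.

```conf
# Added example, not from the original thread. Addresses are constructed
# (RFC 5737 documentation ranges plus 10.0.0.0/8); names are assumptions.

# Server VLAN: dhcpd listens on this interface but must never answer here.
# A bare subnet declaration with no range and "ignore booting" does that;
# it does not need to sit inside a shared-network.
subnet 192.0.2.0 netmask 255.255.255.0 {
    ignore booting;
}

# Subnets relayed by the BRAS (giaddr set to the relay's address in that
# subnet). Each is a separate broadcast domain, so each is its own top-level
# declaration: dhcpd matches giaddr to exactly one subnet and can only hand
# out addresses from that subnet, which removes the "pot luck" described above.
subnet 198.51.100.0 netmask 255.255.255.0 {   # assumed: production BRAS pool
    authoritative;
    option routers 198.51.100.1;
    range 198.51.100.10 198.51.100.250;
}

subnet 203.0.113.0 netmask 255.255.255.0 {    # assumed: second BRAS pool
    authoritative;
    option routers 203.0.113.1;
    range 203.0.113.10 203.0.113.250;
}

# Only where two IP subnets really share one wire (a device moved between
# them works with no other changes) do they belong in one shared-network.
# "authoritative" goes at this level, not inside the individual subnets.
shared-network "vlan-2" {                      # assumed VLAN name
    authoritative;
    subnet 10.0.2.0 netmask 255.255.255.0 {
        option routers 10.0.2.1;
        range 10.0.2.10 10.0.2.250;
    }
    subnet 10.0.3.0 netmask 255.255.255.0 {
        option routers 10.0.3.1;
        range 10.0.3.10 10.0.3.250;
    }
}
```

Before reloading, `dhcpd -t -cf /path/to/dhcpd.conf` parses the file without starting the server, which catches the unbalanced braces in the quoted snippet as well as any subnet declared twice. If a relayed request still receives an address from an unexpected subnet, the giaddr in the log line tells you which declaration dhcpd matched.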
