about concept "group", "shared-network", and "subnet", thanks.

Marc Perea marccp at srttel.com
Thu Apr 21 14:07:58 UTC 2011


> I do not think Simon's test was meant to involve DHCP specifically. If
> the two networks share a broadcast domain, you should be able to take a server
> with a 10.1.0.0 address, change its address to something on the 10.170.0.0
> network and have it work. Actually, that is the inverse of Simon's test;
> changing the address and leaving the port the same versus changing the port
> and leaving the address intact.
 
> QinQ is a complication that should make no difference. I think you are
> looking at the wrong level. I have two easier tests for you.
 
Perhaps I misstated - QinQ may not be the complication. All broadcasts other than DHCP are blocked in our access gear (DSLAMs). We utilize a policy engine in our BRAS that requires a successful DHCP, which authenticates based on option 82 (and also statically assigns IP based on option 82), to allow routing to occur. Even though a router may be responsible for a large network - say a /18 - we still don't allow any L2 communication between customers. The customer thinks they are part of that big network, but on the router each customer is a /32, and since we use QinQ all traffic is trunked back from the customer port and is isolated all the way to the BRAS router.
 
So, it is not possible to just put an IP on a box to test with - no DHCP traffic would cause you not to match the policy in the router.
 
>    1) If you run a sniffer on a host on your "TEST ISG-10K" network, does
> it see broadcast traffic from "PRODUCTION ISG-10K" hosts, including
> DHCP traffic but other traffic such as ARP requests may be easier
> to see. If yes, they are part of the same broadcast domain.
 
This is why I brought up QinQ - sniffing anywhere in the path between the DSLAM and the router, that traffic is tunneled, so you wouldn't see any traffic other than a single port's. And if you sniff on the other side of the DSLAM, you still only see your traffic due to the reasons above.
 
>    2) Do the DHCP requests logged on the DHCP server come from the same
> relay address or different addresses? A properly functioning DHCP
> relay with interfaces in multiple broadcast domains should use its
> address facing that domain. If requests come from the same address
> you probably have a shared network. That or a broken relay. 
>
> If there is a different relay address for each subnet, appropriate
> to that subnet, definitely get rid of your shared subnets.

Bruce, yes, precisely - I have a different relay address for each subnet (and each subnet exists only on a single BRAS router).
 
Simon, I think you are visualizing my network clearly, and your latest response is dead on also. Thanks guys!
 
I've removed all the shared-network statements and am just using subnets, and things appear to be working correctly. Thanks for clearing up something I've been unsure of for years!
 
--Marc
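Bruce's second test above (does each subnet's traffic arrive via its own relay address, or do several subnets come through one relay?) can be run mechanically over the server log. The following is an added example, not code from the original thread or from ISC dhcpd: it parses the standard dhcpd syslog form "DHCPOFFER on <addr> to <mac> via <relay>" and reports relays that handed out addresses from more than one subnet. The log lines, MAC addresses and the /16 masks on the two networks named in the thread are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed dhcpd syslog lines (not from the thread). "via X" is the
# relay agent address (giaddr) the packet arrived through.
CLEAN_LOG = """\
DHCPDISCOVER from 00:11:22:33:44:01 via 10.1.0.1
DHCPOFFER on 10.1.0.50 to 00:11:22:33:44:01 via 10.1.0.1
DHCPDISCOVER from 00:11:22:33:44:02 via 10.170.0.1
DHCPOFFER on 10.170.0.77 to 00:11:22:33:44:02 via 10.170.0.1
"""
# Same log, plus an offer from the second subnet arriving via the first relay.
SHARED_LOG = CLEAN_LOG + """\
DHCPDISCOVER from 00:11:22:33:44:03 via 10.1.0.1
DHCPOFFER on 10.170.0.78 to 00:11:22:33:44:03 via 10.1.0.1
"""
# Assumed masks for the two networks named in the thread (constructed).
SUBNETS = ["10.1.0.0/16", "10.170.0.0/16"]

# DHCPOFFER lines carry both the assigned address (identifies the subnet)
# and the relay the request came through, so they are the ones we read.
OFFER_RE = re.compile(r"DHCPOFFER on (\d+\.\d+\.\d+\.\d+) to \S+ via (\S+)")


def relay_map(log_text, subnets):
    """Map each relay address to the set of subnets it handed addresses from."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if not m:
            continue
        addr, relay = ipaddress.ip_address(m.group(1)), m.group(2)
        for net in nets:
            if addr in net:
                seen[relay].add(str(net))
                break
    return dict(seen)


def shared_network_suspects(log_text, subnets):
    """Relays that served more than one subnet.

    Per Bruce's test: one relay address serving several subnets means those
    subnets share a broadcast domain (or the relay is broken); an empty
    result means one relay per subnet, so no shared-network wrapper is needed.
    """
    return {relay: sorted(nets)
            for relay, nets in relay_map(log_text, subnets).items()
            if len(nets) > 1}
```

On Marc's setup, where every subnet lives on a single BRAS with its own relay address, the result is empty, which is the case where plain subnet declarations suffice.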