Diferent dhcp relay

André netriver at gmail.com
Tue Oct 11 19:23:24 UTC 2011


In reply to:

Date: Tue, 11 Oct 2011 19:05:15 +0100
From: Simon Hobson <dhcp1 at thehobsons.co.uk>
Subject: Re: Diferent dhcp relay
To: Users of ISC DHCP <dhcp-users at lists.isc.org>


Hello,

I had already tried making it all in one shared-network,
but got the problem of a CPE from relay2 getting an IP
of the network in relay1.
To solve this issue I tried using agent.circuit-id:

class "c3" {
  match if binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 2, 2)) = "99";
  spawn with hardware;
}

And in the pool of the subnets I specified before:

allow members of "online";
deny members of "c3";

But this didn't work. I debugged, and the circuit-id is 99, so that is correct.
Only the network x.x.48.x has allow members of "c3";

I'm getting in the logs:
dhcpd: DHCPDISCOVER from 00:1x:xa:xc:Xx:bc via 10.2.0.1: unknown client
agent.remote-id is also set in the DHCP request; this agent.remote-id also
belongs to the "online" class.

Best regards,
FR


André wrote:

>>> [ dhcpd ]--A.x.x.x/24---[ relay1 ]---B.x.x.x/24 --{ client }
>>>              |--A.x.x.x/24---[ relay 2]---C.x.x.x/24 --{ client }
>>>
>>>  does your setup look similar to this ^ ?
>Yes, my setup is like that.
>
>>
>>  My relays are on the networks
>>  10.1
>>  and 10.2
>>
>>  This is a cable network so cm's will be served from 10.1 and 10.2
>>  Due to equipment restrictions I require to use
>>  the dhcp giaddr of 10.1.x.1 and 10.2.x.2 for
>>  all the hosts requesting an IP address.
>
>
>>>  are these two subnets on the same physical
>>>broadcast zone ? or are the on separate VLANS ?
>Same physical broadcast zone no vlans.

Hmm, these two answers are inconsistent!

First answer says that the two networks (B.x.x.x
and C.x.x.x above) are separate networks, then
you say they are the same network. I'm guessing
from your problem description that the latter is
the truthful answer, and if that is the case then
your config is wrong ...

>shared-network share1
>{
>         subnet x.x.35.0 netmask 255.255.255.0 {
>         }
>         subnet 10.1.0.0 netmask 255.255.0.0 {
>         }
>
>         subnet x.x.34.0 netmask 255.255.255.192 {
>         # CORE NETWORK DONT TOUCH
>         }
>
>         subnet 192.168.0.0 netmask 255.255.0.0 {
>         # CORE MANAGEMENT DONT TOUCH
>         }
>
>}
>
>shared-network share-c3
>{
>     subnet x.x.48.0 netmask 255.255.255.0 {
>     }
>     subnet 10.2.0.0 netmask 255.255.0.0 {
>     }
>}
>

This will not and can not work because what you
have told your DHCP server about your network
topology is different to the actual topology.

Remember that DHCP is a BROADCAST protocol - so
BOTH relay agents will pick up ALL broadcasts
from ALL clients because they are on the same
network. Short of configuring each relay agent
with a list of MAC addresses (or similar) that it
will relay for, then you cannot have one set of
clients using one relay and the other clients
using a different relay. This is fundamental
networking and it's disturbing that you didn't
spot this yourself.

Because the 10.1 and 10.2 networks share the same
broadcast domain, they are themselves a shared
network, and so the above should actually be:

shared-network share1
{
    subnet x.x.35.0 netmask 255.255.255.0 {
    }
    subnet 10.1.0.0 netmask 255.255.0.0 {
    }
    subnet x.x.34.0 netmask 255.255.255.192 {
    }
    subnet 192.168.0.0 netmask 255.255.0.0 {
    }
    subnet x.x.48.0 netmask 255.255.255.0 {
    }
    subnet 10.2.0.0 netmask 255.255.0.0 {
    }
}

Now you see that all these subnets are ONE shared
network. If you require to split clients between
the 10.1 and 10.2 networks in a specific way,
then you will need to use classing to do so, e.g.:

class "classdot1" {
  match if <something>;
}
class "classdot2" {
  match if <something else>;
}
subnet 10.1.0.0 netmask 255.255.0.0 {
  pool {
    ....
    allow members of "classdot1";
  }
}
subnet 10.2.0.0 netmask 255.255.0.0 {
  pool {
    ....
    allow members of "classdot2";
  }
}

--
Simon Hobson


On Tue, Oct 11, 2011 at 5:50 PM, André <netriver at gmail.com> wrote:

> In reply to
> jeffrey j donovan donovan at beth.k12.pa.us
> Tue Oct 11 15:12:20 UTC 2011
>
> >
> > Hello,
> >
> > I'm running a dhcp server and recently I needed to add a second relay
> > that will connect to this server.
> >> When you talk about relays,.. are you talking about UDP helper relays?
> Yes
>
> >> [ dhcpd ]--A.x.x.x/24---[ relay1 ]---B.x.x.x/24 --{ client }
> >>             |--A.x.x.x/24---[ relay 2]---C.x.x.x/24 --{ client }
> >>
> >> does your setup look similar to this ^ ?
> Yes, my setup is like that.
>
>
> >
> > My relays are on the networks
> > 10.1
> > and 10.2
> >
> > This is a cable network so cm's will be served from 10.1 and 10.2
> > Due to equipment restrictions I require to use the dhcp giaddr of
> > 10.1.x.1 and 10.2.x.2 for all the hosts
> > requesting an IP address.
>
>
> >> are these two subnets on the same physical broadcast zone ? or are they
> >> on separate VLANS ?
> Same physical broadcast zone, no vlans.
>
>
>
> >
> > To solve this I created two shared networks.
> > The CPE hosts in share net 1 work well, no issues; the CMs get online OK.
> >
> > My problem is in the new equipment in share net 2: CMs get online well,
> > CPEs don't, they always get
> > DHCPDISCOVER from 00:14:2a:xc:xx:xc via x.x.x.x: unknown client
> >
> > My only way to distinguish the hosts at this moment is:
> > CMs have docsis vendor class and have a host { } declaration
> >
> > CPEs use the remote-id that's obtained from the relay
> >
> > I'm missing something in the config for the second shared-network or
> > something is wrong.
> >
> > Any suggestions ?
> >
> > Best regards,
> > FR
> >
>
> greetings
> post your dhcpd.conf file
>
> <Dhcpd.conf>
>
> ddns-update-style none;
> default-lease-time 1800;
> max-lease-time 7200;
> authoritative;
> log-facility local7;
> allow leasequery;
> ddns-updates off;
> deny duplicates;
> deny declines;
> deny client-updates;
> one-lease-per-client off;
> update-static-leases on;
> stash-agent-options true;
>
> class "online" {
>     match option agent.remote-id;
> }
>
> include "/etc/dhcp3/online.conf";
> include "/etc/dhcp3/hostscm.conf";
> include "/etc/dhcp3/static.conf";
>
> class "CM" {
>   # only match if first 6 chars of option 61 are docsis
>   match if (substring(option vendor-class-identifier,0,6) = "docsis");
>   spawn with hardware;
> }
>
> class "MTA" {
> match if (substring(option vendor-class-identifier,0,4) = "pktc");
> spawn with hardware;
> }
>
> class "Client" {
> match if ((substring(option vendor-class-identifier,0,6) != "docsis") and
> (substring(option vendor-class-identifier,0,4) != "pktc"));
> spawn with hardware;
> }
>
> class "c3" {
>   match if binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 2, 2)) = "99";
>   spawn with hardware;
> }
>
> if known {
>     log (info, concat ("HOSTNAME: ", host-decl-name, " on ",
>          binary-to-ascii (10, 8, ".", leased-address), " at ",
>          binary-to-ascii (16, 8, ":", substring (hardware, 1, 6))));
> }
>
> on commit {
>         set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
>         set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
>         #set ClientRemoteId = binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 12));
>         set ClientRemoteId = binary-to-ascii(16, 8, ":", option agent.remote-id);
>         set Via = binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 2, 2));
>         log(concat("Commit: IP: ", ClientIP, " Mac: ", ClientMac, " RemoteID: ",
>             ClientRemoteId, " Via:", Via));
>         execute("/etc/dhcp3/record.pl", "commit", ClientIP, ClientMac, ClientRemoteId);
> }
>
> shared-network share1
> {
>         option domain-name "cpe.domain";
>         option ntp-servers x.x.34.20, x.x.34.10;
>         option domain-name-servers x.x.34.10;
>         option time-servers x.x.34.20;
>         default-lease-time 1800;
>         max-lease-time 1800;
>         option time-offset 0;
>
>         subnet x.x.35.0 netmask 255.255.255.0 {
>                 allow unknown-clients;
>                 option routers x.x.35.1;
>                 pool {
>                         allow members of "online";
>                         deny members of "CM";
>                         range x.x.35.2 x.x.35.26;
>                         range x.x.35.28 x.x.35.254;
>                 }
>         }
>
>         subnet 10.1.0.0 netmask 255.255.0.0 {
>                 allow bootp;
>                 deny unknown-clients;
>                 default-lease-time 14400;
>                 max-lease-time 14400;
>                 option domain-name-servers x.x.34.20;
>                 option ntp-servers x.x.34.20;
>                 option time-servers x.x.34.20;
>                 option domain-name "cuda.cm.domain";
>                 option time-offset 0;
>
>                 option subnet-mask 255.255.0.0;
>                 option broadcast-address 10.1.255.255;
>                 option routers 10.1.0.1;
>                 option log-servers x.x.34.20;
>                 option tftp-server-name "x.x.34.20";
>                 next-server x.x.34.20;
>         }
>
>         subnet x.x.34.0 netmask 255.255.255.192 {
>         # CORE NETWORK DONT TOUCH
>         }
>
>         subnet 192.168.0.0 netmask 255.255.0.0 {
>         # CORE MANAGEMENT DONT TOUCH
>         }
>
> }
>
> shared-network share-c3
> {
>     option domain-name "c3.cpe.domain";
>     option ntp-servers x.x.34.20, x.x.34.10;
>     option domain-name-servers x.x.34.20, x.x.34.10;
>     option time-servers x.x.34.20;
>     default-lease-time 800;
>     max-lease-time 800;
>     option time-offset 0;
>
>     subnet x.x.48.0 netmask 255.255.255.0 {
>         default-lease-time 800;
>         max-lease-time 800;
>         allow unknown-clients;
>         option routers x.x.48.1;
>         pool {
>             allow members of "online";
>             range x.x.48.2 x.x.48.200;
>             range x.x.48.201 x.x.48.254;
>         }
>     }
>
>     subnet 10.2.0.0 netmask 255.255.0.0 {
>         deny unknown-clients;
>         allow bootp;
>         default-lease-time 14400;
>         max-lease-time 14400;
>         option domain-name-servers 192.168.0.30;
>         option domain-name "c3.cm.domain";
>         option time-offset 0;
>         option ntp-servers 192.168.0.30;
>         option time-servers 192.168.0.30;
>         option subnet-mask 255.255.0.0;
>         option broadcast-address 10.2.255.255;
>         option routers 10.2.0.1;
>         option log-servers 192.168.0.30;
>         option tftp-server-name "192.168.0.30";
>         next-server 192.168.0.30;
>
>         pool {
>             allow members of "online";
>             range 10.2.0.2 10.2.254.253;
>         }
>     }
> }
>
>
> I removed comments for better readability.
> Also, if I place the network x.x.48.x inside share1 I get IPs delivered to
> it from another network, for example x.x.35.x,
> regardless of setting
> dhcp-giaddr to policy ; # making the relay agent use the gateway of
> x.x.48.1 instead of 10.2.0.1
> In the first equipment it looks like I can't specify the use of the normal
> network IP.
>
> I tried using the circuit-id of the equipments to try to deny them from being
> delivered from some subnets of share1.
>
> Thank you for any help.
>
> Best regards,
> FR
>
>
> On Tue, Oct 11, 2011 at 3:54 PM, André <netriver at gmail.com> wrote:
>
>>
>> Hello,
>>
>> I'm running a dhcp server and recently I needed to add a second relay that
>> will connect to this server.
>>
>> My relays are on the networks
>> 10.1
>> and 10.2
>>
>> This is a cable network so cm's will be served from 10.1 and 10.2
>> Due to equipment restrictions I require to use the dhcp giaddr of 10.1.x.1
>> and 10.2.x.2 for all the hosts
>> requesting an IP address.
>>
>> To solve this I created two shared networks.
>> The CPE hosts in share net 1 work well, no issues; the CMs get online OK.
>>
>> My problem is in the new equipment in share net 2: CMs get online well,
>> CPEs don't, they always get
>> DHCPDISCOVER from 00:14:2a:xc:xx:xc via x.x.x.x: unknown client
>>
>> My only way to distinguish the hosts at this moment is:
>> CMs have docsis vendor class and have a host { } declaration
>>
>> CPEs use the remote-id that's obtained from the relay
>>
>> I'm missing something in the config for the second shared-network or
>> something is wrong.
>>
>> Any suggestions ?
>>
>> Best regards,
>> FR
>>
>>
>>
>
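To make the class expression discussed in this thread concrete, here is an added Python model (not code from the thread, from André, or from ISC DHCP) of how dhcpd evaluates `substring()` and `binary-to-ascii()` over the option 82 sub-options a relay inserts. It evaluates the "c3" match and the on-commit "Via" and "RemoteID" values from André's dhcpd.conf above, and parses the `DHCPDISCOVER ... via ...: unknown client` log line to recover the MAC and the relay giaddr. The circuit-id and remote-id byte values are constructed samples, and how dhcpd treats a data length that is not a whole number of elements is an assumption noted in the code.

```python
"""Added example: model how ISC dhcpd evaluates the thread's class "c3".

dhcpd expression semantics (dhcp-eval(5)):
  substring(data, offset, length)         -> data[offset : offset+length]
  binary-to-ascii(base, width, sep, data) -> 'width'-bit big-endian numbers in 'base'
The class from the thread:
  match if binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 2, 2)) = "99";
"""
import re
from typing import Optional

# RFC 3046 sub-option codes inside DHCP option 82 (Relay Agent Information).
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def parse_option82(payload: bytes) -> dict:
    """Split an option-82 payload (code, length, value triples) into {code: value}.

    Truncated encodings raise instead of letting a class match on partial data.
    """
    subs = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("option 82: sub-option header truncated")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("option 82: sub-option %d value truncated" % code)
        subs[code] = value
        i += 2 + length
    return subs


def isc_substring(data: bytes, offset: int, length: int) -> bytes:
    """dhcpd's substring(): short input simply yields a short (possibly empty) result."""
    return data[offset : offset + length]


def isc_binary_to_ascii(base: int, width: int, separator: str, data: bytes) -> str:
    """dhcpd's binary-to-ascii(): no zero padding, so MACs render as "0:14:2a:...".

    Assumption: trailing bytes that do not fill a whole element are ignored;
    dhcpd's exact behaviour for such odd lengths is not modelled here.
    """
    if not 2 <= base <= 16 or width not in (8, 16, 32):
        raise ValueError("unsupported base/width")
    size = width // 8
    digits = "0123456789abcdef"
    parts = []
    for j in range(0, len(data) - size + 1, size):
        n = int.from_bytes(data[j : j + size], "big")
        text = ""
        while True:
            text = digits[n % base] + text
            n //= base
            if n == 0:
                break
        parts.append(text)
    return separator.join(parts)


def matches_c3(circuit_id: bytes) -> bool:
    """The "c3" match expression from the thread's dhcpd.conf, evaluated in Python."""
    return isc_binary_to_ascii(10, 16, "", isc_substring(circuit_id, 2, 2)) == "99"


def classify_option82(payload: bytes) -> dict:
    """Evaluate one relayed packet's option 82 the way the config's on-commit block does."""
    subs = parse_option82(payload)
    circuit = subs.get(SUBOPT_CIRCUIT_ID, b"")
    remote = subs.get(SUBOPT_REMOTE_ID, b"")
    return {
        "via": isc_binary_to_ascii(10, 16, "", isc_substring(circuit, 2, 2)),
        "remote_id": isc_binary_to_ascii(16, 8, ":", remote),
        "c3": matches_c3(circuit),
    }


LOG_RE = re.compile(r"DHCPDISCOVER from (?P<mac>[0-9A-Fa-fxX:]+) via (?P<giaddr>[0-9.]+): (?P<reason>.*)$")


def parse_discover_log(line: str) -> Optional[dict]:
    """Extract MAC, relay giaddr and refusal reason from a dhcpd DHCPDISCOVER log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


# Constructed sample values (not taken from the thread): relay2 tags bytes 2-3 of the
# circuit-id with port 99 (0x0063); relay1 with port 5; the remote-id is a made-up CPE MAC.
CIRCUIT_RELAY2 = bytes([0x01, 0x02, 0x00, 0x63])
CIRCUIT_RELAY1 = bytes([0x01, 0x02, 0x00, 0x05])
REMOTE_ID = bytes.fromhex("00142a010203")
OPTION82_RELAY2 = (bytes([SUBOPT_CIRCUIT_ID, len(CIRCUIT_RELAY2)]) + CIRCUIT_RELAY2
                   + bytes([SUBOPT_REMOTE_ID, len(REMOTE_ID)]) + REMOTE_ID)

if __name__ == "__main__":
    print(classify_option82(OPTION82_RELAY2))  # {'via': '99', 'remote_id': '0:14:2a:1:2:3', 'c3': True}
    print(matches_c3(CIRCUIT_RELAY1), matches_c3(b"\x01\x02"))  # False False
    print(parse_discover_log("dhcpd: DHCPDISCOVER from 00:1x:xa:xc:Xx:bc via 10.2.0.1: unknown client"))
```

The point to take from it: the match only fires when bytes 2 and 3 of the circuit-id, read as one big-endian 16-bit number, are exactly 0x0063. A relay that encodes the port as a single byte, or places it at another offset, produces a different string (or an empty one for a circuit-id shorter than four bytes), and the client quietly falls outside "c3". Logging the Via value on commit, as the config already does, is the quickest way to confirm what each relay actually sends before relying on it in a pool's allow/deny rules.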