Need Help DHCP Server

Simon Hobson dhcp1 at thehobsons.co.uk
Mon Mar 18 12:15:02 UTC 2013


Prabhpal S. Mavi wrote:
>> Once you have above working you might want to get rid of all the vlan
>> interfaces you have on the server.  A single network on the server is
>> enough.
>
>Sir, i use VLANs because the DHCP request from the client is going to come
>with VLAN tag. if i remove VLANs, i doubt that request would not reach to
>the server. But can it create problem ? if so, i need to think again that
>how to do it.

Like many tasks, there are different ways to do it, each having different pros and cons.

I'm assuming there is a switch between the 5 cisco routers and the Linux server. Are the interfaces between this switch and the routers tagged or untagged ? Put another way, does the switch untag the VLAN 10 packets and send them to the top router untagged, or is the top router configured to use VLAN 10 natively ?
Also, are these routers you have full control over, or are they owned/managed by a third party (such as the customer) ? It makes a difference as security is a consideration.

If you manage the routers and they are reasonably secure, then you could just make a flat network (no VLANs between the Cisco routers and the Linux router). Just pick a subnet and give each router an individual IP address.
On the other hand, if this part of the network isn't secure, then using VLANs as you are gives you a level of security - in that a customer cannot "hijack" another customer's IP address (whether maliciously or accidentally, it does happen).
There are also pros and cons both ways should you want to pass out the IP address of the Cisco routers by DHCP in the future - though I suggest you get your basic setup working before you start considering that.


While discussing security, you still have the issue that you rely on each relay agent providing the correct GI Addr. If this gets misconfigured (again, can be accidental or malicious) then you will find your server giving out IP addresses from the wrong pool.  In principle they won't work (the routing won't send any return packets to the incorrectly configured devices), but it would allow a device to exhaust the pool of another customer (creating a denial of service).
That may be a sufficient reason to run separate DHCP server instances (one per customer, each on a different VLAN), but that is a decision for you to take based on your needs, how well you think you can manage the extra complication, and what you perceive the risk level to be.

There is no "right answer", only a "right answer for you".

>> Just configure 192.168.90.1 for the server ip and have all relays relay to
>> this same address.  Remember to add the empty subnet for 192.168.90.0/24
>> when doing so.
>
>Like this right ?
>subnet 192.168.90.0 netmask 255.255.255.0 {
>}

Yes.
But do remember that all clients must be able to exchange unicast packets with the server at this address - i.e. there must be routing in place both ways. I'm assuming your Linux server is also the router (so will be the default gateway for each of the Cisco routers) so this shouldn't be a problem.
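As an added illustration of the giaddr concern raised above (this is not code from the thread or from ISC dhcpd), the following script audits dhcpd syslog lines for relay addresses that are not on an allow-list and for relays that are drawing an unusual number of offers in a short window, which is what a misconfigured or hostile relay exhausting another customer's pool would look like. The log lines and the relay-to-customer mapping are constructed for the example; the regexes follow the "DHCPDISCOVER from <mac> via <giaddr>" and "DHCPOFFER on <ip> to <mac> via <giaddr>" message format dhcpd writes.

```python
import re
from collections import defaultdict

# Constructed dhcpd syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Mar 18 12:00:01 dhcpsrv dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via 192.168.10.1
Mar 18 12:00:01 dhcpsrv dhcpd: DHCPOFFER on 192.168.10.50 to 00:11:22:33:44:01 via 192.168.10.1
Mar 18 12:00:02 dhcpsrv dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 via 192.168.20.1
Mar 18 12:00:02 dhcpsrv dhcpd: DHCPOFFER on 192.168.20.50 to 00:11:22:33:44:02 via 192.168.20.1
Mar 18 12:00:03 dhcpsrv dhcpd: DHCPDISCOVER from 00:11:22:33:44:03 via 192.168.20.1
Mar 18 12:00:03 dhcpsrv dhcpd: DHCPOFFER on 192.168.20.51 to 00:11:22:33:44:03 via 192.168.20.1
Mar 18 12:00:04 dhcpsrv dhcpd: DHCPDISCOVER from 00:11:22:33:44:04 via 192.168.99.1
"""

# Hypothetical allow-list: the giaddr each relay (Cisco router) is expected to
# present, mapped to the customer it serves. Anything else is suspicious.
KNOWN_RELAYS = {"192.168.10.1": "customerA", "192.168.20.1": "customerB"}

DISCOVER_RE = re.compile(r"DHCPDISCOVER from (\S+) via (\S+)")
OFFER_RE = re.compile(r"DHCPOFFER on (\S+) to (\S+) via (\S+)")


def audit_relays(log_text, known_relays, offer_limit):
    """Return (unknown_giaddrs, busy_giaddrs), both sorted lists.

    unknown_giaddrs: giaddr values seen on DISCOVERs that are not in the allow-list
                     (a misconfigured or rogue relay).
    busy_giaddrs:    giaddrs for which at least offer_limit distinct addresses were
                     offered in this log window (possible pool exhaustion)."""
    unknown = set()
    offered = defaultdict(set)  # giaddr -> set of IPs offered via that relay
    for line in log_text.splitlines():
        m = DISCOVER_RE.search(line)
        if m:
            giaddr = m.group(2)
            if giaddr not in known_relays:
                unknown.add(giaddr)
            continue
        m = OFFER_RE.search(line)
        if m:
            offered[m.group(3)].add(m.group(1))
    busy = {g for g, ips in offered.items() if len(ips) >= offer_limit}
    return sorted(unknown), sorted(busy)


if __name__ == "__main__":
    print(audit_relays(SAMPLE_LOG, KNOWN_RELAYS, offer_limit=2))
```

The offer threshold is deliberately tiny for the sample; in practice set it relative to each customer's pool size and the window of log you feed in.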

