Need Help DHCP Server

Prabhpal S. Mavi prabhpal at digital-infotech.net
Mon Mar 18 15:57:21 UTC 2013


Thanks Dear Simon Hobson,

You came a long way with my problem; thanks for all your assistance and
valuable tips & information, greatly, greatly appreciated.

You have helped me a lot; I do not expect anything more than this, it is
enough. With your help, it has almost worked. The DHCP server can give out
IP addresses other than the subnet configured on the physical/logical
interfaces. Originally, that is what I asked the community for help
with.

Since you wish to know how the VLANs are connected, I will explain for you.
It is an implementation of a wireless ISP, where we have 68 hotspots across
the city. The current implementation of the hotspots is handled by a
commercial product that is highly unreliable. I was asked to look into
the open source world to build a reliable solution as a replacement for
the existing (commercial) one.

I implemented FreeRadius 2.2 + CoovaChilli 1.3 + MySQL 5.x + Daloradius
for voucher management for the hotspots. This (DHCP) was the last task
on the checklist (requirements). Where everything was working smoothly
(the implementation was tested in a single-DHCP environment), I was almost
stuck on this DHCP issue, which you guys helped with. It still remains to be
done on the Cisco side, but the Linux server "isc-dhcp" daemon started alright.
The project was more than I detailed here: controlling hotspot users using the
FreeRadius AAA server.

Connectivity:
Clients in the hotspot --> Connected to indoor AP (Access Point) -->
Switch --> Router --> Mast - Telecom Pole --> (VLAN Packet Tagging)
Microwave Radio Link to our Data Center --> ISP HO Access Point --> Core
Switch (VLANs) --> DHCP Server.

I will arrange the replies of this discussion and post back to the list
marked "RESOLVED" for the archives, when done, so that it will help
others as well.

Great thanks to Simon Hobson
Great thanks to Christian Kratzer

Regards / Prabhpal

> Prabhpal S. Mavi wrote:
>>> Once you have above working you might want to get rid of all the vlan
>>> interfaces you have on the server.  A single network on the server is
>>> enough.
>>
>> Sir, I use VLANs because the DHCP request from the client is going to
>> come with a VLAN tag. If I remove the VLANs, I doubt the request would
>> reach the server. But can it create a problem? If so, I need to think
>> again about how to do it.
>
> Like many tasks, there are different ways to do it, each having different
> pros and cons.
>
> I'm assuming there is a switch between the 5 Cisco routers and the Linux
> server. Are the interfaces between this switch and the routers tagged or
> untagged? Put another way, does the switch untag the VLAN 10 packets and
> send them to the top router untagged, or is the top router configured to
> use VLAN 10 natively?
> Also, are these routers you have full control over, or are they
> owned/managed by a third party (such as the customer)? It makes a
> difference as security is a consideration.
>
> If you manage the routers and they are reasonably secure, then you could
> just make a flat network (no VLANs between the Cisco routers and the Linux
> router). Just pick a subnet and give each router an individual IP address.
> On the other hand, if this part of the network isn't secure, then using
> VLANs as you are gives you a level of security - in that a customer cannot
> "hijack" another customer's IP address (whether maliciously or
> accidentally, it does happen).
> There are also pros and cons both ways should you want to pass out the IP
> address of the Cisco routers by DHCP in the future - though I suggest you
> get your basic setup working before you start considering that.
>
>
> While discussing security, you still have the issue that you rely on each
> relay agent providing the correct GI Addr. If this gets misconfigured
> (again, can be accidental or malicious) then you will find your server
> giving out IP addresses from the wrong pool.  In principle they won't
> work (the routing won't send any return packets to the incorrectly
> configured devices), but it would allow a device to exhaust the pool of
> another customer (creating a denial of service).
> That may be a sufficient reason to run separate DHCP server instances (one
> per customer, each on a different VLAN), but that is a decision for you to
> take based on your needs, how well you think you can manage the extra
> complication, and what you perceive the risk level to be.
>
> There is a "right answer", only a "right answer for you".
>
>>> Just configure 192.168.90.1 for the server ip and have all relays relay
>>> to this same address.  Remember to add the empty subnet for
>>> 192.168.90.0/24 when doing so.
>>
>>
>>
>> Like this right?
>> # empty declaration for the server's own network; the subnet must be the
>> # network address (192.168.90.0), not the server's host address, or dhcpd
>> # rejects it as a bad subnet number/mask combination
>> subnet 192.168.90.0 netmask 255.255.255.0 {
>> }
>
> Yes.
> But do remember that all clients must be able to exchange unicast packets
> with the server at this address - ie there must be routing in place both
> ways. I'm assuming your Linux server is also the router (so will be the
> default gateway for each of the Cisco routers) so this shouldn't be a
> problem.
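The quoted reply above points out that the server trusts each relay's giaddr to select the pool, so a misconfigured or hostile relay can drain another customer's pool. The following script, added as an example and not part of the original thread, groups ISC dhcpd DHCPDISCOVER log lines by giaddr to flag relays not in an operator-maintained inventory and relays whose distinct-client count approaches their pool size. The log lines, relay addresses and pool sizes are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of ISC dhcpd syslog lines (not from the original thread).
# "via <address>" is the relay's giaddr, which the server uses to pick the pool.
SAMPLE_LOG = """\
Mar 18 15:57:21 dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:01 via 192.168.10.1
Mar 18 15:57:21 dhcp dhcpd: DHCPOFFER on 192.168.10.50 to 00:11:22:33:44:01 via 192.168.10.1
Mar 18 15:57:30 dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:02 via 192.168.20.1
Mar 18 15:57:40 dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:03 via 192.168.10.9
Mar 18 15:57:41 dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:04 via 192.168.20.1
Mar 18 15:57:42 dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:05 via 192.168.20.1
Mar 18 15:57:43 dhcp dhcpd: DHCPDISCOVER from 00:11:22:33:44:06 via 192.168.20.1
"""

# Assumed relay inventory: giaddr -> number of addresses in the pool it selects.
# Both the relay addresses and the pool sizes are hypothetical.
EXPECTED_RELAYS = {"192.168.10.1": 100, "192.168.20.1": 5}

DISCOVER_RE = re.compile(
    r"DHCPDISCOVER from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"via (?P<giaddr>\d{1,3}(?:\.\d{1,3}){3})"
)


def audit_relays(log_text, expected, ratio=0.75):
    """Group DISCOVERs by giaddr; report relays missing from the inventory
    and relays whose distinct-client count is >= ratio * pool size."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = DISCOVER_RE.search(line)
        if m:  # lines without a dotted giaddr (local "via eth0") are ignored
            clients[m["giaddr"]].add(m["mac"])
    unknown = {g: sorted(macs) for g, macs in clients.items() if g not in expected}
    risk = {g: len(macs) for g, macs in clients.items()
            if g in expected and len(macs) >= ratio * expected[g]}
    return {"unknown_relays": unknown, "exhaustion_risk": risk}


if __name__ == "__main__":
    for kind, hits in audit_relays(SAMPLE_LOG, EXPECTED_RELAYS).items():
        print(kind, hits)
```

Feed it the dhcpd syslog output for a lease-time window; an unknown giaddr is the misconfigured-relay case from the reply, and a relay near its pool size is the early sign of the pool-exhaustion denial of service.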