Using Option 82 To Differentiate IP Ranges within Same Subnet

Simon Hobson dhcp1 at thehobsons.co.uk
Thu Aug 23 19:21:41 UTC 2018


Pamuditha Abeysekara <pamuditha at n-able.biz> wrote:

> The reason behind this is to separate multiple routable network segments, I have to create different VLANs which is operationally difficult to manage.

I would strongly suggest you take another look at that - because what you are proposing won't be easy to administer either (especially when it goes wrong !) What sort of network is it ?
One issue you'll find is having an enormous broadcast domain - so in principle any device will be capable of sending a broadcast packet to every other device. To prevent that you'll have to put in place L2 filtering - but that would also break neighbour discovery and so you'd need to add ARP proxying to fix the breakage that the broadcast filtering causes.
And presumably you'll also have to have L2 filtering (alongside DHCP snooping) to prevent devices (I'm guessing that this is a public access network) spoofing another address. If this fails then the scope for spoofing is network wide - whilst in a routed network it's restricted to a single subnet.

> In this case, do I have something similar to an else statement? If all the if statements fail, can I define a default IP pool to issue client IPs?

AFAIK there is no "match if the client isn't in any other class" type of construct, so you can't have a pool with 'allow members of "everything else"'. What you'd need to do is have a pool for "everything else", with something like:

pool {
  deny members of "clients1";
  deny members of "clients2";
  ...
  deny members of "clientsnnn";
  range ...
}

So plenty of scope for mistakes to creep in there - anything not listed in a deny statement will be allowed. You'll probably have to machine generate the config, and by the time you've done that, you may find it's as much work as building a proper network.

Plus, if something isn't working properly, then all you'll see in the logs is "no free leases" which really means "I have no lease that the config allows me to offer to this client". You then start having to figure out what class the client should match to, and then why it's not matching - good luck !
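Since the post suggests machine-generating the config and warns that any class left out of the catch-all pool's deny list will silently be admitted, here is an added example (not from the post, the poster, or ISC) that generates such a dhcpd.conf fragment from Option 82 circuit-ids and then lints it for exactly that mistake. The circuit-id strings, class names, the 10.0.0.0/16 subnet and all address ranges are constructed; the pool allow/deny semantics in pool_admits are my reading of ISC dhcpd (deny wins; a pool with allow statements admits only allowed classes; a pool with none admits everyone not denied) and should be checked against the dhcpd.conf man page for your version.

```python
"""Generate an ISC dhcpd.conf fragment keyed on Option 82 circuit-ids and
lint it for classes missing from the catch-all pool's deny list.
Added example; everything below is constructed, not from the original post."""

# Constructed mapping: Option 82 circuit-id -> (class name, first addr, last addr)
CIRCUITS = {
    "sw1:port1": ("clients1", "10.0.1.10", "10.0.1.200"),
    "sw1:port2": ("clients2", "10.0.2.10", "10.0.2.200"),
    "sw2:port1": ("clients3", "10.0.3.10", "10.0.3.200"),
}
DEFAULT_RANGE = ("10.0.250.10", "10.0.250.200")  # the "everything else" pool


def render_conf(circuits, default_range, deny_all=True):
    """Emit class stanzas plus one pool per class and a catch-all pool.
    deny_all=False deliberately omits the last class from the catch-all's
    deny list to reproduce the mistake the post warns about."""
    lines = []
    for cid, (name, _, _) in circuits.items():
        lines += [f'class "{name}" {{',
                  f'  match if option agent.circuit-id = "{cid}";',  # assumed syntax
                  "}"]
    lines.append("subnet 10.0.0.0 netmask 255.255.0.0 {")  # hypothetical subnet
    for _, (name, lo, hi) in circuits.items():
        lines += ["  pool {", f'    allow members of "{name}";',
                  f"    range {lo} {hi};", "  }"]
    names = [name for name, _, _ in circuits.values()]
    if not deny_all:
        names = names[:-1]  # simulate forgetting one deny statement
    lines.append("  pool {")
    lines += [f'    deny members of "{name}";' for name in names]
    lines += [f"    range {default_range[0]} {default_range[1]};", "  }", "}"]
    return "\n".join(lines)


def parse(conf):
    """Minimal parser for the fragment shape produced above: returns
    (class names, list of pools with their allow/deny sets and range)."""
    classes, pools, cur = [], [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith('class "'):
            classes.append(line.split('"')[1])
        elif line == "pool {":
            cur = {"allow": set(), "deny": set(), "range": None}
        elif cur is not None:
            if line.startswith("allow members of"):
                cur["allow"].add(line.split('"')[1])
            elif line.startswith("deny members of"):
                cur["deny"].add(line.split('"')[1])
            elif line.startswith("range "):
                cur["range"] = line[len("range "):].rstrip(";")
            elif line == "}":
                pools.append(cur)
                cur = None
    return classes, pools


def pool_admits(pool, memberships):
    """Assumed ISC semantics: any matching deny wins; a pool with allow
    statements admits only members of an allowed class; a pool with no
    allow statements admits every client that is not denied."""
    if pool["deny"] & memberships:
        return False
    return not pool["allow"] or bool(pool["allow"] & memberships)


def pools_for(conf, memberships):
    """Ranges a client with the given class memberships could be served from."""
    _, pools = parse(conf)
    return [p["range"] for p in pools if pool_admits(p, memberships)]


def unguarded_classes(conf):
    """Classes that some catch-all pool (no allow statements) fails to deny:
    their clients can leak into the default range."""
    classes, pools = parse(conf)
    catchall = [p for p in pools if not p["allow"]]
    return sorted({c for p in catchall for c in classes if c not in p["deny"]})


if __name__ == "__main__":
    good = render_conf(CIRCUITS, DEFAULT_RANGE)
    bad = render_conf(CIRCUITS, DEFAULT_RANGE, deny_all=False)
    print(good)
    print("unguarded (good):", unguarded_classes(good))
    print("unguarded (bad): ", unguarded_classes(bad))
    print("clients3 pools (bad):", pools_for(bad, {"clients3"}))
```

Run the generator as part of whatever produces the real config and fail the build when unguarded_classes returns anything; that turns the "no free leases" guessing game the post describes into a concrete error naming the class that was left out.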
