[Kea-users] Can't get KEA to work here - VLAN issues

Jonis Maurin Ceara jonis at fearp.usp.br
Fri May 20 11:33:40 UTC 2016


Thanks Tomek! 

VLAN in linux are worked by kernel modules, so if Kea uses raw sockets, probabily VLAN is marked/worked AFTER Kea. I still not 100% sure, but my guess is that Kea was receiving all packets at least two times, one for each interface. After that config change, everything is working. 
About IP on interface, I don't have this problem, since my subnet for each interface has the same IP range for hosts and server. 

Jonis Maurin Ceará 
Analista de Sistemas 
FEA-RP 
Help Desk +55 (16) 3315-3898 
Audiovisual +55 (16) 3315-3927 
Desenv. Sistemas +55 (16) 3315-4485 
Infraestrutura +55 (16) 3315-8539 / 0672 
Atendimento Web: http://suporte.fearp.usp.br 

----- Mensagem original -----

> De: "Tomek Mrugalski" <tomasz at isc.org>
> Para: "Jonis Maurin Ceara" <jonis at fearp.usp.br>
> Cc: kea-users at lists.isc.org
> Enviadas: Sexta-feira, 20 de Maio de 2016 6:33:01
> Assunto: Re: [Kea-users] Can't get KEA to work here - VLAN issues

> On 19.05.2016 19:29, Jonis Maurin Ceara wrote:
> > Actually, I need some explanations from experts....
> > DHCP works on Layer 2? And VLAN's, works on layer 2 too?
> I don't have much experience with VLANs, so not sure if what I have
> for
> you would be useful or not. DHCPv4 component of Kea by default uses
> raw
> sockets. This means that it dissects incoming packets on its own. One
> side effect is that raw sockets receive packets before kernel stack
> processes it. In particular, iptables are not effective and Kea would
> receive the traffic, even if iptables drop it. I do not know how VLAN
> support is implemented in Linux kernel, but I presume it may be
> similar.

> > This is what I have:
> > One VM with only one interface.....this interface has VLAN 227 as
> > untagged and a lot of other VLAN"s tagged, including VLAN 209
> > On OS of this VM (CentOS 7), I have two interfaces:
> >
> > eth0 => 'normal interface', configured with static IP and nothing
> > related to VLAN. Untagged VLAN = 227, but receives a lot of other
> > tagged
> > VLAN's. network-id = 1025 for this IP range/VLAN
> > eth0.209 => interface configured with VLAN ID 209. Network-id =
> > 1024
> > for this range/VLAN.
> >
> > In Kea configuration, I had:
> > */"interfaces-config": {/*
> > */ "interfaces": [ "eth0", "eth0.209" ]/*
> > */ },/*
> > and nothing more.
> > The 'problem' is that Kea is seeing more traffic on eth0....I mean,
> > Kea
> > is receiving DHCP requests from ALL other VLAN's that is tagged,
> > even if
> > my linux is not configured for these VLAN's. So I'm guessing that
> > Kea is
> > intercepting DHCP packages before my linux could 'ignore' these
> > tagged
> > packets on eth0 (I could see this on log with debug). Since my VLAN
> > 209
> > came untagged to interface eth0.209 and tagged to interface eth0, I
> > think Kea is guetting crazy with same packet on both network cards
> > and
> > subnets.
> >
> > I have added 'interface' to specific subnetworks and It's working
> > for now.
> That's good to hear. So is Kea doing what you wanted it to do?

> I'm afraid that any improvements for VLAN are out of scope for the
> current 1.1 milestone. So you'll have to work with what is there in
> the
> code now. However, there are couple things you may possibly find
> useful.

> 1. You can switch Kea to use UDP sockets rather than raw sockets.
> This
> should work great if you have relays, but may be not optimal if you
> have
> directly connected clients. See Section 7.2.4 of the User's Guide for
> details (the parameter name is dhcp-socket-type).

> 2. You mentioned using interface parameter in subnet definition. This
> is
> working in Kea 1.0, but has some flaws. In particular, it will not
> work
> if your IP address on the interface does not match the subnet range.
> This has been improved recently. If you're interested, the code is
> currently available on trac4308 branch. You can get it from github.
> It will be on master branch soon. With this change, only the
> interface
> name has to match, not the addresses configured on it. You may give
> it a
> try if you experience problems with the interface selection in the
> 1.0 code.

> Hope that helps,
> Tomek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/kea-users/attachments/20160520/57aad06c/attachment-0001.html>


More information about the Kea-users mailing list