VLANS and DHCP

David W. Hankins David_Hankins at isc.org
Fri Aug 18 21:31:49 UTC 2006


On Fri, Aug 18, 2006 at 09:37:20AM -0500, Allie M Hopkins wrote:
> whatever equivalent on your FC5 machine.  You can see the interfaces with
> ifconfig and can control them just like any other interface.
> 
> I had to do this for one portion of our setup behind a firewall since the
> pix didn't pass dhcp requests like a normal router.

The trouble with attaching the DHCP server directly to a large
number of 802.1q VLANs only really gets noticed by substantially
large networks with lots of inter-network roaming.

I actually had a very annoyed college campus systems administrator
email me a patch that - although it solved this problem for him -
actually made it so all packets received via DHCP relays would be
NAK'd for being on the wrong network.  Needless to say, I was
not able to incorporate his changes.

I hate trying to describe this problem, primarily because it's an
amazing maze of twisty passages, but also because it's longer and
longer now since I've dealt with this problem that the details have
become more and more fuzzy.

Take one part 802.1q VLAN, mixed well with a single hardware device's
ethernet address (the server has the same link layer address on all
networks because of the 802.1q vlan'd virtual interfaces), and add one
part of an ISC DHCP server that sometimes gets confused about the
difference between clients in RENEW state and clients in REBIND state
(so it errs on the RENEW side which is usually safer).  Shake well,
and the clients that roam between VLANs get ACKed.


So, separating the ISC DHCP server from the VLANs with relays (even
ISC dhcrelay) is preferable to directly attaching VLANs.

Fixing this admitted flaw in ISC DHCP is going to mean architecture
changes in the IO system.  Sadly, they won't be in 3.1.0.

-- 
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DDNS & DHCP.  Email training at isc.org.
-- 
David W. Hankins	"If you don't do it right the first time,
Software Engineer		you'll just have to do it again."
Internet Systems Consortium, Inc.	-- Jack T. Hankins
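
A simplified model of the failure described in the message above, added here as an illustration; it is not ISC DHCP code and not part of the original post. The subnets, addresses and function names are constructed, and the "guess RENEW when no relay is involved" rule is an assumption standing in for the server behaviour the message describes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: two VLANs served by one DHCP server.
SUBNETS = [ipaddress.ip_network("10.0.10.0/24"),   # VLAN 10
           ipaddress.ip_network("10.0.20.0/24")]   # VLAN 20

@dataclass
class DhcpRequest:
    ciaddr: str                 # address the client currently holds
    giaddr: str = "0.0.0.0"     # filled in by a relay agent, zero if none

def classify(req: DhcpRequest) -> str:
    """RENEW and REBIND requests carry the same fields (RFC 2131 4.3.2):
    ciaddr set, no server identifier, no requested-address option.
    Only the delivery differs (unicast vs broadcast). A non-zero giaddr
    proves the packet was broadcast on the relay's link, hence REBIND.
    Without it this model guesses RENEW (assumption, see lead-in)."""
    if ipaddress.ip_address(req.giaddr).is_unspecified:
        return "RENEW"
    return "REBIND"

def decide(req: DhcpRequest) -> str:
    """Return 'ACK' or 'NAK' for a request from a client with a valid lease."""
    if classify(req) == "RENEW":
        # A unicast renewal says nothing about the client's link, so
        # ciaddr is taken at face value.
        return "ACK"
    # REBIND: giaddr names the client's link, so ciaddr can be checked.
    gi = ipaddress.ip_address(req.giaddr)
    link = next((n for n in SUBNETS if gi in n), None)
    if link is None or ipaddress.ip_address(req.ciaddr) not in link:
        return "NAK"
    return "ACK"

def demo() -> dict:
    # Client leased 10.0.10.50 on VLAN 10, then roamed to VLAN 20.
    return {
        "direct_attach": decide(DhcpRequest("10.0.10.50")),
        "via_relay_vlan20": decide(DhcpRequest("10.0.10.50", "10.0.20.1")),
        "via_relay_vlan10": decide(DhcpRequest("10.0.10.50", "10.0.10.1")),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

In the model, the roamed client keeps its VLAN 10 address when the server is attached directly, and is NAK'd only when a relay on VLAN 20 stamps the request with its giaddr.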

