Logically isolated VPNs with MPLS - Centralized DHCP

Glenn Satchell glenn.satchell at uniq.com.au
Wed Nov 2 14:28:19 UTC 2011


Those values are binary, not ascii characters. So you definitely need 
the 02:0c:... format rather than "020c...".

As it is truncated, you can either look at the hex dump of the packet 
and get the rest of the values, or test a sub-string.

I've not used wireshark in a long time, but it looks like it is breaking 
out the agent-id for you, so you'd test it using

substring(option agent.remote-id, 0, 8) = 02:0c:02:0a:00:00:0a:20;

See man dhcp-eval for expressions.

If you need to work out how to break out the value you see in wireshark, 
then the dhcp-options man page has some information under VENDOR 
ENCAPSULATED OPTIONS. Each option consists of the option number, the 
length, then the values making the option, followed by the next sub-option.

If 02:0c:02:0a:00:00:0a:20 is the string then the first sub-option is 2, 
length 0c (12) and the next 12 bytes would be the value. You'll need to 
see the whole value to work out the rest.

regards,
-glenn
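Added example (not code from the thread or from ISC): a small Python decoder for the option 82 sub-option layout described above (code, length, value, then the next sub-option), run over a constructed payload that starts with the bytes shown in Wireshark. It assumes that the "Value" Wireshark displays is the whole option 82 payload, so 02 0c is the remote-id sub-option header and the 12 bytes after it are what dhcpd's agent.remote-id holds; it also shows why the quoted ASCII literal from the original class can never match.

```python
from typing import Dict

# RFC 3046 sub-option codes, as exposed by dhcpd's "agent" option space.
SUBOPTION_NAMES = {1: "circuit-id", 2: "remote-id"}

# Constructed option 82 payload: remote-id sub-option (code 02, length 0c) whose
# first six value bytes come from the thread and the rest are invented, followed
# by a made-up 4-byte circuit-id sub-option. Not a real capture.
SAMPLE = bytes.fromhex("020c020a00000a20aabbccddeeff" + "010400010203")


def parse_option82(payload: bytes) -> Dict[str, bytes]:
    """Walk the code/length/value sub-options of an option 82 payload."""
    subopts: Dict[str, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError(f"truncated sub-option header at offset {i}")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:  # e.g. a capture cut off mid-option
            raise ValueError(f"sub-option {code}: {length} bytes claimed, {len(value)} present")
        subopts[SUBOPTION_NAMES.get(code, f"suboption-{code}")] = value
        i += 2 + length
    return subopts


def dhcpd_hex(value: bytes) -> str:
    """Render bytes in the colon-separated form dhcpd.conf expects, e.g. 02:0c."""
    return ":".join(f"{b:02x}" for b in value)


def substring_equals(value: bytes, literal: str, length: int) -> bool:
    """Emulate dhcp-eval's  substring(value, 0, length) = literal  on binary data."""
    return value[:length] == bytes.fromhex(literal.replace(":", ""))[:length]


def demo() -> dict:
    opts = parse_option82(SAMPLE)
    return {
        "remote-id": dhcpd_hex(opts["remote-id"]),
        "circuit-id": dhcpd_hex(opts["circuit-id"]),
        # Against the raw payload the 8-byte binary prefix matches...
        "payload_match": substring_equals(SAMPLE, "02:0c:02:0a:00:00:0a:20", 8),
        # ...but agent.remote-id starts after the 02:0c header, so the same test fails there.
        "remote_id_match": substring_equals(opts["remote-id"], "02:0c:02:0a:00:00:0a:20", 8),
        # The quoted literal is 16 ASCII characters, so it never equals 8 binary bytes.
        "ascii_literal_len": len(b"020c020a00000a20"),
        "ascii_match": SAMPLE[:16] == b"020c020a00000a20",
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The practical takeaway is to check which bytes the accessor you test actually returns (raw payload versus agent.remote-id) before writing the substring() comparison.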

On 11/03/11 00:49, Ronald F. Tallman wrote:
>
> Thanks for the response(s).
>
> Actually I have had the following in the config as well (somehow dropped it
> in sending to the DL):
>
> subnet 10.200.17.0 netmask 255.255.255.0 {}
> subnet 10.32.0.0 netmask 255.255.255.0 {}
>
> However, no luck with it in the config or not.
>
> In the option 82 packet - Wireshark shows:
>
> Value 020c020a00000a20...... truncated
> Remote Agent ID 020c020a00000a20....truncated
>
> I'm trying to ascertain how much and/or which hex value maps to the
> circuit-id or agent-id or?
>
> This config would grow to have multiple isolated VPNs - none of them could
> communicate with each other - But all would make the dhcp request through
> the router relay agent.
>
>
>
> -----Original Message-----
> From: dhcp-users-bounces+ronthu=comcast.net at lists.isc.org
> [mailto:dhcp-users-bounces+ronthu=comcast.net at lists.isc.org] On Behalf Of
> Glenn Satchell
> Sent: Monday, October 31, 2011 9:51 PM
> To: Users of ISC DHCP
> Subject: RE: Logically isolated VPNs with MPLS - Centralized DHCP
>
> It's saying "network LabNet: no free leases", and there is only one pool
> in that shared subnet. This means that it is not matching the wifi-dev
> class, since the allow means deny everything else.
>
> My best guess is that the circuit-id is not matching correctly. The string
> "020c020a00000a20" is an ascii string containing the chars 0, 2, 0, c and
> so on. If you want it to match a binary string, then you should use
>
> match if circuit-id = 02:0c:02:0a:00:00:0a:20;
>
> You can use a packet sniffer like wireshark or tcpdump on your dhcp server
> to see what is coming in from the client.
>
> regards,
> -glenn
>
>> This one is fairly easy, if this is the entire config file.
>>
>> The lease origin 10.32.0.22 isn't a member of either of the subnet
>> declarations in your configuration.  You need to write a subnet
>> declaration matching that network.
>>
>> ====================
>> Scott Stone<scott_stone at trendmicro.com>
>> Manager, DCS-RD
>> Trend Micro, Inc. http://www.trendmicro.com
>>
>>
>> -----Original Message-----
>> From: dhcp-users-bounces+scott_stone=trendmicro.com at lists.isc.org
>> [mailto:dhcp-users-bounces+scott_stone=trendmicro.com at lists.isc.org] On
>> Behalf Of Ronald F. Tallman
>> Sent: Monday, October 31, 2011 8:29 PM
>> To: 'Users of ISC DHCP'
>> Subject: RE: Logically isolated VPNs with MPLS - Centralized DHCP
>>
>> It is a minimal config:
>>
>>
>> stash-agent-options true;
>>
>> shared-network LabNet {
>>
>>     # LABNET Wireless Class
>>     class "wifi-dev" {
>>         match if option agent.circuit-id = "020c020a00000a20";
>>         lease limit 10;
>>     }
>>
>>     subnet 10.200.17.0 netmask 255.255.255.0 {}
>>
>>     # Create a new pool for each class.
>>     subnet 10.32.166.0 netmask 255.255.255.0 {
>>         option routers 10.32.166.1;
>>         option broadcast-address 10.32.166.255;
>>         pool {
>>             allow members of "wifi-dev";
>>             range 10.32.166.44 10.32.166.53;
>>         }
>>     }
>> }
>>
>> The only thing from the logs:
>>
>> Oct 23 22:48:23 sea-securid-1 last message repeated 5 times
>> Oct 23 22:53:49 sea-securid-1 dhcpd: [ID 702911 local7.error] DHCPDISCOVER from 5c:26:0a:1b:58:bb via 10.32.0.22: network LabNet: no free leases
>> Oct 23 22:55:16 sea-securid-1 last message repeated 7 times
>> Oct 23 23:00:37 sea-securid-1 dhcpd: [ID 702911 local7.error] DHCPDISCOVER from 5c:26:0a:1b:58:bb via 10.32.0.22: network LabNet: no free leases
>>
>> ---------------
>> The 10.32.166.1 interface is in the VRF on the same router 10.32.0.22
>> That has the relay agent.
>> The 10.200.17.0 subnet is where central DHCP server lives.
>>
>> -----Original Message-----
>> From: dhcp-users-bounces+ronthu=comcast.net at lists.isc.org
>> [mailto:dhcp-users-bounces+ronthu=comcast.net at lists.isc.org] On Behalf Of
>> Simon Hobson
>> Sent: Monday, October 31, 2011 9:26 AM
>> To: Users of ISC DHCP
>> Subject: Re: Logically isolated VPNs with MPLS - Centralized DHCP
>>
>> Ronald F. Tallman wrote:
>>> Looking for a centralized DHCP solution that supports the following:
>>>
>>> - Numerous VPNs isolated with MPLS - therefore isolated/separated subnets.
>>> - Clients dispatch DHCP request.
>>> - Cisco router/relay agent forwards request to centralized DHCP server to management subnet.
>>
>> The ISC package will handle that - it doesn't really care how the packet
>> gets to it. But bear in mind that you will need to have unique subnet
>> addresses across the entire network served by a single DHCP server.
>>
>>> - Presently DHCP server recognizes forwarded request but will not serve IP as it's sourced from "Unknown Subnet".
>>>
>>> - The subnet is actively provisioned in the DHCP server configuration.
>>
>> Then you'd best post the relevant parts of the config and logs.
>>
>> --
>> Simon Hobson
>>
>> Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
>> author Gladys Hobson. Novels - poetry - short stories - ideal as
>> Christmas stocking fillers. Some available as e-books.