Multi-subnet/vlan and failover

Gregory Sloop gregs at sloop.net
Fri May 10 07:58:23 UTC 2013 

It might be, it is a test environment - but I didn't think I had
anything that whacked.

I'll do some more testing the next chance I get. Any other ideas are
more then welcome.

---
As for split - I generally intend for all requests to be handled by
the primary and only fail to the peer. [Fail-over only, no
load-balance]

I'm not sure if that's the best idea - but it seems more
straightforward. (Essentially my worry is if the blocks are split and
a peer goes down, could we run out of addresses in the block for the
"up" server before reclaiming them from the "down" server. I suspect
this worry is mostly because I don't fully grasp how it is handling
things, despite reading the docs - but not as carefully as I probably
need to do.)

[So, I assume a split of 255 would then make it do what I want, having
all requests served by the primary - instead of load-balance, right?]


-Greg


SC> Sounds like you have a leak in your network and broadcast packets are
SC> leaking from one VLAN into another.

SC> One other thing, is there a reason you are using "split 0;"? This
SC> would mean the secondary peer will answer all lease requests. For a
SC> balanced approach you should use 128 which will allow both DHCP
SC> servers to respond to lease requests.

SC> On 10 May 2013 08:19, Gregory Sloop <gregs at sloop.net> wrote:
>> As a follow-up, because it may well impact the answer to my duplicate
>> DHCPOFFER issue, let me describe how the DHCP servers are connected in
>> relation to VLANS etc.
>>
>> The DHCP Servers are on VLAN1, say 10.1.1.11/10.1.1.12 [master/peer]
>>
>> The L3 switch is configured to forward dhcp sessions to 10.1.1.11 and
>> 10.1.1.12
>>
>> ---
>> The duplicate messages are seen on DHCP negotiations from VLAN3 [and, I assume VLAN2]
>>
>> But I have not tested VLAN1 or VLAN2 attached clients to see what
>> happens on those VLANs.
>>
>> TIA for any assistance!
>>
>> -Greg
>>
>> GS> @Kyle
>> GS> Yes, that's it exactly. Thanks!
>>
>> GS> ---
>> GS> I did find a post about putting it in a pool block after posting
>> GS> my query, just about the time you posted your response - but
>> GS> hadn't had a chance to test it - so that's great. It now works.
>>
>> GS> BUT...
>> GS> When I run it, I see odd stuff [running dhcpd in -d -f
>> GS> debug/foreground mode]...
>>
>> GS> ---
>> GS> I see a pair of DHCPDISCOVERs
>>
>> GS> One from ETH0 and the other from the IP/DHCP helper on the L3 switch.
>> GS> i.e.
>> GS> DHCPDISCOVER from so:me:ma:ca:dd:rs on eth0
>> GS> DHCPDISCOVER from so:me:ma:ca:dd:rs on 10.1.2.1
>> GS> [This second one is the layer 3 switch, which is forwarding the DHCP session to the DHCP server]
>>
>> GS> Then dhcpd makes two offers - one on 10.1.1.X and one on 10.1.2.X
>> GS> Since the station isn't on the 10.1.1.X VLAN and *is* on the 10.1.2.X
>> GS> VLAN it "accepts" the 10.1.2.X address and it "works."
>>
>> GS> But I'm sure it's not supposed to be this way.
>> GS> [And I'm pretty sure I'm doing something obvious and perhaps
>> GS> stupid, but I just don't know where to look or what to try.]
>>
>> GS> How do I go about making it only see the forwarded DHCP session
>> GS> and not the one on eth0 [or some other option I'm simply not aware of...]
>>
>> GS> ---
>>
>> GS> -Greg
>>
>>
>> GS> Are you looking for something like this?
>>
>> GS> subnet 172.21.27.0 netmask 255.255.255.0 {
>> GS>   option subnet-mask 255.255.255.0;
>> GS>   option broadcast-address 172.21.27.255;
>> GS>   option routers 172.21.27.1;
>> GS>   ddns-domainname "example.com.";
>> GS>   option domain-search "example.com";
>> GS>   pool {
>> GS>     failover peer "dhcp-failover";
>> GS>     range 172.21.27.5 172.21.27.254;
>> GS>   }
>> GS> }
>>
>>
>> GS> On Thu, May 9, 2013 at 8:08 PM, Gregory Sloop <gregs at sloop.net> wrote:
>> GS> So, I've done a fair bit of reading and searching - and this general
>> GS> template is what I thought would work, but it doesn't.
>>
>> GS> Let me post the dhcp.conf file and then discuss what's wrong and ask
>> GS> for pointers.
>>
>> GS> ---
>> GS> authoritative;
>> GS> #ddns-update-style interim;
>> GS> ignore client-updates;
>> GS> #option host-name = config-option server.ddns-hostname;
>>
>> GS> #include "/etc/rndc.key";
>>
>> GS> option domain-name              "somedom.local";
>> GS> option domain-name-servers      10.1.1.190,10.1.2.1,10.1.1.17;
>> GS> option time-offset              -18000; # Pacific Standard Time
>> GS> option ntp-servers              10.1.1.14
>> GS> one-lease-per-client off;
>>
>> GS> #4 hour lease
>> GS> default-lease-time 14400;
>> GS> max-lease-time 14400;
>> GS> option ip-forwarding off;
>>
>> GS> failover peer "dhcp-failover" {
>> GS>   primary; # declare this to be the primary server
>> GS>   # Address if THIS dhcp server, or what address to listen ON
>> GS>   address 10.1.1.1;
>> GS>   port 647;
>> GS>   # Address of the DHCP fail-over peer.
>> GS>   peer address 10.1.1.2;
>> GS>   peer port 647;
>> GS>   max-response-delay 60;
>> GS>   max-unacked-updates 10;
>> GS>   #load balance max seconds 3;
>> GS>   mclt 3600;
>> GS>   split 0;
>> GS> }
>>
>> GS>     subnet 10.1.1.0 netmask 255.255.255.0 {
>> GS>         range 10.1.1.1 10.1.1.254;
>> GS>         option routers                  10.1.1.1;
>> GS>         option subnet-mask              255.255.255.0;
>> GS>         failover peer "dhcp-failover";
>> GS>     }
>>
>> GS>     subnet 10.1.2.0 netmask 255.255.255.0 {
>> GS>         range 10.1.2.1 10.1.2.254;
>> GS>         option routers                  10.1.2.1;
>> GS>         option subnet-mask              255.255.255.0;
>> GS>         failover peer "dhcp-failover";
>> GS>     }
>>
>> GS>     subnet 10.1.3.0 netmask 255.255.255.0 {
>> GS>         range 10.1.3.1 10.1.3.254;
>> GS>         option routers                  10.1.3.1;
>> GS>         option subnet-mask              255.255.255.0;
>> GS>         failover peer "dhcp-failover";
>> GS>     }
>>
>> GS> ---
>> GS> Now, I've disabled DDNS updates for simplicity sake. Once I get the
>> GS> multi-subnet/VLAN setup and failover working I'll add that back.
>>
>> GS> Perhaps that impacts things somehow, so if you'll keep that in mind,
>> GS> I'd appreciate it.
>>
>> GS> So, when I try this config I get an error saying that a failover needs
>> GS> to be inside a shared network block.
>>
>> GS> But if I do that, I've been told [read] that the DHCP server won't
>> GS> know how to assign the different subnets. [This would apply to a
>> GS> network where I wanted to share all the 10.1.1.1-10.1.3.254 as a
>> GS> single pool/block and assign any station any IP in the whole block.]
>>
>> GS> But I have a L3 switch and I want these assigned to each VLAN.
>>
>> GS> ---
>> GS> So, I setup the conf file without a shared-network and it works fine
>> GS> with the L3 DHCP helper/proxy. Clients on VLAN1 get 10.1.1.0 blocks
>> GS> and VLAN2 get 10.1.2.0 blocks etc.
>>
>> GS> So, with the "failover" block commented out, it works charmingly! Very
>> GS> cool!
>>
>> GS> ---
>> GS> But I *also* want to use failover.
>>
>> GS> And when I put in a fail-over outside a shared-network, it complains
>> GS> that it must be inside a shared network.
>>
>> GS> So, how to I use fail-over AND maintain the subnet grouping above?
>>
>> GS> ---
>> GS> I'll keep reading, but I've tinkered with this quite a bit and for the
>> GS> life of me, I can't see how one would go about it.
>>
>> GS> -Greg
>>
>>
>>
>> --
>> Gregory Sloop, Principal: Sloop Network & Computer Consulting
>> Voice: 503.251.0452 x82
>> EMail: gregs at sloop.net
>> http://www.sloop.net
>> ---
>>
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/dhcp-users
SC> _______________________________________________
SC> dhcp-users mailing list
SC> dhcp-users at lists.isc.org
SC> https://lists.isc.org/mailman/listinfo/dhcp-users

-- 
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x82
EMail: gregs at sloop.net
http://www.sloop.net
---

More information about the dhcp-users mailing list