DHCP option 82 usage problem, shared switchport Blade+BMC

Simon Hobson dhcp1 at thehobsons.co.uk
Wed Oct 15 13:20:47 UTC 2014


LARPENT Jacques <jacques.larpent at altran.com> wrote:

> The blade enclosures are uplinked to a switch acting as layer 3 router between the different VLANs/subnets deployed inside the enclosures (typically a VLAN for blade NICs and another for the BMCs).

...

> The classes are designed to match :   remote_id AND circuit_id AND vendor-class-identifier   to identify a client.
> 
> I should point out that, considering constraint #1, I have to check the vendor-class-identifier to tell the difference between a blade and its BMC.

You have VLANs, you can use the inbuilt mechanisms!

> examples for blade n°11 and its BMC plugged on switchport n°11:
> 
> class "BMC11" {
>                 match if ( substring (option agent.remote-id, 0 , 7) = "switch1" and
>                          ( binary-to-ascii (10, 16, ".", substring(option agent.circuit-id, 1, 4)) ="11") and
>                          ( substring (option vendor-class-identifier, 0, 6) = "iamBMC"));
>              }
> 
>         pool {
>                 allow members of "BMC11";
>                 range 10.0.0.11;
>              }
> 
> class "blade11" {
>                 match if ( substring (option agent.remote-id, 0 , 7) = "switch1" and
>                          ( binary-to-ascii (10, 16, ".", substring(option agent.circuit-id, 1, 4)) ="11") and not
>                          ( substring (option vendor-class-identifier, 0, 6) = "iamBMC"));
>              }
> 
>         pool {
>                 allow members of "blade11";
>                         range 12.0.0.11;
>                 filename "ipxelinux.0";
> 
>              }

OK, how about this:
class "Unit11" {
                match if ( substring (option agent.remote-id, 0 , 7) = "switch1" and
                         ( substring(option agent.circuit-id, 1, 4)) = 00:00:00:0b );
             }
This will get both the BMC and blade for the unit.

        pool {
                allow members of "Unit11";
                range 10.0.0.11;
             }

        pool {
                allow members of "Unit11";
                        range 12.0.0.11;
                filename "ipxelinux.0";

             }

Note several key things:
1) The pool declarations **MUST** be within the correct subnet. You haven't shown the subnet declarations and your layout of declarations shown above would not be valid for more than one unit!
So something like this:
  subnet 10.0.0.0 ... {
    pool {
      allow members of "Unit11";
      range 10.0.0.11;
    }
    pool {
      allow members of "Unit12";
      range 10.0.0.12;
    }
  }
  subnet 12.0.0.0 ... {
    pool {
      allow members of "Unit11";
      range 12.0.0.11;
      filename "ipxelinux.0";
    }
    pool {
      allow members of "Unit12";
      range 12.0.0.12;
      filename "ipxelinux.0";
    }
  }

2) *IF* you have everything all set up correctly, then the above will work automagically. Requests from the BMCs will arrive on a VLAN where the gateway address is within the same subnet as the 10.0.0.nn addresses, while requests from the blades will arrive on a VLAN where the gateway address is within the 12.0.0.nn subnet. If this doesn't work then your network setup is broken.

3) Dunno whether it's an attempt at obfuscation or if you are genuinely using 12.0.0.0 addresses, but they are allocated to AT&T. Do yourself a favour and stick to RFC1918 addresses which are specifically reserved for private use.

4) You can save server load by not converting a string to ascii before comparing it with something you can specify directly.
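
An added illustration, not part of the original post and not ISC dhcpd code: a Python model of how the "Unit11" match and the per-subnet pools resolve a request, using a raw byte comparison on the circuit-id and the relay's gateway address to pick the subnet. The /24 masks, the gateway addresses in the usage note, the circuit-id layout (one leading byte, then a 4-byte port number) and the generalisation to any "UnitNN" are assumptions.

```python
import ipaddress

def parse_option82(raw: bytes) -> dict:
    """Split Relay Agent Information (RFC 3046) into {sub-option code: value}."""
    subopts, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subopts[code] = value
        i += 2 + length
    return subopts

def substring(data: bytes, offset: int, length: int) -> bytes:
    """Byte slice with the offset/length arguments used in the class matches."""
    return data[offset:offset + length]

def unit_class(subopts: dict):
    """Class match from the reply: raw bytes compared directly, no ASCII step."""
    circuit_id = subopts.get(1, b"")   # sub-option 1: Agent Circuit ID
    remote_id = subopts.get(2, b"")    # sub-option 2: Agent Remote ID
    if substring(remote_id, 0, 7) != b"switch1":
        return None
    port = substring(circuit_id, 1, 4)
    return f"Unit{int.from_bytes(port, 'big')}" if len(port) == 4 else None

# Pools nested per subnet as in point 1; the /24 masks are assumed.
POOLS = {
    ipaddress.ip_network("10.0.0.0/24"): {"Unit11": "10.0.0.11", "Unit12": "10.0.0.12"},
    ipaddress.ip_network("12.0.0.0/24"): {"Unit11": "12.0.0.11", "Unit12": "12.0.0.12"},
}

def select_address(giaddr: str, raw_option82: bytes):
    """The relay's giaddr selects the subnet; the class then selects the pool."""
    cls = unit_class(parse_option82(raw_option82))
    for net, pools in POOLS.items():
        if ipaddress.ip_address(giaddr) in net:
            return pools.get(cls)
    return None

# Constructed sample: circuit-id 00 + 00:00:00:0b (port 11), remote-id "switch1".
SAMPLE = bytes([1, 5, 0, 0, 0, 0, 0x0B]) + bytes([2, 7]) + b"switch1"
```

With the same option 82 payload, `select_address("10.0.0.1", SAMPLE)` yields the BMC address and `select_address("12.0.0.1", SAMPLE)` the blade address, so the vendor-class-identifier test is not needed to tell them apart.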

