Option 82 or subnet: who wins?

David McGaughey mcgoy1 at clearwire.net
Tue Mar 17 02:19:57 UTC 2009


Greetings!  Thank you all very much for your kind help.  I wish I had the
time to reply to all, but like you all I work in IT and so I do understand
just how precious your time is.

> So it's host statement, class, pool, subnet, shared-network.

This order, clearly documented, I guess I never read with understanding.  I
simply went with my intuition, which is:

Broadcast domain of client, shared-network, subnet, pool, class or host
(wash).

You state:

> Moving the class definition outside the subnet definition means that
> the class won't have a router or netmask (or other values from that
> subnet) as inherited values. These values can then be picked up from
> the lower precedent subnet. Usually this is what you want and is why
> the usual thing is to put class definitions in the global scope.

Of all the help and tutoring that you all have provided, this is the most
unexpected statement of them all.  I realize that scope may be placed into a
class so that it might be inherited within a match.  But to have the class
acquire scope from where it is declared is - unexpected to me.  I can't read
it in the man page.  I see some hint there "Each of these declarations
itself appear within a lexical scope..." But that's a pretty big jump (in my
mind) to picking up scope from lexical context.  Look at this class
definition:

class "ms_rm116_sw2650_hp1.0.17"
{
 match if (
         option agent.remote-id = 0:1d:b3:1f:c2:80
     and
         option agent.circuit-id = 0:11
      );
}

It's a global class definition having nothing to do with subnet or even
client MAC.  Why would lexical context attach scope baggage to it?
Evidently - it just does.  My only reason for placing the class definitions
into the subnet context was to have it close to the pool that would consume
it - for debugging: HA!  


Ok, here is the reconstructed dhcpd.conf:
option domain-name "ci.lubbock.tx.us"; 
option domain-name-servers 10.2.1.254, 10.2.1.253, 10.2.1.7;
default-lease-time 259200;
max-lease-time 259200;
ddns-update-style none; ddns-updates off;
authoritative;
class "ms_rm116_sw2650_hp1.0.17"
{
 match if (
         option agent.remote-id = 0:1d:b3:1f:c2:80
     and
         option agent.circuit-id = 0:11
      );
}
subnet 172.25.254.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 172.25.254.255;
  option routers 172.25.254.1;
pool {
 range 172.25.254.47 172.25.254.49;
 allow members of "ms_rm116_sw2650_hp1.0.17";
}
}
subnet 192.168.50.0 netmask 255.255.254.0 {
 pool {
   option broadcast-address 192.168.51.255;
   option routers 192.168.50.1;
   option subnet-mask 255.255.254.0;
   default-lease-time 14400;
   max-lease-time 14400;
   range 192.168.51.1;
  }
}

Here is the result on the VLAN with the 192.168.50.0/23 broadcast domain:


C:\>ipconfig /release

Windows IP Configuration

IP Address for adapter Local Area Connection 2 has already been released.

C:\>ipconfig /renew

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : ci.lubbock.tx.us
        IP Address. . . . . . . . . . . . : 192.168.51.1
        Subnet Mask . . . . . . . . . . . : 255.255.254.0
        Default Gateway . . . . . . . . . : 192.168.50.1

This was done with port 17 in the 192.168.50.0/23 broadcast domain.
Swinging it into the 172.25.254.0/24 domain AND bringing option 82 into play:

C:\>ipconfig /release

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

C:\>ipconfig /renew

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : ci.lubbock.tx.us
        IP Address. . . . . . . . . . . . : 172.25.254.47
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.25.254.1

C:\>ipconfig /release

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :

C:\>ipconfig /renew

Windows IP Configuration

An error occurred while renewing interface Local Area Connection 2 : Access is denied.


C:\>ipconfig /release

Windows IP Configuration

IP Address for adapter Local Area Connection 2 has already been released.

C:\>ipconfig /renew

Windows IP Configuration

An error occurred while renewing interface Local Area Connection 2 : Access is denied.


C:\>ipconfig /release

Windows IP Configuration

IP Address for adapter Local Area Connection 2 has already been released.

C:\>ipconfig /renew

Windows IP Configuration

An error occurred while renewing interface Local Area Connection 2 : Access is denied.

Notice the subsequent "Access is denied." lease renewals.  The bad news is
that this is my previous problem.  The good news is that Friday last this is
not the result that I got on the release renews and I've not been able to
recreate that.  I blew all that away last Friday moving on to testing
pulling the classes out of the subnets.  Didn't save the exact config and I
must just chalk that up to some mistake that I made.  I can describe to you
what I saw:  Instead of the access denied, I got the next lease in the pool
until all three were exhausted:  *.47, *.48, and *.49.  After that I got a
mixed lease from both pools.  The ip from the 192 and the rest from the 172.

Was pretty sure I could get back there, but could not.  My apologies!  

You all have a really good understanding of what goes on here with dhcpd.
If you could tell me why I can't renew a lease when the 82 options come into
play - well - I would buy that expensive t-shirt.

Thanks again to everyone!


David McGaughey

Lubbock, Texas

mcgoy at plumbearcat.com

(806)438-7363

 


-----Original Message-----
From: dhcp-users-bounces at lists.isc.org
[mailto:dhcp-users-bounces at lists.isc.org] On Behalf Of Glenn Satchell
Sent: Saturday, March 14, 2009 6:33 PM
To: dhcp-users at lists.isc.org
Subject: RE: Option 82 or subnet: who wins?

Hi David

This paragraph from the dhcpd.conf man page describes the precedence:

     When a client is to  be  booted,  its  boot  parameters  are
     determined  by consulting that client's host declaration (if
     any), and then consulting any  class  declarations  matching
     the  client, followed by the pool, subnet and shared-network
     declarations for the IP  address  assigned  to  the  client.
     Each  of  these declarations itself appears within a lexical
     scope, and all declarations at less specific lexical  scopes
     are  also consulted for client option declarations.   Scopes
     are never considered twice, and if parameters  are  declared
     in  more  than one scope, the parameter declared in the most
     specific scope is the one that is used.

So it's host statement, class, pool, subnet, shared-network.

In this case the subnet mask and router are being inherited via the
class defined in the 172.x subnet, and the IP address from the pool in
the other subnet.

Moving the class definition outside the subnet definition means that
the class won't have a router or netmask (or other values from that
subnet) as inherited values. These values can then be picked up from
the lower precedent subnet. Usually this is what you want and is why
the usual thing is to put class definitions in the global scope.

I'm not sure what's going on, but I'm suspecting a port
misconfiguration perhaps. If you plug into a switch port that is
configured for the 172.25.254.0 vlan then that subnet definition is
used. If you plug into a port that is configured for the 192.168.50.0
vlan then  that subnet definition comes into play. dhcpd looks at the
relay giaddr field (the ip address of the interface on the relay where
the request came in) to determine the subnet. Or if no relay (that is a
local subnet), then the dhcp server uses the ip address of its
interface where the request came in.

dhcpd won't assign a 192.168.50.0 address if it believes that the
device is on the 172.25.254.0 subnet.

Can you please post the ipconfig /all output and dhcpd.conf with the
class moved outside the subnet definition?

regards,
-glenn
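To make the precedence paragraph above concrete, here is a small model of how dhcpd ends up handing out the mixed lease David posted (192.168.51.x address, but the 172.25.254.0/24 mask and router). This is an added example written for this thread; it is not dhcpd source and not David's or Glenn's code. It follows the man-page text: for a lease, the subnet, pool, matching class and host scopes are consulted least specific first, each assignment overriding the earlier one, and before each scope its lexical parents are run, outermost first, skipping scopes already consulted for this lease. The walk order and the "already consulted" test are my simplification of the server's scope execution, and the scope tree is a transcription of the posted dhcpd.conf. Which subnet the request is attributed to (giaddr or receiving interface) and whether option 82 matches the class are taken as given inputs; class membership only adds a scope to consult, it never moves the client to another subnet.

```python
# Added example: a model of ISC dhcpd option-scope precedence, following the
# dhcpd.conf man-page paragraph quoted in this thread.  Not dhcpd code; the
# walk order (subnet, pool, class, host) and the ancestor test for "scopes
# are never considered twice" are my simplification of the real server.


class Scope:
    """One lexical scope of dhcpd.conf (global, subnet, pool, class, host)."""

    def __init__(self, name, parent=None, params=None):
        self.name = name
        self.parent = parent
        self.params = dict(params or {})

    def ancestors(self):
        """This scope and every scope lexically enclosing it, innermost first."""
        s = self
        while s is not None:
            yield s
            s = s.parent


def resolve(lease_subnet, pool, classes, host=None):
    """Parameters a client gets for a lease from `pool` inside `lease_subnet`.

    Scopes run least specific first (subnet, pool, class, host); a later
    assignment overrides an earlier one, so the most specific scope wins.
    Before a scope runs, its lexical parents run, outermost first, except
    scopes already consulted for this lease (the lease subnet's ancestors).
    """
    out = {}

    def walk(scope, already):
        if scope is None or scope in already:
            return
        walk(scope.parent, already)      # lexical parents first
        out.update(scope.params)         # inner scope overrides outer

    walk(lease_subnet, set())
    done = set(lease_subnet.ancestors())
    walk(pool, done)
    for cls in classes:
        walk(cls, done)
    if host is not None:
        walk(host, done)
    return out


def build_config(class_global):
    """The thread's dhcpd.conf as a scope tree.

    class_global=False nests the option-82 class inside subnet 172.25.254.0/24
    (the original config); True declares it at global scope (the moved config).
    """
    root = Scope("global", None, {"domain-name": "ci.lubbock.tx.us",
                                  "default-lease-time": 259200})
    sub172 = Scope("subnet 172.25.254.0/24", root, {
        "subnet-mask": "255.255.255.0", "routers": "172.25.254.1",
        "broadcast-address": "172.25.254.255"})
    pool172 = Scope("pool 172.25.254.47-49", sub172)   # allow members of class
    sub192 = Scope("subnet 192.168.50.0/23", root)
    pool192 = Scope("pool 192.168.51.x", sub192, {
        "subnet-mask": "255.255.254.0", "routers": "192.168.50.1",
        "broadcast-address": "192.168.51.255", "default-lease-time": 14400})
    # match if option agent.remote-id = ... and option agent.circuit-id = 0:11
    cls = Scope('class "ms_rm116_sw2650_hp1.0.17"',
                root if class_global else sub172)
    return {"sub172": sub172, "pool172": pool172,
            "sub192": sub192, "pool192": pool192, "class": cls}


def lease_for_192_client(class_global, matches_class=True):
    """Request attributed to 192.168.50.0/23 (giaddr or receiving interface),
    so the address comes from the 192 pool; option 82 may match the class."""
    cfg = build_config(class_global)
    return resolve(cfg["sub192"], cfg["pool192"],
                   [cfg["class"]] if matches_class else [])


def lease_for_172_client(class_global):
    """Request attributed to 172.25.254.0/24 and matching the class."""
    cfg = build_config(class_global)
    return resolve(cfg["sub172"], cfg["pool172"], [cfg["class"]])


if __name__ == "__main__":
    for flag in (False, True):
        print("class global:" if flag else "class inside subnet 172:",
              lease_for_192_client(flag))
```

With the class nested in the 172 subnet, the class's lexical parent (the 172 subnet) is not an ancestor of the lease's 192 subnet, so its `routers` and `subnet-mask` run after the 192 pool's and win; the lease time still comes from the 192 pool, which is exactly the mix in the posted ipconfig. Declaring the class globally leaves only the already-consulted global scope as its parent, and the 192 values survive.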

>From: David McGaughey <mcgoy1 at clearwire.net>
>To: "'Austin Gabel'" <agabel at gmail.com>, "'Users of ISC DHCP'" 
<dhcp-users at lists.isc.org>
>Subject: RE: Option 82 or subnet: who wins?
>Date: Sat, 14 Mar 2009 10:37:00 -0500
>Importance: Normal
>X-BeenThere: dhcp-users at lists.isc.org
>
> Guess that I am confused about what "global" means for a class.  If it means
> all class definitions are global, then by definition, it should not matter
> in what other context they are defined.  An example would be global
> variables in Perl.  If global means that classes may only be defined in a
> global context, then I'm really surprised that dhcpd didn't complain about
> it not being so!
> 
>  
> 
> My problem is not for a shared network.  It's two separate vlans (networks)
> on a single switch, each with their own subnet definition.  These two
> network definitions have two different dhcp definitions.  One where the
> pools are based not just on originating network subnet, but also on option
> 82.  The other dhcp definition is just based on subnet.  What I observe is
> that the leases are combining information from both definitions to clients
> who should not be using option 82 - based on the subnet (vlan) which their
> port is a member of on the switch.  That is to say, from the network their
> request is coming from.
> 
>  
> 
> Rearranging the class definitions into a global context did not fully
> resolve the issue.  It just looks like a bug to me - subnet should win -
> every time!  And information from different lease subnets should never  be
> mixed in a client's lease.
> 
>  
> 
> David <http://mcgoy.plumbearcat.com/>  McGaughey
> 
> Lubbock, Texas
> 
> mcgoy at plumbearcat.com
> 
> (806)438-7363
> 
>  
> 
> -----Original Message-----
> From: Austin Gabel [mailto:agabel at gmail.com] 
> Sent: Friday, March 13, 2009 2:11 PM
> To: mcgoy at plumbearcat.com; Users of ISC DHCP
> Subject: Re: Option 82 or subnet: who wins?
> 
>  
> 
> Class declarations are global. Take it out of the subnet declaration.  If
> these two subnets are on the same vlan they should be in a 'shared-network'
> declaration. The class should also be outside of this shared network. Then
> put a deny members of "ms_rm116_sw2650_hp1.0.17"; option in the 192.168.50.0
> network.
> 
> 
> 
> 
> On Fri, Mar 13, 2009 at 11:56 AM, David McGaughey <mcgoy1 at clearwire.net>
> wrote:
> 
> Greetings list!  And my apology if I've missed this somewhere in my
> googling.  I've a situation where I have an option 82 definition for a port
> on a switch and a separate subnet definition. If I plug my client into the
> switch port which has the class definition for a subnet AND I plug my dhcp
> server into the switch port next to my client - same vlan - then I get a
> mixture of the leases from both subnet definitions.  It would be nice to get
> one or the other, and not a mixture of both.  Here's the config file:
> 
>  
> 
> option domain-name "ci.lubbock.tx.us";
> option domain-name-servers 10.2.1.254, 10.2.1.253, 10.2.1.7;
> default-lease-time 259200;
> max-lease-time 259200;
> ddns-update-style none; ddns-updates off;
> authoritative;
> subnet 172.25.254.0 netmask 255.255.255.0 {
>   option subnet-mask 255.255.255.0;
>   option broadcast-address 172.25.254.255;
>   option routers 172.25.254.1;
> class "ms_rm116_sw2650_hp1.0.17"
> {
>  match if (
>          option agent.remote-id = 0:1d:b3:1f:c2:80
>      and
>          option agent.circuit-id = 0:11
>       );
> }
> pool {
>  range 172.25.254.47 172.25.254.49;
>  allow members of "ms_rm116_sw2650_hp1.0.17";
> }
> }
> subnet 192.168.50.0 netmask 255.255.254.0 {
>  pool {
>    option broadcast-address 192.168.51.255;
>    option routers 192.168.50.1;
>    option subnet-mask 255.255.254.0;
>    default-lease-time 14400;
>    max-lease-time 14400;
>    range 192.168.51.1 192.168.51.254;
>   }
> }
> 
>  
> 
> Here's what the client (ipconfig /all) got:
> 
>  Windows IP Configuration
> 
>         Host Name . . . . . . . . . . . . : WXPITIMAGE03c
>         Primary Dns Suffix  . . . . . . . : 
>         Node Type . . . . . . . . . . . . : Unknown
>         IP Routing Enabled. . . . . . . . : No
>         WINS Proxy Enabled. . . . . . . . : No
>         DNS Suffix Search List. . . . . . : ci.lubbock.tx.us
> 
> Ethernet adapter Local Area Connection 2:
> 
>         Connection-specific DNS Suffix  . : ci.lubbock.tx.us
>         Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
>         Physical Address. . . . . . . . . : 00-50-56-0F-0F-12
>         Dhcp Enabled. . . . . . . . . . . : Yes
>         Autoconfiguration Enabled . . . . : Yes
>         IP Address. . . . . . . . . . . . : 192.168.51.4
>         Subnet Mask . . . . . . . . . . . : 255.255.255.0
>         Default Gateway . . . . . . . . . : 172.25.254.1
>         DHCP Server . . . . . . . . . . . : 192.168.50.2
>         DNS Servers . . . . . . . . . . . : 10.2.1.254
>                                             10.2.1.253
>                                             10.2.1.7
>         Lease Obtained. . . . . . . . . . : Friday, March 13, 2009 11:43:21 AM
>         Lease Expires . . . . . . . . . . : Friday, March 13, 2009 3:43:21 PM
> 
>  
> 
> Note that the IP Address comes from the second subnet, which happens to be
> that of the DHCP server, but the netmask and the router come from the FIRST
> subnet definition.
> 
>  
> 
> Neither subnet is winning now.  Should one of them be the "winner" and
> assign all its information to the client?
> 
>  
> 
> David <http://mcgoy.plumbearcat.com/>  McGaughey
> 
> Lubbock, Texas
> 
> mcgoy at plumbearcat.com
> 
> (806)438-7363
> 
>  
> 
>  
> 
> 
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
> 
>  
> 
