DHCP Failover questions

Jason Frisvold frisvolj at lafayette.edu
Fri Nov 13 16:27:48 UTC 2009


Greetings,

	We recently deployed a dual-server failover solution using ISC-DHCP.
Thus far, the system has been running pretty well, but we're seeing some
odd, unexpected behavior.

	According to the documentation, the "split" variable is used to specify
the split between primary and secondary server.  As I understand it,
when a DHCPDISCOVER comes in, the request is hashed (what parts of the
request are used?) and based on the hash value, either the primary or
the secondary responds.  I would expect the hash to be identical for
each DHCPDISCOVER from the same host, correct?

	What we're seeing, however, is that both the primary and secondary
servers are responding.  And based on the nature of our network (each
switch has two connections to the core, routers are configured to
forward requests to both servers), this results in four offers being
sent to the remote client.  The client then chooses one (likely the
first that arrives) and goes through the process of acquiring the lease.

	What bothers us is that both servers are responding to the DHCPDISCOVER
packets coming in.  Why are the servers not honoring the split?  Are we
doing something wrong here?

	For completeness, here is some server information.  We're running dhcp
on a RHEL 5.4 xen host using the RHEL provided RPMS for dhcp.  According
to RPM, that means we're running version 3.0.5.  Our primary server is
configured as follows :

#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#
min-lease-time 3600;
max-lease-time 86400;
default-lease-time 86400;

allow bootp;
allow booting;

ddns-update-style ad-hoc;
ddns-updates off;

authoritative;

key OMAPI {
   algorithm hmac-md5;
   secret sooperseekritmd5hash;
};

omapi-port 7911;

failover peer "dhcp1" {
   primary;
   address 192.168.0.67;
   port 647;
   peer address 192.168.1.67;
   peer port 647;
   max-response-delay 60;
   max-unacked-updates 10;
   mclt 3600;
   split 128;
   load balance max seconds 3;
}

option domain-name "example.com";

include "/etc/dhcpd/dhcpd-primary.cfg";


And the secondary like this :


#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample
#
min-lease-time 3600;
max-lease-time 86400;
default-lease-time 86400;

allow bootp;
allow booting;

ddns-update-style ad-hoc;
ddns-updates off;

authoritative;

key OMAPI {
   algorithm hmac-md5;
   secret sooperseekritmd5hash;
};

omapi-port 7911;

failover peer "dhcp0" {
   secondary;
   address 192.168.1.67;
   port 647;
   peer address 192.167.0.67;
   peer port 647;
   max-response-delay 60;
   max-unacked-updates 10;
   mclt 3600;
   load balance max seconds 3;
}

option domain-name "example.com";

include "/etc/dhcpd/dhcpd-secondary.cfg";



The "include"ed file contains the subnets, ranges, statics, etc.  That's
all generated via a web front end.  An example of that configuration
from the primary server is as follows :

subnet 10.0.0.0 netmask 255.255.255.0 {
	option routers 10.0.0.1;
	option domain-name-servers 192.168.0.53 , 192.168.1.53;
	pool {
		deny dynamic bootp clients;
		failover peer "dhcp1";
		range 10.0.0.2 10.0.0.254;
	}
}

And the secondary is identical except for the failover peer name :

subnet 10.0.0.0 netmask 255.255.255.0 {
	option routers 10.0.0.1;
	option domain-name-servers 192.168.0.53 , 192.168.1.53;
	pool {
		deny dynamic bootp clients;
		failover peer "dhcp0";
		range 10.0.0.2 10.0.0.254;
	}
}


Any and all help is appreciated.  Thanks!

--
---------------------------
Jason Frisvold
Network Engineer
frisvolj at lafayette.edu
---------------------------
"What I cannot create, I do not understand"
   - Richard Feynman

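Added example, not part of the original message: a small Python check that the two failover peer declarations mirror each other (address/peer address, port/peer port) and that the statements dhcpd.conf(5) reserves for the primary are absent on the secondary. The stanzas are abridged copies of the ones posted above; parse_peer and check_pair are names made up for this example.

```python
import re

# Constructed, abridged excerpts of the two failover stanzas posted above.
PRIMARY = '''failover peer "dhcp1" {
   primary;
   address 192.168.0.67;
   port 647;
   peer address 192.168.1.67;
   peer port 647;
   mclt 3600;
   split 128;
}'''
SECONDARY = '''failover peer "dhcp0" {
   secondary;
   address 192.168.1.67;
   port 647;
   peer address 192.167.0.67;
   peer port 647;
   mclt 3600;
}'''

def parse_peer(text):
    """Return the statements of the first failover peer block as a dict."""
    body = re.search(r'failover\s+peer\s+"[^"]*"\s*\{(.*?)\}', text, re.S).group(1)
    peer = {}
    for stmt in filter(None, (s.strip() for s in body.split(";"))):
        words = stmt.split()
        # A bare "primary"/"secondary" is stored as the role; the rest as key -> value.
        peer["role" if len(words) == 1 else " ".join(words[:-1])] = words[-1]
    return peer

def check_pair(a, b):
    """List inconsistencies between the two halves of one failover relationship."""
    findings = []
    if {a.get("role"), b.get("role")} != {"primary", "secondary"}:
        findings.append("need exactly one primary and one secondary")
    for me, other in ((a, b), (b, a)):
        for local, remote in (("address", "peer address"), ("port", "peer port")):
            if me.get(remote) != other.get(local):
                findings.append(f"{me.get('role')}: '{remote} {me.get(remote)}' does "
                                f"not match partner's '{local} {other.get(local)}'")
        # dhcpd.conf(5): split/hba and mclt are set on the primary only.
        if me.get("role") == "secondary":
            findings += [f"secondary: '{k}' belongs on the primary only"
                         for k in ("split", "hba", "mclt") if k in me]
    return findings

if __name__ == "__main__":
    print("\n".join(check_pair(parse_peer(PRIMARY), parse_peer(SECONDARY))))
```

Run against the posted stanzas, it reports the secondary's peer address and the mclt statement on the secondary.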

