Configuring option 82

Sten Carlsen stenc at s-carlsen.dk
Fri Sep 27 14:21:41 UTC 2019



On 27/09/2019 15.59, Surya Teja wrote:
> Hi Bill,
> Do you have 40,000 clients?
> Yes, sometimes the DHCP client traffic reaches nearly 40-50k in my
> environment.
> What is your goal here?
> I want to prevent untrusted DHCP clients from requesting the server and
> filling up the leases, so I went through the internet and found that
> option 82 can provide similar functionality.
> Link I checked:
> https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=009391&lang=EN
>
This example has a few problems:
- It defines classes inside the subnet; this is not a good idea. Keep
  declarations global.
- It does not prevent unknown-clients from getting an IP from any of the
  pools; it is missing the deny unknown-clients; statement.
- allow members of "VLAN10"; denies other classes
  but does not deny unknown-clients as you seem to want.
> The setup is similar to my environment, using relay agents to forward
> the packets; I want to replicate the setup in my environment. The
> above technique is like authenticating the requests and then granting an IP.
>
>
>   
>
> On Fri, Sep 27, 2019 at 6:55 PM Bill Shirley
> <bill at c3po.polymerindustries.biz> wrote:
>
>     Yeah, I had found that web page too.  But note later on that page
>     he states about his patch:
>     This has been tested on a Xeon 2.8 Ghz server, it uses just a few
>     percent of CPU with 40.000 DHCP clients.
>     Do you have 40,000 clients?
>
>     I use many classes in my DHCP configurations on 15+ servers.  I
>     haven't had a problem
>     with DHCP eating up all the resources.
>
>     What is your goal here?  Are you wanting to assign a fixed address
>     for each client?
>
>     Bill
>
>     On 9/27/2019 7:32 AM, Surya Teja wrote:
>>     Hi Bill, thanks for the reply.
>>     Why are you avoiding the class statement?
>>     In one of the Google forums I read a statement saying:
>>     The internal implementation in ISC DHCPD of classes is such that
>>     it scales in a non-linear way - O(N^2) or something. So suddenly
>>     you'll end up with dhcpd eating 100% CPU.
>>     So I just want to avoid the classes.
>>     While surfing I found that for host declaration statements we
>>     can use syntax like (example):
>>     host client-name-1 {
>>         host-identifier option agent.circuit-id "dslam42.port22";
>>         hardware ethernet 00:e0:4c:a7:ca:de;
>>         fixed-address 192.168.0.6;
>>     }
>>     So I just want to know whether any config statements similar to the
>>     above apply to scope sections.
>>
>>     What does the agent.circuit-id and agent.remote-id contain? I
>>     can't figure out why you're using substring on these values (in
>>     your original post).
>>     It is just sample example I found in the forum, I don't have
>>     issue with directly checking without using the substring function
>>     or binary-to-ascii to cross check the values 
>>
>>     Thanks
>>      
>>
>>     On Fri, Sep 27, 2019 at 4:06 PM Bill Shirley
>>     <bill at c3po.polymerindustries.biz> wrote:
>>
>>         Options in a pool are options to be *sent* not matched.
>>
>>         Why are you avoiding the class statement? What does the
>>         agent.circuit-id and agent.remote-id contain?
>>         I can't figure out why you're using substring on these values
>>         (in your original post).
>>
>>         Bill
>>
>>         On 9/27/2019 3:44 AM, Surya Teja wrote:
>>>         Hi 
>>>         It might be too many questions, but I want to configure my
>>>         dhcpd configuration file by avoiding classes as much as
>>>         possible.
>>>         If the subnet is configured like the snippet below:
>>>         subnet 192.168.10.0 netmask 255.255.255.0 {
>>>           pool {
>>>                 range 192.168.10.10 192.168.10.199;
>>>                 option subnet-mask 255.255.255.0;
>>>                 option routers 10.1.10.1;
>>>                 option domain-name "test.com";
>>>                 option agent.circuit-id "22";
>>>                 option agent.remote-id "192.168.10.242";
>>>           }
>>>         }
>>>         can we achieve the option 82 configuration setup with the above
>>>         snippet?
>>>         Thanks in advance; any reference links for setting up
>>>         the option 82 functionality without classes would also be
>>>         appreciated.
>>>
>>>         On Thu, Sep 26, 2019 at 7:42 PM Surya Teja
>>>         <suryateja042 at gmail.com> wrote:
>>>
>>>             Hi, is option 82 supported only by using the class
>>>             concept, or can it be defined like other general options
>>>             such as domain-name server or router in the scope section?
>>>
>>>             On Tue, Sep 24, 2019 at 12:49 PM Surya Teja
>>>             <suryateja042 at gmail.com> wrote:
>>>
>>>                 Hi,
>>>                 I am trying to configure DHCP option 82. I went
>>>                 through the Google forums and one of them suggests
>>>                 syntax like this:
>>>                 # vim /etc/dhcp/dhcpd.conf
>>>                 ########################################################
>>>                 log-facility local7;
>>>                 class "VLAN10" {
>>>                         match if binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 2, 2)) = "10";
>>>                 } # VLAN10
>>>                 class "VLAN20" {
>>>                         match if ( substring(option agent.remote-id, 2, 15) = "10.5.20.4"
>>>                                 and binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 4, 2)) = "2" );
>>>                 }
>>>                 subnet 192.168.10.0 netmask 255.255.255.0 {
>>>                         pool {
>>>                                 allow members of                "VLAN10";
>>>                                 default-lease-time              600;
>>>                                 max-lease-time                  7200;
>>>                                 range                           192.168.10.1 192.168.10.199;
>>>                                 option routers                  192.168.10.254;
>>>                                 option broadcast-address        192.168.10.255;
>>>                                 option subnet-mask              255.255.255.0;
>>>                                 option domain-name-servers      4.2.2.2;
>>>                         }
>>>                 }
>>>                 subnet 192.168.20.0 netmask 255.255.255.0 {
>>>                         pool {
>>>                                 allow members of                "VLAN20";
>>>                                 default-lease-time              600;
>>>                                 max-lease-time                  7200;
>>>                                 range                           192.168.20.20 192.168.20.199;
>>>                                 option routers                  192.168.20.254;
>>>                                 option broadcast-address        192.168.20.255;
>>>                                 option subnet-mask              255.255.255.0;
>>>                                 option domain-name-servers      4.2.2.2;
>>>                         }
>>>                 }
>>>                 (Just ignore the IP values.)
>>>                 Can we configure this concept only by using classes
>>>                 and make it allow or deny like that,
>>>                 or can we use the option space concept to get it
>>>                 working (do we have any other syntax)? Thanks in advance.
>>>
>>>
>>>         _______________________________________________
>>>         dhcp-users mailing list
>>>         dhcp-users at lists.isc.org
>>>         https://lists.isc.org/mailman/listinfo/dhcp-users

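What the `match if` test in the quoted class "VLAN10" computes, as an added Python illustration that is not part of the thread or of ISC DHCP: it splits a raw option 82 payload into its RFC 3046 sub-options and models dhcpd's `substring` and `binary-to-ascii` expressions. The circuit-id layout (two header bytes followed by a 16-bit VLAN ID), the function names and the sample bytes are assumptions constructed for the example; relay agents encode these fields differently.

```python
# Added illustration; not code from the thread or from ISC DHCP.

def parse_option82(payload: bytes) -> dict:
    """Split a Relay Agent Information option (RFC 3046) into sub-options.
    Sub-option 1 is agent.circuit-id, sub-option 2 is agent.remote-id."""
    subopts, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} overruns the option")
        subopts[code] = value
        i += 2 + length
    return subopts

def substring(data: bytes, offset: int, length: int) -> bytes:
    """Model of dhcpd substring(): `length` bytes starting at `offset`."""
    return data[offset:offset + length]

def _digits(n: int, base: int) -> str:
    out = ""
    while True:
        out = "0123456789abcdef"[n % base] + out
        n //= base
        if n == 0:
            return out

def binary_to_ascii(base: int, width: int, sep: str, data: bytes) -> str:
    """Model of dhcpd binary-to-ascii(): big-endian `width`-bit numbers
    printed in `base` without zero padding, joined by `sep`."""
    step = width // 8
    return sep.join(_digits(int.from_bytes(data[i:i + step], "big"), base)
                    for i in range(0, len(data), step))

def matches_vlan10(option82: bytes) -> bool:
    """The quoted class "VLAN10" test; a packet without option 82 never matches."""
    cid = parse_option82(option82).get(1, b"")
    return binary_to_ascii(10, 16, "", substring(cid, 2, 2)) == "10"

# Constructed samples. Assumed circuit-id layout: type, length, 16-bit VLAN,
# module, port. Assumed remote-id layout: type, length, 6-byte MAC.
SAMPLE = bytes.fromhex("0106" "0004000a0116" "0208" "000600e04ca7cade")
OTHER_VLAN = bytes.fromhex("0106" "000400140116")

if __name__ == "__main__":
    print(parse_option82(SAMPLE))
    print(matches_vlan10(SAMPLE), matches_vlan10(OTHER_VLAN), matches_vlan10(b""))
```

The match is only as trustworthy as the relay agent that inserts option 82, so these bytes should be set by the relay and not accepted from the client side.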