isc-dhcp 4.4.2-p1 shared-network confusion

Philippe Maechler plcmaechler at gmail.com
Wed Jul 6 14:21:39 UTC 2022


Good Day dhcp-users

Today we had a little network hiccup which led me to some confusion about
our dhcp configs.

Should a shared-network config have a subnet section in it?

How does dhcpd know from which shared-network the addresses are given
out? Routing table?

We have the following scenario:

DHCP Server running on a FreeBSD host, which has four network interfaces.
On the local network there is no dhcpd used; all dhcpd traffic is from
relay-agents.

Networks directly on the server:

1.1.1.10/24 for management
2.2.2.10/24 for cpe
3.3.3.10/24 for voice
4.4.4.10/24 for iptv

(I think it's easier to talk about 1.1.1.1 and 2.2.2.2 than 10.254.255.0/29
and so on)

The client networks 6, 7, 10 and 20 are all behind different relay-agents.

Renewals from the clients were received on bce2 and the reply went out on
bce2,
but the discovers from the relay agent arrived on interface bce2 (2.2.2.10)
and the replies went out on bce3 (3.3.3.10).

That was not a problem at all until today when a new firewall was deployed
which had no route / firewalled that traffic.

The problem was solved as soon as we installed the missing route for that
relay-agent.

But this made me think about the pool-selection. In our case, it's
mostly done by allow-statements,
but for the shared-network part, shouldn't there be at least one physically
connected interface in the config?

The configuration dhcpd.conf network part is:



# define local networks and suppress an error/warning at startup
subnet 1.1.1.0 netmask 255.255.255.0 {
  # no dhcpd service in this subnet
}
subnet 2.2.2.0 netmask 255.255.255.0 {
  # no dhcpd service in this subnet
}
subnet 3.3.3.0 netmask 255.255.255.0 {
  # no dhcpd service in this subnet
}
subnet 4.4.4.0 netmask 255.255.255.0 {
  # no dhcpd service in this subnet
}

# relayed client networks; a bare subnet declaration is its own shared-network
subnet 6.6.6.0 netmask 255.255.255.0 {
  option routers 6.6.6.1;
  option subnet-mask 255.255.255.0;
  pool {
    range 6.6.6.10 6.6.6.254;
    allow members of "cpes";
    deny dynamic bootp clients;
  }
}

subnet 7.7.7.0 netmask 255.255.255.0 {
  option routers 7.7.7.1;
  option subnet-mask 255.255.255.0;
  pool {
    range 7.7.7.10 7.7.7.254;
    allow members of "voice";
    deny dynamic bootp clients;
  }
}

# the declared subnet must contain its routers and range; dhcpd rejects a
# range that lies outside the subnet, so 10.1.0.0/24 and 10.2.0.0/24 are used
# here to match the addresses in the pools below
shared-network "abc" {
  subnet 10.1.0.0 netmask 255.255.255.0 {
    option routers 10.1.0.1;
    option subnet-mask 255.255.255.0;
    pool {
      range 10.1.0.10 10.1.0.254;
      allow members of "iptv-group1";
      deny dynamic bootp clients;
    }
  }
  subnet 10.2.0.0 netmask 255.255.255.0 {
    option routers 10.2.0.1;
    option subnet-mask 255.255.255.0;
    pool {
      range 10.2.0.10 10.2.0.254;
      allow members of "iptv-group1";
      deny dynamic bootp clients;
    }
  }
}

shared-network "xyz" {
  subnet 20.1.0.0 netmask 255.255.255.0 {
    option routers 20.1.0.1;
    option subnet-mask 255.255.255.0;
    pool {
      range 20.1.0.10 20.1.0.254;
      allow members of "iptv-group2";
      deny dynamic bootp clients;
    }
  }
  subnet 20.2.0.0 netmask 255.255.255.0 {
    option routers 20.2.0.1;
    option subnet-mask 255.255.255.0;
    pool {
      range 20.2.0.10 20.2.0.254;
      allow members of "iptv-group2";
      deny dynamic bootp clients;
    }
  }
}



/BR

Philippe
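The selection rule the post asks about, as an added example that is not part of the original message or of ISC's code: for a relayed packet dhcpd looks up the relay agent's giaddr in its declared subnets and serves from the shared-network containing that subnet, ignoring the interface the packet arrived on; only a non-relayed packet (giaddr 0.0.0.0) is matched against the receiving interface's subnet. The reply to a relay is unicast to giaddr and leaves by whatever interface the host's routing table picks, which is the behaviour observed above. Names and classes come from the posted config; the shared-network subnets are assumed to be 10.1.0.0/24, 10.2.0.0/24, 20.1.0.0/24 and 20.2.0.0/24, the networks the posted routers and ranges lie in.

```python
from ipaddress import IPv4Address, IPv4Network

# Shared-networks from the posted dhcpd.conf: name -> [(subnet, allowed class)].
# A bare "subnet" block is its own shared-network. Subnets of abc/xyz are
# assumed to be 10.1.0.0/24 etc., where the posted ranges and routers lie.
CONFIG = {
    "6.6.6.0": [("6.6.6.0/24", "cpes")],
    "7.7.7.0": [("7.7.7.0/24", "voice")],
    "abc": [("10.1.0.0/24", "iptv-group1"), ("10.2.0.0/24", "iptv-group1")],
    "xyz": [("20.1.0.0/24", "iptv-group2"), ("20.2.0.0/24", "iptv-group2")],
}
# Directly attached networks: declared so dhcpd accepts the interfaces, no pools.
LOCAL = ["1.1.1.0/24", "2.2.2.0/24", "3.3.3.0/24", "4.4.4.0/24"]


def select_shared_network(giaddr, iface_addr):
    """Name of the shared-network dhcpd would serve from, or None when the
    request matches no declared subnet (dhcpd logs it as an unknown network
    segment and answers nothing)."""
    key = IPv4Address(giaddr)
    if key == IPv4Address("0.0.0.0"):    # not relayed: use receiving interface
        key = IPv4Address(iface_addr)
    for name, subnets in CONFIG.items():
        if any(key in IPv4Network(cidr) for cidr, _ in subnets):
            return name
    for cidr in LOCAL:                    # declared but without a pool: no lease
        if key in IPv4Network(cidr):
            return "local " + cidr
    return None


def eligible_pools(giaddr, iface_addr, client_classes):
    """Subnets whose pool may hand this client a lease: every pool in the
    selected shared-network whose allow clause names one of its classes."""
    name = select_shared_network(giaddr, iface_addr)
    if name not in CONFIG:
        return []
    return [cidr for cidr, cls in CONFIG[name] if cls in client_classes]


if __name__ == "__main__":
    # Constructed case from the post: the relay for 10.2.0.0/24 reaches dhcpd on
    # bce2 (2.2.2.10). bce2 plays no part in selection; the reply is unicast to
    # giaddr 10.2.0.1 and routed, which is why it left via bce3.
    print(select_shared_network("10.2.0.1", "2.2.2.10"))   # abc
    print(eligible_pools("10.2.0.1", "2.2.2.10", {"iptv-group1"}))
```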