DHCP Management Across a Diversified Network?
ET Admin writes "I work for a small Wireless ISP, where we are deploying new network hardware to allow for growth and contain broadcast traffic. All routing/switching equipment is Cisco. We use Linux stand-alone boxes and VMs (running on Win 2003 boxes). We have decided on a hybrid VLAN layout where we have certain VLANs limited by location, and other VLANs that are global across the network. And I want DHCP served across it all. Does anyone have experience with IPAM software that handles multiple DHCP servers? Our network is small so spending a couple grand is overkill at this point. Any recommendations to help me decide between serving DHCP from the Nix boxes, or from the Cisco gear? Knowing that a single DHCP server will handle from 100-500 hosts."
DHCP Relaying (Score:5, Informative)
Set up DHCP relaying on the switches to forward/relay all DHCP requests across the VLANs and subnets to one (or two) DHCP servers
Re:DHCP Relaying (Score:4, Informative)
Done in one. You can even train ISC DHCP to give out different pools based on the primary IP address of the gateway for a particular VLAN. At that point all you have to worry about are keeping the pools "fed".
Re:DHCP Relaying (Score:5, Informative)
Or two dhcp servers. Just in case the path to the first dhcp server is unavailable
http://www.madboa.com/geek/dhcp-failover/ [madboa.com]
Re:DHCP Relaying (Score:5, Informative)
DHCP Relay Agent in Cisco Routers
Cisco routers support DHCP relay agents through the ip helper-address command. To enable ip helper-address on an interface that will receive client BOOTP/DHCP broadcasts, from global configuration mode:
Router(config)# interface fa 0/0
Router(config-if)# ip helper-address 10.10.10.1
Router(config-if)# ip helper-address 10.10.10.2
Re:DHCP Relaying (Score:4, Informative)
One of my main goals in this design is to limit broadcasts outside of each subnet, and ip helper obviously punches a hole in that philosophy.
ip helper doesn't forward as broadcasts. When the router on the host's segment detects the broadcast DHCP request, it forwards it directly to the next hop (just like any router does with a non-broadcast packet).
Re: (Score:1)
We're using ip helper forwarding to two ISC dhcp3 servers (on linux) with a load balance / failover setup. Works just dandy for a few thousand users and 200+ subnets.
Separate pools and subnets per vlan and all that stuff, of course. I'm sure there are howtos on the web..
Re: (Score:3, Informative)
This is definitely the way to go. If for some reason you cannot do this (as was once the case for me*), you can set up a PC on the network segment to act as a DHCP relay (the ISC DHCP distribution comes with a relay agent). On a network where we had more control, we set up a tunnel between the routers to forward the DHCP packets.
* The network involved military encryption devices which could not be configured to forward broadcast packets. I put together a Linux system that booted from a floppy, used arping t
I have the solution you need... (Score:4, Informative)
http://lmgtfy.com/?q=cisco+dhcp+relay&l=1 [lmgtfy.com]
You can easily run hundreds of thousands of hosts off a single DHCP server. It is not cpu intensive particularly if you have a decent lease duration.
Re: (Score:2)
We have about 1400 regular hosts and a large migrant (student notebook) population, i.e. more hosts than IPs, so we have a much shorter lease time (30 minutes I think) and DHCP relay. The machine is bored to tears. Not sure of the 100-500 hosts line in the post.
Re: (Score:2)
I'll do better than that. ~10 years ago I visited the racks of a major cable internet provider in the Netherlands. There stood a lonely old Pentium 3 tower, in fading brown/beige colors, between the fancy rackmounted Cisco equipment, providing DHCP for a ~750,000 resident area in which that provider was basically the monopoly for cable internet.
True story.
Re: (Score:2)
That probably worked just fine, too.
Contrast that to the horror story I found at an ISP. I was the manager of the technical staff (servers and network) at a medium-sized ISP that went through a rash of acquisitions before being acquired itself. One ISP we bought had a Pentium 133 in an AT desktop case with 256 megabytes of RAM. It ran NT 4, and it did pretty much everything but offer the network ports. It was serving primary and secondary RADIUS for auth and logging. It did primary and secondary DNS, both
Re:I have the solution you need... (Score:5, Informative)
Also, here's a small sample config for serving a particular pool on a particular interface (which would be the vlan "interface" on the Cisco), easily found on Google:
class "vlan1234" {
  # Relay agent information (option 82) inserted by the switch on the way in:
  # remote-id is the switch's MAC, circuit-id is the interface number.
  match if (
    (binary-to-ascii(16, 8, ".", option agent.remote-id) = "0.15.63.ab.52.16")
    and
    (binary-to-ascii(10, 8, ".", option agent.circuit-id) = "0.0.0.47")
  );
}
# A pool has to sit inside a subnet (or shared-network) declaration; on its own
# dhcpd rejects it. The subnet is the one behind the VLAN interface that relays.
subnet 192.168.100.0 netmask 255.255.255.0 {
  pool {
    range 192.168.100.5 192.168.100.254;
    max-lease-time 300;
    option subnet-mask 255.255.255.0;
    option routers 192.168.100.1;
    allow members of "vlan1234";
  }
}
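The Python below is an added example, not code from the thread or from ISC: it builds a client's DHCPDISCOVER, applies what the relay agent described earlier does before unicasting it to the helper address (fill giaddr, bump hops, append option 82 with circuit-id and remote-id), and then evaluates the same "match if" expression as the class above. The switch MAC, interface number and gateway address are constructed to fit the sample config, and binary_to_ascii mirrors dhcpd's function only for the width and bases used here.

```python
"""Relay agent + option 82 as seen by the dhcpd class above (constructed values)."""
import struct

COOKIE = b"\x63\x82\x53\x63"                  # DHCP magic cookie; options follow it
SWITCH_MAC = bytes.fromhex("001563ab5216")    # remote-id: switch MAC, constructed sample
CIRCUIT_ID = bytes((0, 0, 0, 47))             # circuit-id: interface number 47
GATEWAY_IP = bytes((192, 168, 100, 1))        # VLAN interface carrying ip helper-address

def tlv(code: int, value: bytes) -> bytes:
    return bytes((code, len(value))) + value

def parse_tlv(data: bytes) -> dict:
    """Decode a code/length/value list: DHCP options, or the suboptions inside option 82."""
    out, i = {}, 0
    while i < len(data) and data[i] != 255:       # 255 = end marker
        if data[i] == 0:                            # 0 = pad byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        out[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def discover(client_mac: bytes, xid: int = 0x1234) -> bytes:
    """A minimal DHCPDISCOVER as the client broadcasts it: hops 0, giaddr 0, no option 82."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), bytes(4), client_mac.ljust(16, b"\0"))
    return hdr + bytes(192) + COOKIE + tlv(53, b"\x01") + b"\xff"   # sname/file zeroed

def relay(pkt: bytes, gateway_ip: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """What ip helper-address does before unicasting to the server: set giaddr if zero,
    bump hops, append option 82 (RFC 3046: suboption 1 = circuit-id, 2 = remote-id)."""
    giaddr = pkt[24:28] if pkt[24:28] != bytes(4) else gateway_ip
    opts = b"".join(tlv(c, v) for c, v in parse_tlv(pkt[240:]).items())
    agent = tlv(82, tlv(1, circuit_id) + tlv(2, remote_id))
    return (pkt[:3] + bytes((pkt[3] + 1,)) + pkt[4:24] + giaddr + pkt[28:240]
            + opts + agent + b"\xff")

def binary_to_ascii(base: int, width: int, sep: str, data: bytes) -> str:
    """Mirror of dhcpd's binary-to-ascii() for width 8 and base 8/10/16: no zero padding."""
    assert width == 8
    return sep.join(format(b, {8: "o", 10: "d", 16: "x"}[base]) for b in data)

def matches_vlan1234(pkt: bytes) -> bool:
    """The 'match if' expression of class "vlan1234" from the config above."""
    sub = parse_tlv(parse_tlv(pkt[240:]).get(82, b""))
    return (binary_to_ascii(16, 8, ".", sub.get(2, b"")) == "0.15.63.ab.52.16"
            and binary_to_ascii(10, 8, ".", sub.get(1, b"")) == "0.0.0.47")
```

Calling matches_vlan1234 on discover(...) returns False and on relay(discover(...), GATEWAY_IP, CIRCUIT_ID, SWITCH_MAC) returns True; change the circuit-id's last byte and the class no longer matches, which is the usual reason a per-port pool "silently" hands out nothing.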
Re: (Score:3, Insightful)
It's interesting because lmgtfy is as much about knowing waht to google as to google it. Oftne if I ask a dumb quesiton, all I need are google keywords.
Re: (Score:1, Funny)
It's interesting because lmgtfy is as much about knowing waht to google as to google it. Oftne if I ask a dumb quesiton, all I need are google keywords.
http://lmgtfy.com/?q=English+spelling+and+grammar+lessons [lmgtfy.com]
Re: (Score:2)
Even better, run it from a [open]solaris zone.
phpdhcpadmin (Score:3, Informative)
Someone in house here created it, and we use it across multiple vlans from a Gentoo box. It uses the ISC DHCPD server.
http://phpdhcpadmin.sourceforge.net
Go IPV6 and leave DHCP in the dust (Score:2, Interesting)
DHCP not used in IPV6 protocol
Re: (Score:2)
4294967296 addresses should be enough for anyone.
Re: (Score:1)
There's always DHCPv6.
Re: (Score:2)
And the 'transparent proxy' solution will break everything except HTTP, most notably, HTTPS.
You can communicate with IPv6 hosts from an IPv4 address (via 6to4 encapsulation).
But you cannot communicate with IPv4-only hosts using an IPv6 address without a proxy.
Re: (Score:3, Insightful)
Yeah, because as a wireless ISP you can totally require your clients to support IPv6. Wait, no, that's not right.
Use the Unix/Linux boxes.... (Score:5, Interesting)
Using Unix/Linux you can set up failover servers so that if one does not respond, the other will take over the requests; that way you will not lose DHCP across your entire network due to hardware/software issues on a single system. Go read up on dhcpd; it is not too difficult to understand, and is really probably your best low-cost solution.
Re: (Score:1)
Agreed. ISC dhcpd is so trivial to set up, and places hardly any load on the system at all, that I don't see why you wouldn't use it in that case. I've personally run dhcpd servers serving 1,000 nodes or more without a lick of trouble, running on old PCs that were just lying around. We had a couple of failover servers on each VLAN and ultimately we never had any DHCP downtime, ever. Well, actually we did once, but that's because the POS Cisco switch the DHCP servers were plugged into totally failed for re
Use the Unix/Linux boxes Luke.... (Score:2)
Fixed your title for you.
You need Cisco gear (Score:3, Interesting)
You need to use DHCP snooping to block rogue DHCP servers and block packets with forged MAC addresses on untrusted interfaces
You need IP source guard to block forged IP addresses on untrusted interfaces
Otherwise, you are at risk of DOS and/or compromise from malicious users, and at risk of instability and insanity caused by users who plug a rogue DHCP server (even something as simple as the LAN side of a Linksys gateway) into your gear.
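As an added example (not from the thread and not vendor code), this Python models the decision rules the two features above implement: DHCP snooping decides which ports may carry server replies and learns the binding table from real ACKs, and IP source guard then restricts each untrusted port to the address leased to its MAC. The frames, MACs and port names are constructed.

```python
"""DHCP snooping and IP source guard decision logic, modelled with constructed frames."""
from dataclasses import dataclass, field

@dataclass
class Frame:
    port: str                 # ingress switch port
    src_mac: str              # Ethernet source address of the frame
    src_ip: str               # IP source address ("0.0.0.0" for a client without a lease yet)
    dhcp_type: int = 0        # 0 = ordinary IP traffic, else DHCP message type (option 53)
    chaddr: str = ""          # client hardware address field inside the DHCP payload
    yiaddr: str = ""          # address the server hands out in an OFFER/ACK

@dataclass
class SnoopingSwitch:
    trusted: set                                     # ports toward real DHCP servers/uplinks
    client_port: dict = field(default_factory=dict)  # chaddr -> port that sent the request
    bindings: dict = field(default_factory=dict)     # (port, mac) -> IP leased by a real server

    def dhcp_filter(self, f: Frame) -> str:
        """DHCP snooping: police DHCP on untrusted ports, learn bindings from trusted ACKs."""
        if f.port not in self.trusted:
            if f.dhcp_type in (2, 5, 6):              # OFFER/ACK/NAK from an untrusted port
                return "drop: DHCP server message on untrusted port"
            if f.chaddr != f.src_mac:
                return "drop: chaddr does not match frame source MAC"
            self.client_port[f.chaddr] = f.port
        elif f.dhcp_type == 5 and f.chaddr in self.client_port:   # DHCPACK from a real server
            self.bindings[(self.client_port[f.chaddr], f.chaddr)] = f.yiaddr
        return "forward"

    def source_guard(self, f: Frame) -> str:
        """IP source guard: an untrusted port may only source the IP leased to its MAC."""
        if f.port in self.trusted or self.bindings.get((f.port, f.src_mac)) == f.src_ip:
            return "forward"
        return "drop: source IP not in DHCP snooping binding table"

def run_scenario() -> list:
    """Constructed sequence: a lease is granted, then a rogue server and two spoofs appear."""
    sw = SnoopingSwitch(trusted={"Gi0/24"})
    client, server, rogue = "00:11:22:33:44:55", "00:0c:29:12:34:56", "00:aa:bb:cc:dd:ee"
    frames = [
        Frame("Gi0/3", client, "0.0.0.0", 1, client),                          # DISCOVER
        Frame("Gi0/24", server, "192.168.100.2", 5, client, "192.168.100.50"),  # ACK, trusted port
        Frame("Gi0/7", rogue, "192.168.1.1", 2, client, "192.168.1.50"),        # OFFER from a rogue
        Frame("Gi0/5", rogue, "0.0.0.0", 3, client),                            # REQUEST, chaddr forged
        Frame("Gi0/3", client, "192.168.100.50"),                               # traffic from leased IP
        Frame("Gi0/3", client, "192.168.100.1"),                                # traffic as the gateway
    ]
    return [sw.dhcp_filter(f) if f.dhcp_type else sw.source_guard(f) for f in frames]
```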
Re: (Score:1, Interesting)
You can do this with Procurve too... and Enterasys.
Don't be a crony ;)
Re: (Score:2)
Why the hell should he buy new equipment? He's already got Cisco, and Cisco does it.
Man, do you normally buy new gear that does exactly what your current gear does, just because the new gear has a cheaper price tag on it? What a complete waste of money.
You sound like a project manager for my company, only they usually go from less expensive perfectly capable current equipment to more expensive less capable new equipment.
PM: "We need "
Engineer: "Why?"
PM: "Because, it does X, Y, and Z, and we need that!"
E: "
Re: (Score:2)
Damn my lack of previewing!!
The missing information is, from top to bottom:
"new expensive product A"
and
"older currently installed less expensive but more functional product B"
Kudos if you find where the second goes, it might not be blatantly obvious at first. ;)
Re: (Score:3, Insightful)
That's not an absolute. You should use VLAN segmentation (and possibly private VLANs) to separate untrusted networks.
That way if there is a rogue DHCP server, its effects are isolated to the untrusted LAN it came from.
The L2 filtering features you are thinking of are actually inadequate to stop a sophisticated attacker, because those features can be defeated, or don't address all possible Layer 2 spoofing and traffic hijacking tricks.
DNSMasq (Score:4, Informative)
Nice answer Slashdotters. (Score:5, Insightful)
Re:Nice answer Slashdotters. (Score:5, Insightful)
You sound like the idiot, for not realizing that people get stuck with jobs all the time for which they have not been fully trained. For myself, I'm an engineer who was asked to 'setup your own lab'. I'm not an IT type, I'm an electrical engineer specializing in circuit design. Yet, I've been handed the job of configuring 40 linux servers, DNS, DHCP, Cisco switches, multiple VLANs, and so forth simply because 'there's no one else to do it and no one is hiring anyone'. Sure, my company might be cheap for not providing IT services for my lab, but they're on a budget and extra employees are expensive. Only when the expense of having me configure my own DHCP services exceeds the expense of hiring someone to do it for me will they consider hiring someone external. And only then if they know the new hire will be used elsewhere.
So guess what? This guy's question is exactly the kind of information I can use to help me overcome my own problems. Ask Slashdot seems to be doing its job quite nicely in this respect.
I'll echo everybody else.... (Score:1)
Re: (Score:2, Interesting)
Hey, wait, VMware server's still an option for production servers. Several years ago, it was a commercial product called VMware GSX server.
"Small wireless ISP" doesn't exactly strike me as the type of user, who would be deploying an Oracle RAC cluster with a load of 10k transactions per second, and an Exchange 2007 server with 5000 mailboxes, processing 10 messages per second.
GSX was the version for production servers in a small environment. ESX was the high-end uber-expensive version for running massi
Re: (Score:1)
My opinion of ESXi is it's great, but you really need VMotion with it, because (among other things) ESXi seems more prone to instability of the management interface, mainly because it has fewer allocated resources.
Well, I've seen the ESXi "thin management interface" running out of memory, such that the VI client could barely connect, and such, it's not fun, and requires a reboot of the machine, since there's no proper console to SSH in on. I've had unique instability issues with ESXi. And also been hit by
Re: (Score:1)
For 100-500 leases, I would set it up on the Cisco boxes.... also ensures the zero-cost approach, which always makes management happy.
Some VLANs globally??? (Score:1, Informative)
I don't know enough about your environment but hopefully you know that that isn't a possibility across Layer 3 devices (and when I say VLANs, I assume that you are talking about an IP segment and not just a VLAN number). That said, the "ip dhcp helper" or DHCP relay I think is what you are looking for. This way you can have 1 DHCP server serving numerous VLANs or L3 IP segments. If you have more specific questions feel free to reach out to me.
Carl Fugate
carl@iprouteradmin.com
BLOG: www.iprouteradmin.com
R
Re: (Score:3, Funny)
I get the strong impression you might be in way over your head with less than 3 years experience. You're asking about implementing technologies which you don't fully understand yet. The risk here is that you might get a solution that works, but it will be horribly insecure.
VLANs are layer 2. Subnetting is at the layer three level and normally coincides with the layer 2 VLANs you create (but not always). While you can have VLANs spread across large regions, you defeat most of the benefits of using a vl
Just use your existing gear (Score:2)
Using one or two of your Win2003 boxes, create multiple DHCP scopes for your multiple networks/subnets. Then just use the "ip helper-address" on your cisco gear to allow the DHCP requests to make it to your servers. Done. I do this at my company with 50+ VLANs.
Cost = $0.
CNR (Score:2)
Support? (Score:1)
I have to ask, who will be monitoring and supporting this architecture?
Re: (Score:1)
I meant 24/7 type monitoring ... ie: some system bites the dust, etc.
Carnegie Mellon's NetReg (Score:3, Informative)
Rather than just repeating what I've said before when the subject of IP Address Management came up on slashdot, I'll just link to it [slashdot.org].
Note: While the project has been pretty quiet for quite some time now, that's mostly because the system is very stable and there hasn't been a lot of major new development in the last couple of years. I used to be one of the core developers of the system before I moved on to another job, but it's still in active use by many sites.
Weird-Solutions. (Score:2)
I would have a look at http://www.weird-solutions.com/ [weird-solutions.com]
They produce some cutting edge DHCP and provisioning software for amongst others the ISP market. Furthermore their staff are incredibly knowledgeable.
OpenNetAdmin (Score:1)
As many people here have suggested, ISC DHCP server has no trouble with this and can handle many subnets and pool combinations from one or more servers. Then with the combination of ip helper-address on Cisco platforms you can control which server(s) handle the network. Throw DHCP-Failover into the mix and make it redundant.
To manage all this I'd suggest OpenNetAdmin [opennetadmin.com]. It is geared to manage as any IPAM would, your address space. It can also be instructed to manage mult