Slashdot Mirror


DHCP Management Across a Diversified Network?

ET Admin writes "I work for a small Wireless ISP, where we are deploying new network hardware to allow for growth and contain broadcast traffic. All routing/switching equipment is Cisco. We use Linux stand-alone boxes and VMs (running on Win 2003 boxes). We have decided on a hybrid VLAN layout where we have certain VLANs limited by location, and other VLANs that are global across the network. And I want DHCP served across it all. Does anyone have experience with IPAM software that handles multiple DHCP servers? Our network is small so spending a couple grand is overkill at this point. Any recommendations to help me decide between serving DHCP from the Nix boxes, or from the Cisco gear? Knowing that a single DHCP server will handle from 100-500 hosts."

24 of 100 comments

  1. DHCP Relaying by Anonymous Coward · · Score: 5, Informative

    Set up DHCP relaying on the switches to forward/relay all DHCP requests across the VLANs and subnets to one (or two) DHCP servers.

    1. Re:DHCP Relaying by TaliesinWI · · Score: 3, Informative

      Done in one. You can even train ISC DHCP to give out different pools based on the primary IP address of the gateway for a particular VLAN. At that point all you have to worry about are keeping the pools "fed".

    2. Re:DHCP Relaying by Anonymous Coward · · Score: 5, Informative

      DHCP Relay Agent in Cisco Routers

      Cisco routers support DHCP relay agents via the ip helper-address command. Enable ip helper-address on the interface that will receive client BOOTP/DHCP broadcasts.

      From global configuration mode:

      Router(config)# interface fa 0/0
      Router(config-if)# ip helper-address 10.10.10.1
      Router(config-if)# ip helper-address 10.10.10.2

    3. Re:DHCP Relaying by cr0nj0b · · Score: 5, Informative

      Or two dhcp servers. Just in case the path to the first dhcp server is unavailable

      http://www.madboa.com/geek/dhcp-failover/

    4. Re:DHCP Relaying by Curien · · Score: 2, Informative

      This is definitely the way to go. If for some reason you cannot do this (as was once the case for me*), you can set up a PC on the network segment to act as a DHCP relay (the ISC DHCP distribution comes with a relay agent). On a network where we had more control, we set up a tunnel between the routers to forward the DHCP packets.

      * The network involved military encryption devices which could not be configured to forward broadcast packets. I put together a Linux system that booted from a floppy, used arping to figure out the IP address of the router (to determine which network segment it was on), read a config file from the floppy that contained the segment-specific settings, and started the dhcrelay process. Since the system ran entirely from a ramdisk, the security office allowed us to leave it on even when the area was secured.

      --
      It's always a long day... 86400 doesn't fit into a short.
    5. Re:DHCP Relaying by ET+Admin · · Score: 2, Interesting

      I am definitely leaning this way. I currently have 2 hosts on the new network, and I just set them up as DHCP pools on the cisco gear to get them up and running, which got me looking at the capabilities of the Cisco gear. DHCP databases served via TFTP to all the field routers (3550's serving DHCP) was the other option I was looking at, but using ip helper to point to a central linux box sure seems easier. One of my main goals in this design is to limit broadcasts outside of each subnet, and ip helper obviously punches a hole in that philosophy. I can, and I will limit the protocols that ip helper transfers. I am thrilled to be getting all these suggestions and other ideas. Thanks

    6. Re:DHCP Relaying by Curien · · Score: 3, Informative

      One of my main goals in this design is to limit broadcasts outside of each subnet, and ip helper obviously punches a hole in that philosophy.

      ip helper doesn't forward as broadcasts. When the router on the host's segment detects the broadcast DHCP request, it forwards it directly to the next hop (just like any router does with a non-broadcast packet).

      --
      It's always a long day... 86400 doesn't fit into a short.
  2. I have the solution you need... by poptix_work · · Score: 3, Informative

    http://lmgtfy.com/?q=cisco+dhcp+relay&l=1

    You can easily run hundreds of thousands of hosts off a single DHCP server. It is not cpu intensive particularly if you have a decent lease duration.

    --
    Just because you disagree doesn't make it offtopic or flamebait.
    1. Re:I have the solution you need... by rmadmin · · Score: 2, Interesting

      I concur.. I have over 2000 hosts covered with my DHCP server, 24 hour lease, the server never breaks 0.00 loads. We also use DHCP-Relay in about 5 places across the network. It's tasty :)

    2. Re:I have the solution you need... by poptix_work · · Score: 5, Informative

      Also, here's a small sample config for serving a particular pool on a particular interface (which would be the vlan "interface" on the Cisco), easily found on Google:

      class "vlan1234" {
          # Match on the relay agent information (Option 82) the switch inserts.
          match if (
              (binary-to-ascii(16, 8, ".", option agent.remote-id) = "0.15.63.ab.52.16")  # This is the MAC of the switch
              and
              (binary-to-ascii(10, 8, ".", option agent.circuit-id) = "0.0.0.47")         # This is the interface number
          );
      }

      # dhcpd requires a pool to sit inside a subnet (or shared-network) declaration.
      subnet 192.168.100.0 netmask 255.255.255.0 {
          pool {
              range 192.168.100.5 192.168.100.254;
              max-lease-time 300;

              option subnet-mask 255.255.255.0;
              option routers 192.168.100.1;
              allow members of "vlan1234";
          }
      }

      --
      Just because you disagree doesn't make it offtopic or flamebait.
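An added example, not code from the thread or any poster, tying together TaliesinWI's point about choosing pools by the gateway address, Curien's note that the relay forwards the request as unicast with giaddr set, and the Option 82 class above: it builds a constructed relayed DHCPDISCOVER, selects a pool by giaddr, and evaluates the class "vlan1234" match with a Python rendering of ISC's binary-to-ascii(). The pool names, the 10.20.0.0/24 subnet and the client MAC are made up for illustration.

```python
"""Constructed example (not from the thread): a DHCP server handling a request
forwarded by a Cisco ip helper-address relay. The relay unicasts the client's
broadcast with giaddr set to its own address and may append Option 82."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Hypothetical pools keyed by the relay's subnet (giaddr), per TaliesinWI's remark.
POOLS = {ipaddress.ip_network("192.168.100.0/24"): "pool-vlan1234",
         ipaddress.ip_network("10.20.0.0/24"): "pool-site-b"}

def binary_to_ascii(base, width, sep, data):
    """ISC dhcpd binary-to-ascii() for width 8: one unpadded token per byte."""
    fmt = {8: "{:o}", 10: "{:d}", 16: "{:x}"}[base]
    return sep.join(fmt.format(b) for b in data)

def parse_tlv(raw):
    """DHCP options and Option 82 sub-options share the code/len/value layout."""
    out, i = {}, 0
    while i < len(raw) and raw[i] != 255:          # 255 = end option
        if raw[i] == 0:                            # 0 = pad byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        out[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return out

def build_discover(giaddr, circuit_id, remote_id):
    """Constructed relayed DHCPDISCOVER: hops=1 and giaddr filled in by the relay."""
    hdr = struct.pack("!BBBBIHH12s4s", 1, 1, 6, 1, 0x3903F326, 0, 0x8000,
                      b"\0" * 12, ipaddress.ip_address(giaddr).packed)
    hdr += bytes.fromhex("0a0b0c0d0e0f") + b"\0" * 10  # chaddr, 16 bytes (made-up MAC)
    hdr += b"\0" * 192                                  # sname + file
    sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    opts = bytes([53, 1, 1]) + bytes([82, len(sub)]) + sub + b"\xff"  # 53 = DISCOVER
    return hdr + MAGIC_COOKIE + opts

def select_pool(pkt):
    """Returns (pool or None, Option 82 sub-options). No subnet matching
    giaddr means the server must ignore the request, not guess a pool."""
    op, *_, giaddr = struct.unpack("!BBBBIHH12s4s", pkt[:28])
    if op != 1 or pkt[236:240] != MAGIC_COOKIE:
        return None, {}
    agent = parse_tlv(parse_tlv(pkt[240:]).get(82, b""))
    gi = ipaddress.ip_address(giaddr)
    return next((n for net, n in POOLS.items() if gi in net), None), agent

def matches_vlan1234(agent):
    """The thread's class "vlan1234" match expression, evaluated in Python."""
    return (binary_to_ascii(16, 8, ".", agent.get(2, b"")) == "0.15.63.ab.52.16"
            and binary_to_ascii(10, 8, ".", agent.get(1, b"")) == "0.0.0.47")
```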
    3. Re:I have the solution you need... by calmofthestorm · · Score: 2, Insightful

      It's interesting because lmgtfy is as much about knowing what to google as to google it. Often if I ask a dumb question, all I need are google keywords.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  3. phpdhcpadmin by Anonymous Coward · · Score: 3, Informative

    Someone in house here created it, and we use it across multiple vlans from a Gentoo box. It uses the ISC DHCPD server.

    http://phpdhcpadmin.sourceforge.net

  4. Use the Unix/Linux boxes.... by Fallen+Kell · · Score: 5, Interesting

    Seriously, do not use the Cisco gear to handle the DHCP. There are several ways to handle this: either have a system with an interface on all the networks, or set up your Cisco gear to forward the DHCP requests to the one subnet that does have your system.

    By using Unix/Linux you can set up failover servers so that if one does not respond, the other will take over the requests; that way you will not lose DHCP across your entire network due to hardware/software issues on a single system. Go read up on dhcpd; it is not too difficult to understand, and is really probably your best low-cost solution.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  5. You need Cisco gear by Anonymous Coward · · Score: 3, Interesting

    You need to use DHCP snooping to block rogue DHCP servers and block packets with forged MAC addresses on untrusted interfaces.

    You need IP source guard to block forged IP addresses on untrusted interfaces.

    Otherwise, you are at risk of DoS and/or compromise from malicious users, and at risk of instability and insanity caused by users who plug a rogue DHCP server (even something as simple as the LAN side of a Linksys gateway) into your gear.

    1. Re:You need Cisco gear by mysidia · · Score: 3, Insightful

      That's not an absolute. You should use VLAN segmentation (and possibly private VLANs) to separate untrusted networks.

      That way if there is a rogue DHCP server, its effects are isolated to the untrusted LAN it came from.

      The L2 filtering features you are thinking of are actually inadequate to stop a sophisticated attacker, because those features can be defeated, or don't address all possible Layer 2 spoofing and traffic hijacking tricks.

  6. Re:Go IPV6 and leave DHCP in the dust by Imagix · · Score: 4, Informative

    Ahem... never heard of RFC 3315? DHCPv6 still has a place in an IPv6 network.

  7. DNSMasq by TheRealMindChild · · Score: 3, Informative

    DNSMasq. Nuff said.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  8. Nice answer Slashdotters. by bluephone · · Score: 5, Insightful

    To everyone who tagged this "domyjobforme", I hope every single one of you gets the same response the next time you ask for help doing your job. At least this guy had the sense to say, "Hey, there's a community of people that contains a multitude of experts in many fields, I bet someone might have some good suggestions." And guess what else? Maybe some readers will find the suggestions helpful too. Ask Slashdot is for questions that the general community might find interesting and helpful, not just one guy. It's not just about the submitter, and it's certainly not about your need to be snide to those who recognize their shortcomings and try to expand their base of knowledge.

    --
    jX [ Make everything as simple as possible, but no simpler. - Einstein ]
    1. Re:Nice answer Slashdotters. by Anonymous Coward · · Score: 5, Insightful

      You sound like the idiot, for not realizing that people get stuck with jobs all the time for which they have not been fully trained. For myself, I'm an engineer who was asked to 'setup your own lab'. I'm not an IT type, I'm an electrical engineer specializing in circuit design. Yet, I've been handed the job of configuring 40 linux servers, DNS, DHCP, Cisco switches, multiple VLANs, and so forth simply because 'there's no one else to do it and no one is hiring anyone'. Sure, my company might be cheap for not providing IT services for my lab, but they're on a budget and extra employees are expensive. Only when the expense of having me configure my own DHCP services exceeds the expense of hiring someone to do it for me will they consider hiring someone external. And only then if they know the new hire will be used elsewhere.

      So guess what? This guy's question is exactly the kind of information I can use to help me overcome my own problems. Ask Slashdot seems to be doing its job quite nicely in this respect.

  9. Re:Go IPV6 and leave DHCP in the dust by Spookticus · · Score: 2, Funny

    Why's that, IPv6 thinks it's too good for DHCP?

  10. Re:VMs on win2k3 machines by mysidia · · Score: 2, Interesting

    Hey, wait, VMware server's still an option for production servers. Several years ago, it was a commercial product called VMware GSX server.

    "Small wireless ISP" doesn't exactly strike me as the type of user who would be deploying an Oracle RAC cluster with a load of 10k transactions per second, and an Exchange 2007 server with 5000 mailboxes, processing 10 messages per second.

    GSX was the version for production servers in a small environment. ESX was the high-end uber-expensive version for running massive numbers of servers on a dedicated host in a large environment.

    Server hardware in common use has gotten a lot better, much more powerful, since then. And VMware Server is no worse than GSX.

    If your workload is suitable for that type of virtualization, GSX should be okay.

    Yeah, ESX is a lot better, can handle many more VMs, and can virtualize many high-end workloads effectively that weren't even VM-suitable under GSX/VMware server.

    ESXi is less mature, and probably not as suitable as ESX.

  11. Re:Go IPV6 and leave DHCP in the dust by miscellaneous · · Score: 2, Insightful

    Yeah, because as a wireless ISP you can totally require your clients to support IPv6. Wait, no, that's not right.

    --
    -k. ^-^ ^D
  12. Carnegie Mellon's NetReg by vitroth · · Score: 3, Informative

    Carnegie Mellon's NetReg is an open source system that provides a pretty complete IP Address Management toolset, including management of DNS & DHCP configurations for ISC bind/dhcpd. It can manage ISC dhcpd's failover configuration, and multiple server groups, etc.

    Rather than just repeating what I've said before when the subject of IP Address Management came up on Slashdot, I'll just link to it.

    Note: While the project has been pretty quiet for quite some time now, that's mostly because the system is very stable and there hasn't been a lot of major new development in the last couple of years. I used to be one of the core developers of the system before I moved on to another job, but it's still in active use by many sites.

  13. Re:Some VLAN's globally??? by fluffy99 · · Score: 2, Funny

    I get the strong impression you might be in way over your head with less than 3 years experience. You're asking about implementing technologies which you don't fully understand yet. The risk here is that you might get a solution that works, but it will be horribly insecure.

    VLANs are layer 2. Subnetting is at the layer three level and normally coincides with the layer 2 VLANs you create (but not always). While you can have VLANs spread across large regions, you defeat most of the benefits of using a VLAN such as limiting broadcast domains and introduce some latency and timing issues. Cisco will tell you to keep the number of hops as small as possible. Adding 250 ms RTT between peers is an issue. Cisco has also had issues where VLANs were not hard boundaries and you could get traffic to jump VLAN boundaries by faking the 802.1Q tags.

    I think I understand what you're trying to accomplish - a public IP that can move around a larger region and between wireless towers at will. I think a far better solution is along the lines of a secure VPN. That avoids a whole slew of security and performance issues associated with VLANs and wireless. What's stopping a malicious person from coming up with a wireless subscriber module (what exactly is that, btw?) that adds whatever VLAN tag they want and getting access to any subnet at will?

    I also recommend using dhcp-helper and a handful of linux dhcp servers. That puts all the configuration in a central linux box and you don't have to muck with all the switches and routers for every little change.