Hi,
I am trying to configure the dhcp option 82, went through the google forums and one of them suggests the syntax like

# vim /etc/dhcp/dhcpd.conf
########################################################
log-facility local7;

# classes select clients by the relay-agent (option 82) suboptions
class "VLAN10" {
    match if binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 2, 2)) = "10";
} # VLAN10

class "VLAN20" {
    match if ( substring(option agent.remote-id, 2, 15) = "10.5.20.4"
               and binary-to-ascii(10, 16, "", substring(option agent.circuit-id, 4, 2)) = "2" );
}

subnet 192.168.10.0 netmask 255.255.255.0 {
    pool {
        allow members of "VLAN10";
        default-lease-time 600;
        max-lease-time 7200;
        range 192.168.10.1 192.168.10.199;
        option routers 192.168.10.254;
        option broadcast-address 192.168.10.255;
        option subnet-mask 255.255.255.0;
        option domain-name-servers 4.2.2.2;
    }
}

subnet 192.168.20.0 netmask 255.255.255.0 {
    pool {
        allow members of "VLAN20";
        default-lease-time 600;
        max-lease-time 7200;
        range 192.168.20.20 192.168.20.199;
        option routers 192.168.20.254;
        option broadcast-address 192.168.20.255;
        option subnet-mask 255.255.255.0;
        option domain-name-servers 4.2.2.2;
    }
} # end subnet 192.168.20.0

(Just ignore ip values)
can we configure this concept only by using classes and make it allow or deny like that?
or can we use the option space concept to get it worked (do we have any other syntax)? Thanks in advance
Hi, is the option 82 supported by using the class concept only?
or can it be defined like other general options (domain-name server, router) in the scope section?
On Tue, Sep 24, 2019 at 12:49 PM Surya Teja <[hidden email]> wrote:
> can we configure this concept only by using classes and make it allow or deny like that?
> or can we use the option space concept to get it worked (do we have any other syntax)?
can we achieve the option 82 configuration setup with the above snippet?
Thanks in advance, and any reference links to set up the option 82 functionality without classes would also be appreciated.
On Thu, Sep 26, 2019 at 7:42 PM Surya Teja <[hidden email]> wrote:
> Hi is the option 82 supported by using class concept only ?
> or can it be defined as other general options like domain-name server, router in scope section ?
Options in a pool are options to be sent, not matched.
Why are you avoiding the class statement? What does the agent.circuit-id and agent.remote-id contain?
I can't figure out why you're using substring on these values (in your original post).
Bill
On 9/27/2019 3:44 AM, Surya Teja wrote:
> Hi
> It might be too many questions but I want to configure my dhcpd configuration file by avoiding the classes as much as possible
> can we achieve the option 82 configuration setup with above snippet
Hi Bill, thanks for the reply.
> Why are you avoiding the class statement?
In one of the google forums I have read a statement like: "The internal implementation in ISC DHCPD of classes is such that it scales in a non-linear way - O(N^2) or something. So suddenly you'll end up with dhcpd eating 100% CPU."
So I just want to avoid the classes.
While surfing I found that for the host declaration statements we can use the syntax like
So I just want to know if any config statements similar to the above apply to scope sections.
> What does the agent.circuit-id and agent.remote-id contain? I can't figure out why you're using substring on these values (in your original post).
It is just a sample example I found in the forum; I don't have an issue with directly checking the values without using the substring function or binary-to-ascii to cross-check them.
Thanks
On Fri, Sep 27, 2019 at 4:06 PM Bill Shirley <[hidden email]> wrote:
> Options in a pool are options to be sent not matched.
> Why are you avoiding the class statement? What does the agent.circuit-id and agent.remote-id contain?
> I can't figure out why you're using substring on these values (in your original post).
Yeah, I had found that web page too. But note later on that page he states about his patch: "This has been tested on a Xeon 2.8 Ghz server, it uses just a few percent of CPU with 40.000 DHCP clients."
Do you have 40,000 clients?
I use many classes in my DHCP configurations on 15+ servers. I haven't had a problem with DHCP eating up all the resources.
What is your goal here? Are you wanting to assign a fixed address for each client?
Bill
On 9/27/2019 7:32 AM, Surya Teja wrote:
> Hi Bill Thanks for reply
> Why are you avoiding the class statement?
> In one of the google forum I have read the statement saying like
> The internal implementation in ISC DHCPD of classes is such that it scales in a non-linear way - O(N^2) or something. So suddenly you'll end up with dhcpd eating 100% CPU.
> So I just want to avoid the classes
Looking at the web page, I see that he defines his classes inside the subnet, this is bad advice, it will not do what you may want.
Classes are global wherever they are defined just as host statements. They both inherit some things from the place of definition and use it elsewhere to great frustration for the guy trying to debug this.
Place class and host definitions in the global scope, that causes least problems.
On 27/09/2019 15.25, Bill Shirley wrote:
> Yeah, I had found that web page too. But note later on that page he states about his patch: This has been tested on a Xeon 2.8 Ghz server, it uses just a few percent of CPU with 40.000 DHCP clients. Do you have 40,000 clients?
Hi Bill,
> Do you have 40,000 clients?
Yes, sometimes the dhcp client traffic reaches nearly 40-50k in my environment.
> What is your goal here?
I want to avoid the untrusted dhcp clients to request the server and fill up the leases, so I went through the internet and found that option 82 can be a similar functionality.
The set up is similar to my environment, using relay agents to forward the packets; I want to replicate the setup in my environment. The above technique is like authenticating the requests and then granting IP.
On Fri, Sep 27, 2019 at 6:55 PM Bill Shirley <[hidden email]> wrote:
> Yeah, I had found that web page too. But note later on that page he states about his patch: This has been tested on a Xeon 2.8 Ghz server, it uses just a few percent of CPU with 40.000 DHCP clients.
> Do you have 40,000 clients?
On 27/09/2019 15.59, Surya Teja wrote:
> Yes some times the dhcp client traffic reaches nearly 40-50k in my environment.
> What is your goal here?
> I want to avoid the untrusted dhcp clients to request the server and fill up the leases, So I went through internet and found that option 82 can be a similar functionality.
This example has a few problems:
It defines classes inside the subnet, this is not a good idea. Keep declarations global.
It does not prevent unknown-clients from getting an IP from any of the pools, it is missing the deny unknown-clients; statement.
allow members of "VLAN10"; denies other classes but does not deny unknown-clients as you seem to want.
> The set up is similar to my environment using relay agents to forward the packets I want to replicate the setup in my environment. The above technique is like authenticating the requests and then granting IP
Thanks for the advice, I just want to make sure that my DHCP server will grant an IP from a particular subnet to the clients which have the specified value in the agent.circuit-id / agent.remote-id suboptions of option 82 in the request packets (the DHCP relay will be adding the option 82 info to the request packet).
> it is missing the deny unknown-clients; statement.
It will deny all the clients that do not have a host declaration? Sorry, I am not sure about this.
Thanks
Surya
On Fri, Sep 27, 2019 at 7:51 PM Sten Carlsen <[hidden email]> wrote:
> It does not prevent unknown-clients from getting an IP from any of the pools, it is missing the deny unknown-clients; statement.
> allow members of "VLAN10"; denies other classes but does not deny unknown-clients as you seem to want.
On Fri, Sep 27, 2019 at 10:21 AM Sten Carlsen <[hidden email]> wrote:
> This example has a few problems:
> It defines classes inside the subnet, this is not a good idea. Keep declarations global.
> It does not prevent unknown-clients from getting an IP from any of the pools, it is missing the deny unknown-clients; statement.
> allow members of "VLAN10"; denies other classes but does not deny unknown-clients as you seem to want.
It has been my experience that "allow members of VLAN10" implies "deny all else".
And using "known-clients" or "unknown-clients" in the DHCP config is a bad idea - if a MAC address is given a DHCP Reserved entry in one subnet, that suddenly changes its "known" status on other subnets, causing it to get or lose access to those subnets. Rarely is there a real need for "known-clients" or "unknown-clients".
> I just want to make sure that my DHCP server will grant IP from particular subnet to the clients which has specified value in agent.circuit-id/agent.remote-id suboptions of option 82 from request packets (DHCP relay will be adding the option 82 info to request packet)
You do not need to do anything for that to happen - it's just automagic.
The server will automatically match a client to the right subnet according to either the interface the request comes in on (for local clients) or the Gateway Interface Address (GI-Addr) set by the relay agent (for remote clients).
So let's say you have two subnets: the server is on the 192.168.1.0/24 subnet, and the relay agent is listening on the 192.168.2.0/24 subnet (let's say its IP is 192.168.2.2). The server receiving a relayed request will find GI-Addr set to 192.168.2.2 and automatically select a client address from the 192.168.2.0/24 subnet declaration. For the server, all it needs is:
<global stuff>
subnet 192.168.1.0 ... {
}
subnet 192.168.2.0 ... {
    <subnet specific options>
    range 192.168.2.xx 192.168.2.xx ;
}
That's really all there is to it. If there are no clients connected locally to the server, then the local subnet (192.168.1.0/24 in this example) can be empty as above.
> In one of the google forum I have read the statement saying like
>
> The internal implementation in ISC DHCPD of classes is such that it
> scales in a non-linar way - O(N^2) or something. So suddenly you'll
> end up with dhcpd eating 100% CPU.
>
> So I just want to avoid the classes
I think you may find that the documentation for dhcpd.conf, if you read it carefully, will give you more useful insight than "one of the google forum". In particular, this:
SUBCLASSES
In addition to classes, it is possible to declare subclasses. A subclass is a class with the same name as a regular class, but with a specific submatch expression which is hashed for quick matching. This is essentially a speed hack - the main difference between five classes with match expressions and one class with five subclasses is that it will be quicker to find the subclasses.
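As an added example (my code, not from the thread or from ISC dhcpd): the Python below decodes the option 82 suboptions that the relay inserts, evaluates the two "match if" expressions from the original snippet over them, and contrasts that with a hashed subclass-style lookup of the kind the SUBCLASSES text describes. The circuit-id layout (2-byte header, VLAN, module, port), the subclass member names and all sample bytes are constructed assumptions, and substring() and binary_to_ascii() are small models of the dhcpd functions rather than the server's own code.

```python
# Added example, not code from the thread or from ISC dhcpd: decode the option 82
# suboptions a relay agent inserts and apply the snippet's class expressions to them.
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 suboption 1 = agent.circuit-id
SUBOPT_REMOTE_ID = 2    # RFC 3046 suboption 2 = agent.remote-id


def parse_option82(value):
    """Split an option 82 value into {suboption code: data}; reject truncated input."""
    subs = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated suboption header at offset %d" % i)
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("suboption %d claims %d bytes, %d present" % (code, length, len(data)))
        subs[code] = data
        i += 2 + length
    return subs


def substring(data, offset, length):
    """Model of dhcpd's substring(): zero-based offset, shorter result if out of range."""
    return data[offset:offset + length]


def binary_to_ascii(base, width, sep, data):
    """Model of dhcpd's binary-to-ascii(): width-bit words rendered in base, no zero padding."""
    nbytes = width // 8
    words = [int.from_bytes(data[k:k + nbytes], "big")
             for k in range(0, len(data) - nbytes + 1, nbytes)]
    fmt = {8: "{:o}", 10: "{:d}", 16: "{:x}"}[base]
    return sep.join(fmt.format(w) for w in words)


# The two "match if" expressions from the posted snippet, evaluated over decoded suboptions.
def match_vlan10(agent):
    cid = agent.get(SUBOPT_CIRCUIT_ID, b"")
    return binary_to_ascii(10, 16, "", substring(cid, 2, 2)) == "10"


def match_vlan20(agent):
    cid = agent.get(SUBOPT_CIRCUIT_ID, b"")
    rid = agent.get(SUBOPT_REMOTE_ID, b"")
    return (substring(rid, 2, 15) == b"10.5.20.4"
            and binary_to_ascii(10, 16, "", substring(cid, 4, 2)) == "2")


# Plain classes: every match expression is evaluated in turn for each request.
CLASSES = [("VLAN10", match_vlan10), ("VLAN20", match_vlan20)]

# Subclass style: one class matching the raw circuit-id, members keyed by its exact
# bytes, so membership is a single hash lookup (the "speed hack" the manual describes).
# Keys and names are constructed values, not real relay identifiers.
SUBCLASS_MEMBERS = {
    bytes.fromhex("0004000a0103"): "vlan10-port3",
    bytes.fromhex("000400140002"): "vlan20-port2",
}


def classify(option82_value):
    """Return (first matching class or None, subclass member or None).

    In the posted config a request that matches no class is admitted to no pool,
    so None here means the server would hand out no lease.
    """
    agent = parse_option82(option82_value)
    cls = next((name for name, pred in CLASSES if pred(agent)), None)
    member = SUBCLASS_MEMBERS.get(agent.get(SUBOPT_CIRCUIT_ID))
    return cls, member


# Constructed sample option 82 values. Assumed circuit-id layout, as the snippet's
# offsets imply: 2-byte header, 2-byte VLAN, 1-byte module, 1-byte port.
SAMPLE_VLAN10 = bytes([SUBOPT_CIRCUIT_ID, 6]) + bytes.fromhex("0004000a0103")
SAMPLE_VLAN20 = (bytes([SUBOPT_CIRCUIT_ID, 6]) + bytes.fromhex("000400140002")
                 + bytes([SUBOPT_REMOTE_ID, 11]) + b"\x00\x09" + b"10.5.20.4")
SAMPLE_UNKNOWN = bytes([SUBOPT_CIRCUIT_ID, 6]) + bytes.fromhex("000400630105")

if __name__ == "__main__":
    for label, raw in (("vlan10", SAMPLE_VLAN10), ("vlan20", SAMPLE_VLAN20),
                       ("unknown", SAMPLE_UNKNOWN)):
        print(label, classify(raw))
```

The third sample shows the point of the deny discussion: a relayed request whose circuit-id matches neither expression ends up in no class and therefore no pool, which is the behaviour Sten's "allow members of" remark describes.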