Linux Distributed Switch Architecture with Local Option82 ISC DHCP server/DHCP relay

I share the following problematic for an embedded system we need to update
for a customer.

Customer requirement is: all my IP cameras connected to your product SHALL
get, by DHCP, their IP address according to their physical port, not their
hostname.
All the IP addresses SHALL be in the same network.

About our product:
 - OS: Linux Yocto Zeus
 - CPU: imx6 based module
 - Switch: 88E6240 Marvell

Software versions:

 - ISC DHCP version: 4.4.1
 - Linux version: 4.14

Idea: using DHCP option 82 + Distributed Switch Architecture (DSA) in order
to isolate ports

What I did:

DSA enabled => 1 physical port = 1 linux network interface
1 bridge created linking all this ports with a dsa_br0 interface

Option 82 realized by launching a dhcrelay (DHCP relay agent) for each
interface (-i portX and set as up command in /etc/network/interfaces) with
"-a" option in order to append option82 with port name as circuit ID.

DHCP server config:
one subnet, the expected one (the subnet of dsa_br0 bridge interface) +
hosts declared with "host-identifier option agent.circuit-id "portX";"
option

Side effect (impact ?): I need to declare IP address for each port (in
/etc/network/interfaces), otherwise dhcrelay will not work (note: all are in
separate network)


    subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.20;
        option broadcast-address 192.168.0.255;
        option domain-name-servers 192.168.0.20;
   
        host port1 {
            host-identifier option agent.circuit-id "port1";
            fixed-address 192.168.0.11;
        }

       host port2 {
            host-identifier option agent.circuit-id "port2";
            fixed-address 192.168.0.12;
        }
    }

And network configuration:

    ifconfig
    dsa_br0   Link encap:Ethernet  HWaddr 00:e0:4b:6d:e2:70  
              inet addr:192.168.0.20  Bcast:192.168.0.255
Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:4130 errors:0 dropped:19 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1298917 (1.2 MiB)  TX bytes:0 (0.0 B)
   
    eth0      Link encap:Ethernet  HWaddr 00:e0:4b:6d:e2:70  
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:4524 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2758 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1555293 (1.4 MiB)  TX bytes:473137 (462.0 KiB)
   
    port1     Link encap:Ethernet  HWaddr 00:e0:4b:6d:e2:70  
              inet addr:172.20.31.1  Bcast:172.20.31.255  Mask:255.255.255.0
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
   
    port2     Link encap:Ethernet  HWaddr 00:e0:4b:6d:e2:70  
              inet addr:172.20.32.1  Bcast:172.20.32.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:808 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1950 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:190934 (186.4 KiB)  TX bytes:248827 (242.9 KiB)


My dhcrelay command:

    dhcrelay -a -i port2 192.168.0.20


Result:
It seems that DHCP server doesn't receive any DHCP frame at all from
dhcrelay. It receives raw frame (without option82) => so I added ebtables
rules in order to block them

Analyze with a tcpdump capture:
DHCP frame are forwarded by DHCP relay with option82 added
BUT they are sent to local loopback (since target IP address is the one of
dsa_br0) !
In source code, it uses the "fallback" interface.

First DHCP server source code analysis revealed that DHCP server doesn't
listen any local loopback interface (in LFP listening mode), so it could
explain why it cannot work at all for the moment.


My questions are:

 - Any error in my analysis ?
 - How can we implement something like that (DSA + local dhcrelay/DHCP
server) ?
 - Another idea for solving customer requirement ?


Regards,




--
Sent from: http://isc-dhcp-users.2343191.n4.nabble.com/
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

remi rsd <[hidden email]> wrote:

> Customer requirement is: all my IP cameras connected to your product SHALL
> get, by DHCP, their IP address according to their physical port, not their
> hostname.
> All the IP addresses SHALL be in the same network.
>
> About our product:
> - OS: Linux Yocto Zeus
> - CPU: imx6 based module
> - Switch: 88E6240 Marvell

A lookup suggests the switch is fairly basic - so no DHCP snooping/option-82 insertion

I don't think that will work. As far as networking (at the IP layer) is concerned, you still have one network ...

> DHCP server config:
> one subnet, the expected one (the subnet of dsa_br0 bridge interface) +
> hosts declared with "host-identifier option agent.circuit-id "portX";"
> option
>
> Side effect (impact ?): I need to declare IP address for each port (in
> /etc/network/interfaces), otherwise dhcrelay will not work (note: all are in
> separate network)

That's right, the relay agent needs an IP address for the interface it's listening on - otherwise it doesn't know what to put in the relayed packets.

As a general point, host statements are global - don't declare them inside a subnet as that can cause some "interesting" inheritance problems.

As your port addresses are in a different subnet, you need a shared network statement so that the dhcp server can associate relayed packets with (e.g.) 172.20.32.1 in the CI-Addr field with clients in the 192.168.0.0/24 subnet. That would look like :

shared-network somenamehere {
  subnet 172.20.31.0 netmask 255.255.255.0 {}
  subnet 172.20.32.0 netmask 255.255.255.0 {}
  subnet 192.168.0.0 netmask 255.255.255.0 {
    stuff goes here
  }

> My dhcrelay command:
>
>    dhcrelay -a -i port2 192.168.0.20

From memory, the relay agent also needs to listen on the interface through which it talks to the server - this could get messy


> It seems that DHCP server doesn't receive any DHCP frame at all from
> dhcrelay. It receives raw frame (without option82) => so I added ebtables
> rules in order to block them

That sounds about right. Because you've bridged all the ports together, they're one network from the PoV of broadcast traffic.


> - Another idea for solving customer requirement ?

A few thoughts come to mind, none of which I've ever done or tested so some more thought and experimentation might be needed. Also, be aware that once a client has a lease, it will then use unicast packets to communicate directly with the server (NOT via a relay agent) - so you need to take this into account.


I'm assuming the hardware is fixed, so you don't have the option of using a "smarter" switch that can do the Option-82 insertion ? That would be the ideal approach if it were practical.


Don't bridge the ports together, but use proxy-ARP to make it look like they are all on the same subnet. From the DHCP PoV, the relay agents should work. However, I think you'll have to lump them all together in one shared network - and allocate addresses by filtering (use classes ?) on CI-Addr field in the incoming packets in order to get the dhcp server to work.


Write a monitor of some sort that will monitor the state of switch ports and the devices connected. I have in mind something that will :
- When a port becomes active, detect the MAC address of the connected device and configure the dhcp server with a MAC-IP mapping (host declaration ?).
- When a port becomes inactive, remove that mapping. If you only use host statements, there's no lease to remove.
You probably need to configure the hardware switch with one VLAN/port and use bridging in Linux to give access to the per-port MAC tables as I assume the bridge chip doesn't make this visible. Performance wise it would be best to use the hardware bridge as a single interface IFF you can access port status and attached devices list/port (MAC-Port mappings).
There's also an implicit assumption (taken from your original problem statement) that there will only ever be one client attached to a single port. And I'm assuming that there will be one interface which will be excluded from this setup that is used for connection to "the outside world".

Related to this, consider if it's possible to upgrade the hardware to something that can show you port status and MAC tables - then you can let the hardware switch do the switching.


Talk to the client and see if you can compromise on the requirements. If they'd allow multiple subnets then it would significantly simplify your problem.
In principle, it would allow you to just have one subnet per port as a separate network - without needing relay agents etc. But you might still need to do some work to allow device swapping - otherwise if devices are changed/moved, a new device on a port won't be able to get an address until the previous lease has expired.



I'm thinking that the monitor setup might be the easiest. In pseudo-code, it would just need to do something along the lines of :
If ${port_status} is down and ${port_config} is not empty
  then
    echo > ${port}_config
    restart dhcpd
If ${port_status} is up and ${port_config} is empty
  Look for a MAC address for a connected port
  if we got a MAC address
    then echo "host \"port_${port}\" \{ hardware ethernet ${port_mac} \}" > ${port}_config
    restart dhcpd

And in your dhcp config, have include statements to include the port configs (host statements).


Simon

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

I wrote:

> Performance wise it would be best to use the hardware bridge as a single interface IFF you can access port status and attached devices list/port (MAC-Port mappings).

Thinking a bit more about this, the switch (bridge) ship can't be completely "dumb". There's obviously a way to configure VLANs on it, so it would be worth investing a bit of effort to find out if that same interface also supports reading port status and forwarding tables - it could remove the need to run a software bridge altogether.

Simon
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Well, as they say, every day is a learning day. I'd not come across Distributed Switch Architecture (DSA) before - now I've read up on it, interesting.
https://docplayer.net/50750816-Distributed-switch-architecture-a-k-a-dsa.html


As a refinement to the monitoring suggestion I made earlier, there's scope for switching ports between modes.

So when a port becomes inactive, switch it from packet switching within the bridge to forwarding packets direct to the processor. This will mean that when something is plugged in, the Linux network stack will be able to see the association between MAC address and port. Once that's been collected, the port can be switched back to using the in-chip switch and (potentially) offload from the processor.

I say potentially because the actual traffic flows haven't really been described by the OP. If the application basically takes streams from cameras, pipes them through the host processor and stores them on local storage - then it makes little difference.
But if there are streams between devices, using the in-chip switch would offload the handling of this from the host CPU.

As an alternative, there's scope for switching an inactive port to a different VLAN to make it appear on a different Linux network port. Then when the MAC address has been captured, change the port back to the normal VLAN.

Simon

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Hello Simon. Thanks for your messages.
Some news from the field.


Option82 was effectively "sold" to the customer. Mandatory.
Switch cannot be replaced by another one.
For the moment, I would like to avoid any monitoring daemon.


I applied your recommendation about declaring shared-network (and hacked a
bit dhcrelay for debugging purpose):
effectively, now DHCPd receive relayed packets with circuit-id


I found also this http://www.miquels.cistron.nl/isc-dhcpd/
Added the patch patch in order to log circuit-id info.

Then I updated my config:


first try:

stash-agent-options true;

log-facility local7;

if exists agent.circuit-id
{
log (info, concat("Lease for ", option agent.circuit-id));
}

host port1 {
   host-identifier option agent.circuit-id "port1";
   fixed-address 192.168.1.31;
}

host port2 {
   host-identifier option agent.circuit-id "port2";
   fixed-address 192.168.1.32;
}

host port3 {
   host-identifier option agent.circuit-id "port3";
   fixed-address 192.168.1.33;
}

host port4 {
   host-identifier option agent.circuit-id "port4";
   fixed-address 192.168.1.34;
}

shared-network my_bridge {
   subnet 172.20.31.0 netmask 255.255.255.0 {}
   subnet 172.20.32.0 netmask 255.255.255.0 {}
   subnet 172.20.33.0 netmask 255.255.255.0 {}
   subnet 172.20.34.0 netmask 255.255.255.0 {}

   subnet 192.168.1.0 netmask 255.255.255.0 {
      option routers 192.168.1.20;
      option broadcast-address 192.168.1.255;
      option domain-name-servers 192.168.1.20;
      option domain-name "bus-1";
   }
}

Result:
"DHCPDISCOVER from 28:d2:44:50:a5:05 via dsa_br0: network my_bridge: no free
leases"

=> No lease

If I add a default pool, lease provided and a log for circuit-id is
displayed, confirming that DHCPd received packet from relay agent


I tried another way:

shared-network my_bridge {
   subnet 172.20.31.0 netmask 255.255.255.0 {}
   subnet 172.20.32.0 netmask 255.255.255.0 {}
   subnet 172.20.33.0 netmask 255.255.255.0 {}
   subnet 172.20.34.0 netmask 255.255.255.0 {}

   subnet 192.168.1.0 netmask 255.255.255.0 {
      option routers 192.168.1.20;
      option broadcast-address 192.168.1.255;
      option domain-name-servers 192.168.1.20;
      option domain-name "bus-1";


                        class "port1" {
                                match if option agent.circuit-id = "port1";
                        }
                        pool {
                                allow members of "port1";
                                range 192.168.1.31;
                        }

                        class "port2" {
                                match if option agent.circuit-id = "port2";
                        }
                        pool {
                                allow members of "port2";
                                range 192.168.1.32;
                        }

                        class "port3" {
                                match if option agent.circuit-id = "port3";
                        }
                        pool {
                                allow members of "port3";
                                range 192.168.1.33;
                        }

                        class "port4" {
                                match if option agent.circuit-id = "port4";
                        }
                        pool {
                                allow members of "port4";
                                range 192.168.1.34;
                        }
   }
}

Result:
"DHCPDISCOVER from 28:d2:44:50:a5:05 via dsa_br0: network my_bridge: no free
leases"

=> same result, no lease.


The difference with the example un in the link above is the HW address.
Is it really necessary to declare HW address of device ? Circut-id match is
not enough ?






--
Sent from: http://isc-dhcp-users.2343191.n4.nabble.com/
_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Hi Remi

So it looks like the circuit-id is not matching. Can you do a packet
trace and verify the exact content of the circuit-id values? Perhaps
there is a trailing non-print character? Is it possible the initial
packet is getting through - the one without the added circuit-id?

I can see the customer's hardware limitations, but it seems to me a
different switch with inbuilt dhcp-relay would make this a very simple
solution. :(

regards,
Glenn

On 2020-11-23 22:31, remi rsd wrote: _______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

remi rsd <[hidden email]> wrote:

Just be aware that class statements  are global in scope no matter where in the config file you place them. It's best to define them in the global scope to avoid confusion - in more complex setups it can cause some "interesting" option inheritance problems.

Simon

_______________________________________________
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users