Option 82 problem


Александр Сандецкий
Hi!

I have a problem with option 82 configuration.

I have a managed switch with IP 10.10.0.38 (managed VLAN 100). There are additional VLANs configured for clients: VLAN 3000 and 3010. Option 82 and DHCP relay are configured on the switch.

I have a DHCP server placed in VLAN 3000 with IP 172.18.0.101.

I want the DHCP server to serve VLAN 3010 (and others) on a per-VLAN basis.

Part of dhcpd.conf:

class "VLAN3010" {
    match if binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 2, 2)) = "3010";
}


subnet 172.18.10.0 netmask 255.255.255.0 {
    option routers 172.18.0.1;

    pool {
        range 172.18.10.51 172.18.10.250;
        allow members of "VLAN3010";
    }
}


The server receives the request as:
DHCPDISCOVER from 2c:27:d7:b1:a2:85 via 10.10.0.38: network 10.10.0.0/24: no free leases



I have checked with Wireshark:

   Option: (82) Agent Information Option
        Length: 18
        Option 82 Suboption: (1) Agent Circuit ID
            Length: 6
            Agent Circuit ID: 00040bc20003
        Option 82 Suboption: (2) Agent Remote ID
            Length: 8
            Agent Remote ID: 00068026897b2b40

The agent circuit ID is binary encoded and contains the bytes "0bc2", which equal "3010" in decimal.

Why does my class definition not accept this request? What is wrong?



--

Regards,
Alexander 

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Option 82 problem

Patrick Trapp
Hello, Alexander.

It's been a while since I've worked with this, but I believe your use of substring might be incorrect. I think the parameters should be indicating what position in the string to start matching and how many characters to match. Your current substring is matching two characters starting on the second position, but it appears that the system is reporting the agent-id as six characters; if that's true, then your agent-id value is starting on position three rather than position two. I would give that a test.

That said, my experiences with option-82 have been using a string, not a number, so my experiences may not apply.

Patrick

From: dhcp-users <[hidden email]> on behalf of Александр Сандецкий <[hidden email]>
Sent: Friday, April 17, 2020 9:18 AM
To: [hidden email] <[hidden email]>
Subject: Option 82 problem
 

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Option 82 problem

Bob Harold

On Fri, Apr 17, 2020 at 10:18 AM Александр Сандецкий <[hidden email]> wrote:
Hi!

I have a problem with option 82 configuration.

I have a managed switch with IP 10.10.0.38 (managed VLAN 100). There are additional VLANs configured for clients: VLAN 3000 and 3010. Option 82 and DHCP relay are configured on the switch.

I have a DHCP server placed in VLAN 3000 with IP 172.18.0.101.

I want the DHCP server to serve VLAN 3010 (and others) on a per-VLAN basis.

The part of dhcpd.conf

class "VLAN3010" {
        match if binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 2, 2)) = "3010"
    }


subnet 172.18.10.0 netmask 255.255.255.0 {
    option routers  172.18.0.1;

    pool {
            range 172.18.10.51 172.18.10.250;
            allow members of "VLAN3010";
    }
}


The server receives request as  
DHCPDISCOVER from 2c:27:d7:b1:a2:85 via 10.10.0.38: network 10.10.0.0/24: no free leases

 
The packet came from 10.10.0.38, which is not in the subnet, so even if the class matched, it would not get an IP from that subnet.
As it says, network 10.10.0.0/24 has no free leases.

-- 
Bob Harold
 



_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Option 82 problem

Tony Finch
Александр Сандецкий <[hidden email]> wrote:

> match if binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 2, 2)) = "3010"

I think the problem is that this 8 needs to be 16.

The substring() returns 2 octets (16 bits) which you expect to be
0x0bc2 = 3010

You are telling binary-to-ascii() to use base 10, chunks of 8 bits,
separator "", so its result will be (I think) 11194 because 0x0b = 11
and 0xc2 = 194.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Humber, Thames: Northeast 4 or 5, occasionally 6 until later in Thames.
Moderate, becoming slight later in Thames. Showers, mainly in Thames. Good,
occasionally moderate.
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
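To make Tony's point concrete, here is an added example (written for this page, not code from the thread or from ISC dhcpd) that models the two dhcp-eval(5) operators involved and evaluates the original match expression on the captured circuit ID with an 8-bit and a 16-bit chunk width. The helper names substring(), binary_to_ascii(), vlan_text() and class_matches() are chosen here, and the handling of data that does not divide into whole chunks is an assumption.

```python
import string

# Assumptions (not from the thread): these helpers model the dhcp-eval(5)
# operators as documented. substring() is 0-based and byte-oriented, and
# binary-to-ascii() splits its data into width-bit big-endian chunks.


def substring(data: bytes, offset: int, length: int) -> bytes:
    """Model of dhcpd substring(data, offset, length): bytes, 0-based offset.
    If the data is too short, whatever remains is returned."""
    return data[offset:offset + length]


def binary_to_ascii(base: int, width: int, sep: str, data: bytes) -> str:
    """Model of dhcpd binary-to-ascii(base, width, sep, data)."""
    if width not in (8, 16, 32):
        raise ValueError("width must be 8, 16 or 32 bits")
    if not 2 <= base <= 16:
        raise ValueError("base must be between 2 and 16")
    size = width // 8
    if len(data) % size:
        # Assumption: reject data that does not divide into whole chunks.
        raise ValueError("data length is not a multiple of the chunk size")
    digits = string.digits + string.ascii_lowercase

    def to_base(n: int) -> str:
        out = ""
        while True:
            n, r = divmod(n, base)
            out = digits[r] + out
            if n == 0:
                return out

    chunks = (int.from_bytes(data[i:i + size], "big")
              for i in range(0, len(data), size))
    return sep.join(to_base(c) for c in chunks)


# Agent Circuit ID from the Wireshark capture in the original post:
# 00 04 | 0b c2 | 00 03 -> the VLAN sits in bytes 2..3 (0x0bc2 = 3010).
CIRCUIT_ID = bytes.fromhex("00040bc20003")


def vlan_text(circuit_id: bytes, width: int) -> str:
    """Evaluate binary-to-ascii(10, width, "", substring(circuit_id, 2, 2))."""
    return binary_to_ascii(10, width, "", substring(circuit_id, 2, 2))


def class_matches(circuit_id: bytes, width: int, vlan: str = "3010") -> bool:
    """The class "VLAN3010" match expression, with the chunk width as a parameter."""
    return vlan_text(circuit_id, width) == vlan


if __name__ == "__main__":
    # width 8: two chunks, 0x0b -> "11" and 0xc2 -> "194", joined -> "11194"
    print(8, vlan_text(CIRCUIT_ID, 8), class_matches(CIRCUIT_ID, 8))
    # width 16: one chunk, 0x0bc2 -> "3010"
    print(16, vlan_text(CIRCUIT_ID, 16), class_matches(CIRCUIT_ID, 16))
```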

Re: Option 82 problem

Patrick Trapp
LOL - I knew as soon as I tried to answer, someone that knew something would correct me. Sorry to mislead you, Alexander.

From: dhcp-users <[hidden email]> on behalf of Tony Finch <[hidden email]>
Sent: Friday, April 17, 2020 11:33 AM
To: Users of ISC DHCP <[hidden email]>
Subject: Re: Option 82 problem
 

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Option 82 problem

Simon Hobson
Александр Сандецкий <[hidden email]> wrote:

> I have a problem with option 82 configuration.

Actually, I suspect the thing you do not have a problem with is Option 82!

> I have a managed switch with IP 10.10.0.38 (managed VLAN 100). There are additional VLANs configured for clients: VLAN 3000 and 3010. Option 82 and DHCP relay are configured on the switch.
>
> I have a DHCP server placed in VLAN 3000 with IP 172.18.0.101.
>
> I want the DHCP server to serve VLAN 3010 (and others) on a per-VLAN basis.

Does the ROUTER serving the VLANs have IP addresses in those VLANs? Do you even have routing set up yet? Note that a MANAGED SWITCH is not the same thing as a ROUTER - though you can get devices (typically called something like "Layer 3 switch") that include both functions. Without a router (or routing function built into the switch), what the VLAN config gives you is a stack of separate LANs - almost as though you had a stack of switches, one per LAN.
Before trying to sort out the DHCP - make sure you have the routing sorted. If you manually configure a client on the 3010 VLAN (I assume this will be an access port) in the 172.18.10.0/24, can it ping the server at 172.18.0.101? If not, fix that first; if it can, use traceroute and check that it is in fact routing via a router and not accidentally going direct (there are ways of making the cross-subnet traffic work other than routing it).

Summary: You will need a router configured with interfaces in VLAN 3000 and VLAN 3010, with IPs in the 172.18.0.0/24 and 172.18.10.0/24 subnets respectively. It will probably also have an interface on VLAN 100 in subnet 10.10.0.0/?? to allow you access to manage the switch.
When you have this working, and you configure the DHCP Relay agent, then things should "just work".

> The part of dhcpd.conf
>
> class "VLAN3010" {
>         match if binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 2, 2)) = "3010"
>     }
>
>
> subnet 172.18.10.0 netmask 255.255.255.0 {
>     option routers  172.18.0.1;
>
>     pool {
>             range 172.18.10.51 172.18.10.250;
>             allow members of "VLAN3010";
>     }
> }

That is not how you serve VLANs. For the VLAN stated, all you need is:
subnet 172.18.10.0 netmask 255.255.255.0 {
    option routers  172.18.0.1;

    pool {
            range 172.18.10.51 172.18.10.250;
    }
}
When requests come from a relay agent in the 172.18.10.0/24 subnet, it will automagically select the right subnet and hand out a suitable address. Note that the relay agent does not have to be in the router, but it MUST have an IP address in the network it's serving - it's just that this is usually most conveniently done as an integral part of the routing.

> The server receives the request as:
> DHCPDISCOVER from 2c:27:d7:b1:a2:85 via 10.10.0.38: network 10.10.0.0/24: no free leases

This suggests to me that you have not correctly configured your switch and router. For that client, you should NOT see a request coming from 10.10.0.0/24 subnet.

Simon

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Option 82 problem

Александр Сандецкий
Hi, Simon.

Thank you for the detailed description.

Actually I do not fully understand how it works. My hardware vendor tells me that Option 82 MUST be configured on the edge (client access) switches, but you say (as I can understand) that it must be configured somewhere on the "main" (core) ROUTER, not every switch. Your concept is more preferable for me. It is more manageable and simpler to configure. I will try it.

Fri, 17 Apr 2020 at 21:04, Simon Hobson <[hidden email]>:

--

Regards,
Сандецкий Александр

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Option 82 problem

Simon Hobson
Александр Сандецкий <[hidden email]> wrote:

> Actually I do not fully understand how it works. My hardware vendor tells me that Option 82 MUST be configured on the edge (client access) switches, but you say (as I can understand) that it must be configured somewhere on the "main" (core) ROUTER, not every switch. Your concept is more preferable for me.

I suspect something has been lost in translation because you DO NOT NEED OPTION82 AT ALL for DHCP to work. You do not need it on edge switches, you do not need it on a core switch.

To clarify a bit ...
treat each VLAN as if it was a separate LAN - conceptually think of a VLAN enabled switch as a stack of "simple" switches. At some point, you need a router to link those networks together - but instead of needing a router with lots of ports (one per network), when using VLANs you can combine all the VLANs down one cable with the ports on each end in trunk mode.
Once you have the basics working (any device can reach any other device, firewall/access rules permitting), then you can consider DHCP. The only requirement there is that the DHCP server has a connection to at least one network (it can directly connect to more than one), and any network not directly connected to the DHCP server needs a Relay Agent to pick up broadcasts from the clients and forward them to the server (and relay replies back again).

Simon


_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Option 82 problem

Александр Сандецкий
Basic network services topology assumes that a DHCP server exists in every network segment. In every VLAN in my case. It can be separate servers in network segments or a single server with network interfaces for every network. Or every VLAN configured on the server. This is a simple and clear idea. But in some cases it's not good (need to configure a lot of VLANs, for example). But DHCP service offers the relaying technology. With combination of Option 82 it's common practice to set up a single server with a single network interface for DHCP. Option 82 can be used to classify clients by the switch (agent IP or MAC), by the switch port, by the VLAN, etc.

Relaying assumes the DHCP query comes not from the original device and original network segment but from some managed switch where the client is connected. With some additional information for identifying client and switch.

My idea is not to configure every VLAN on the server.

Sat, 18 Apr 2020, 00:08 Simon Hobson <[hidden email]>:

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Option 82 problem

Tony Finch
Александр Сандецкий <[hidden email]> wrote:

> But DHCP service offers the relaying technology. With combination of
> Option 82 it's common practice to setup single server with single network
> interface for DHCP. Option 82 can be used to classify clients by the switch
> (agent IP or MAC), by the switch port, by the vlan, etc.
>
> Relaying assumes the DHCP query comes not from the original device and original
> network segment but from some managed switch where the client is connected. With
> some additional information for identifying client and switch.
>
> My idea is not to configure every VLAN on the server.

I look after some DHCP servers which handle about 150 subnets, and the
dhcpd.conf doesn't know anything about VLANs, only the network ranges -
it's mostly a collection of subnet{} clauses.

Our network configuration is handled by my colleagues, so I'm vague about
the details. But my understanding is that DHCP relaying is configured on
the routers. Normal DHCP requests are broadcasts, so they are limited to
the local subnet, relaying allows the request to be forwarded to a DHCP
server on a different subnet. So relaying is logically a router function
rather than a switch function.

We also use option 82, but the DHCP servers only use it to log information
about which switch and port number corresponds to which DHCP requests, not
for anything that determines the server's responses. So option 82 is
inserted by our switches, and logically unrelated to relaying.

What I'm vague about is the more complicated stuff on the switches related
to MAC security and DHCP snooping, and whether that messes with DHCP more
than I would expect...

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
democracy, participation, and the co-operative principle
_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users

Re: Option 82 problem

Simon Hobson
Tony Finch <[hidden email]> wrote:

> I look after some DHCP servers which handle about 150 subnets, and the
> dhcpd.conf doesn't know anything about VLANs, only the network ranges -
> it's mostly a collection of subnet{} clauses.

Yes, as I was trying to explain to Alexander, Option 82 is not needed at all for DHCP to work.

> Our network configuration is handled by my colleagues, so I'm vague about
> the details. But my understanding is that DHCP relaying is configured on
> the routers. Normal DHCP requests are broadcasts, so they are limited to
> the local subnet, relaying allows the request to be forwarded to a DHCP
> server on a different subnet. So relaying is logically a router function
> rather than a switch function.

Correct - switches play no part in DHCP, the Relay Agents do, and they are usually configured in the routers.

> What I'm vague about is the more complicated stuff on the switches related
> to MAC security and DHCP snooping, and whether that messes with DHCP more
> than I would expect...

It shouldn't mess with DHCP. The snooping allows the switch to determine the IP address assigned to the attached device and so filter any other addresses an attached device might try to use.


Александр Сандецкий <[hidden email]> wrote:

> Basic network services topology assumes that a DHCP server exists in every network segment. In every VLAN in my case. It can be separate servers in network segments or a single server with network interfaces for every network. Or every VLAN configured on the server. This is a simple and clear idea. But in some cases it's not good (need to configure a lot of VLANs, for example). But DHCP service offers the relaying technology.

Correct so far.

> With combination of Option 82 it's common practice to set up a single server with a single network interface for DHCP. Option 82 can be used to classify clients by the switch (agent IP or MAC), by the switch port, by the VLAN, etc.

No, Option 82 plays no part whatsoever in DHCP operations - unless you specifically need a complex setup. Given the problems you are experiencing, I would suggest that such a setup is beyond you at the moment - so get the basics working first, and only then look into more complicated stuff like using Option 82.

> Relaying assumes the DHCP query comes not from the original device and original network segment but from some managed switch where the client is connected. With some additional information for identifying client and switch.

NO, this is incorrect. Relaying requires a relay agent ANYWHERE in the broadcast domain for a network/subnet - which in this case is all the ports configured to a specific VLAN. As I've written already, this is usually configured in the router for convenience but this is not actually a requirement.

So for each VLAN, you need to configure a Relay agent to service that VLAN and forward the broadcast packets from client to server and back. The Relay Agent does not need to know anything whatsoever about the topology of the network - only have a direct connection and IP appropriate to the client network, and know the IP address(es) of the DHCP server that services the client network. Option 82 is not in any way involved with this.

> My idea is not to configure every VLAN on the server.

As above, you do not need to. Just configure a Relay Agent on any VLAN to which the server is not connected.


So to recap, this is what you need.

Your DHCP server, with a config which is as simple as:
# VLAN 3000
subnet 172.18.0.0 netmask 255.255.255.0 {
  option routers 172.18.0.1;
  range 172.18.0.10 172.18.0.200;
}
# VLAN 3010
subnet 172.18.10.0 netmask 255.255.255.0 {
  option routers 172.18.10.1;
  range 172.18.10.10 172.18.10.200;
}
and so on for each VLAN/subnet in your network.

For every subnet to which the server is not directly connected, configure a relay agent. The syntax for this varies according to the vendor/OS, for example on Cisco IOS you'd have:
ip helper-address a.b.c.d
But see https://lists.isc.org/pipermail/dhcp-users/2008-July/006832.html and if you enable a helper-address, you really need to disable a load of other stuff that gets forwarded by default - but be aware that things may have changed since I last dealt with Cisco stuff:
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip forward-protocol udp tftp

And that's it ! DHCP should work across the whole network with just these few ingredients.


Simon

_______________________________________________
dhcp-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/dhcp-users
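To make Bob's observation and Simon's recap concrete, here is an added example (written for this page, not code from the thread or from ISC dhcpd): a small Python model of relay-based subnet selection. The subnet is chosen from giaddr, the relay agent's address shown as "via X" in the dhcpd log, so with the relay at 10.10.0.38 the "VLAN3010" class is never consulted, while a relay with an address inside 172.18.10.0/24 gets an offer from that subnet. The Subnet/Pool classes and both config builders are constructed here; the 10.10.0.0/24 declaration without a pool is an assumption that reproduces the "no free leases" line quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass, field

IP = ipaddress.IPv4Address
NET = ipaddress.IPv4Network


@dataclass
class Pool:
    first: IP
    last: IP
    allow_classes: list = field(default_factory=list)  # empty list: any client
    leased: set = field(default_factory=set)


@dataclass
class Subnet:
    network: NET
    pools: list


def select_subnet(subnets, giaddr):
    """Relayed packets are matched to the subnet that contains giaddr (the
    relay agent's address, "via X" in the dhcpd log). Option 82 plays no
    part in this step."""
    g = IP(giaddr)
    for s in subnets:
        if g in s.network:
            return s
    return None


def find_lease(subnet, client_classes):
    """First free address from a pool whose class restriction admits the client."""
    for pool in subnet.pools:
        if pool.allow_classes and not set(pool.allow_classes) & set(client_classes):
            continue
        addr = pool.first
        while addr <= pool.last:
            if addr not in pool.leased:
                pool.leased.add(addr)
                return addr
            addr += 1
    return None


def handle_discover(subnets, giaddr, client_classes=()):
    """Return (status, offered address); status echoes dhcpd's log wording."""
    subnet = select_subnet(subnets, giaddr)
    if subnet is None:
        return "unknown network segment", None
    addr = find_lease(subnet, client_classes)
    if addr is None:
        return f"network {subnet.network}: no free leases", None
    return "offer", str(addr)


def alexander_config():
    # Modelled on the original post: the 172.18.10.0/24 pool admits only class
    # "VLAN3010". A 10.10.0.0/24 declaration without a pool is assumed here,
    # because "network 10.10.0.0/24: no free leases" means dhcpd knew that subnet.
    return [
        Subnet(NET("10.10.0.0/24"), []),
        Subnet(NET("172.18.10.0/24"),
               [Pool(IP("172.18.10.51"), IP("172.18.10.250"), ["VLAN3010"])]),
    ]


def simon_config():
    # Simon's recap: one plain subnet per VLAN, no classes, no option 82.
    return [
        Subnet(NET("172.18.0.0/24"), [Pool(IP("172.18.0.10"), IP("172.18.0.200"))]),
        Subnet(NET("172.18.10.0/24"), [Pool(IP("172.18.10.10"), IP("172.18.10.200"))]),
    ]


if __name__ == "__main__":
    # Relay on the management VLAN (10.10.0.38): the class never gets a chance.
    print(handle_discover(alexander_config(), "10.10.0.38", ["VLAN3010"]))
    # Relay with an address inside the client VLAN's subnet: an address is offered.
    print(handle_discover(simon_config(), "172.18.10.1"))
```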