Linux DHCP for multiple subnets

vlan10---->firewall----->linux dhcp server
vlan20---------↑

I have two VLANs (vlan10 and vlan20) and I want to use a Linux DHCP server to assign IP addresses centrally.

On the Fortigate firewall I use a DHCP relay so that clients can obtain DHCP IPs.

In the Linux DHCP server I use the [host] section to restrict clients to getting static IPs and to allow known hosts to get dynamic IPs.

########## config start #########

subnet 192.168.10.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.10.255;
option domain-name-servers 192.168.8.248,192.168.8.246;
option routers 192.168.10.1;
allow unknown-clients;
range 192.168.10.11 192.168.10.210;
}

subnet 192.168.20.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.20.255;
option domain-name-servers 192.168.8.248,192.168.8.246;
option routers 192.168.20.1;
deny unknown-clients;
range 192.168.20.11 192.168.20.210;
}

host host1  {
       hardware ethernet 11:11:11:11:11:11;
       fixed-address 192.168.10.20;
}

host host2  {
       hardware ethernet 22:22:22:22:22:22;
       fixed-address 192.168.10.21;
}

host host3  {
       hardware ethernet 33:33:33:33:33:33;
       fixed-address 192.168.20.20;
}

host host4 {
       hardware ethernet 44:44:44:44:44:44;
}

########## config end #########

With this configuration, all clients can get an IP from either vlan10 or vlan20, but I want host4 to be able to get a dynamic IP only in vlan20.

When host4 connects to vlan10, host4 should not get any IP address from the DHCP server.

How should I modify the configuration?

Answer 1

Although I cannot test this right now, and the syntax may need some tweaking, you may be able to use a "group" definition and list all the clients in both the vlan10 and vlan20 groups, but in the vlan10 file you tell host4 "deny booting;". That should do it.

I cannot test this myself at the moment, but maybe it is worth a try?

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-dhcp-configuring-server.html#group
https://www.daemon-systems.org/man/dhcpd.conf.5.html (deny booting)

You may also want to check whether the "include" directive works, so that you could do something like this:

dhcpd.conf:

# global options, then pull in one file per VLAN (include statements end with ";")
option domain-name-servers 192.168.8.248,192.168.8.246;
include "/etc/dhcp/vlan10.txt";
include "/etc/dhcp/vlan20.txt";

vlan10.txt

group {
subnet 192.168.10.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.10.255;
option routers 192.168.10.1;
allow unknown-clients;
range 192.168.10.11 192.168.10.210;
include "/etc/dhcp/vlan10.hosts.txt";
include "/etc/dhcp/vlan10.deny.hosts.txt";
 }
}

vlan20.txt

group {
subnet 192.168.20.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.20.255;
option routers 192.168.20.1;
deny unknown-clients;
range 192.168.20.11 192.168.20.210;
include "/etc/dhcp/vlan10.hosts.txt";
include "/etc/dhcp/vlan20.hosts.txt";
 }
}

vlan10.hosts.txt

host host1 { hardware ethernet 11:11:11:11:11:11; fixed-address 192.168.10.20; }

host host2 { hardware ethernet 22:22:22:22:22:22; fixed-address 192.168.10.21; }

host host3 { hardware ethernet 33:33:33:33:33:33; fixed-address 192.168.20.20; }

vlan10.deny.hosts.txt

# host4 is refused here with "deny booting;"
host host4 { hardware ethernet 44:44:44:44:44:44; deny booting; }

vlan20.hosts.txt

# no fixed-address, so host4 gets a dynamic lease from this subnet's range
host host4 { hardware ethernet 44:44:44:44:44:44; }

Answer 2

Maybe creating a class that matches your host4 and adding a line `deny members of "yourClass";` to the subnet configuration could help.

An example:

class "raspberry"
{
    # match mac starting with b8:27:eb
    match if substring(hardware, 1, 3) = b8:27:eb;
}

subnet 192.168.10.0 netmask 255.255.254.0 {
    option routers 192.168.10.254;
    pool {
        range 192.168.10.11 192.168.10.210;
        deny members of "raspberry";
    }
}
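Applying the class-and-pool approach from this answer to the exact configuration in the question, as an added example that is not part of either answer: host4 is matched by its hardware address and refused only from the 192.168.10.0 pool, while the 192.168.20.0 pool keeps `deny unknown-clients;`, so host4, which has a host declaration, still gets a dynamic lease there. The MAC addresses and IP ranges are the placeholder values from the question.

```conf
# Added example: host4 may lease dynamically in vlan20 only.
# dhcpd chooses the subnet from the giaddr the Fortigate relay inserts,
# then evaluates the pool permit lists below.

class "host4-vlan20-only" {
    # "hardware" is <type byte>:<MAC>; type 1 is Ethernet.
    # Note: MAC matching is a policy control, not authentication;
    # a client can present any hardware address it likes.
    match if hardware = 1:44:44:44:44:44:44;
}

subnet 192.168.10.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option domain-name-servers 192.168.8.248, 192.168.8.246;
    option routers 192.168.10.1;
    pool {
        range 192.168.10.11 192.168.10.210;
        # No allow list, so every client that is not denied is served;
        # host4 alone is turned away from vlan10's range.
        deny members of "host4-vlan20-only";
    }
}

subnet 192.168.20.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.20.255;
    option domain-name-servers 192.168.8.248, 192.168.8.246;
    option routers 192.168.20.1;
    pool {
        range 192.168.20.11 192.168.20.210;
        # Only clients with a host declaration (host1..host4) may lease here.
        deny unknown-clients;
    }
}

# Host declarations are global. fixed-address hosts never draw from a pool.
host host1 { hardware ethernet 11:11:11:11:11:11; fixed-address 192.168.10.20; }
host host2 { hardware ethernet 22:22:22:22:22:22; fixed-address 192.168.10.21; }
host host3 { hardware ethernet 33:33:33:33:33:33; fixed-address 192.168.20.20; }

# No fixed-address: host4 counts as a known client and takes a dynamic lease,
# but only from a pool whose permit list accepts it, i.e. vlan20.
host host4 { hardware ethernet 44:44:44:44:44:44; }
```

Run `dhcpd -t -cf /etc/dhcp/dhcpd.conf` to syntax-check the file before restarting the service.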
