vlan10---->firewall----->linux dhcp server
vlan20---------↑
我有两个 vlan(vlan10 和 vlan20),我想使用 Linux DHCP 服务器来集中分配 IP 地址。
在 Fortigate 防火墙中,我使用 dhcp 中继为客户端获取 dhcp ip。
在 linux dhcp 服务器中我使用 [host] 部分来限制客户端获取静态 ip 并允许已知主机获取动态 ip。
########## config start #########
subnet 192.168.10.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.10.255;
option domain-name-servers 192.168.8.248,192.168.8.246;
option routers 192.168.10.1;
allow unknown-clients;
range 192.168.10.11 192.168.10.210;
}
subnet 192.168.20.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.20.255;
option domain-name-servers 192.168.8.248,192.168.8.246;
option routers 192.168.20.1;
deny unknown-clients;
range 192.168.20.11 192.168.20.210;
}
host host1 {
hardware ethernet 11:11:11:11:11:11;
fixed-address 192.168.10.20;
}
host host2 {
hardware ethernet 22:22:22:22:22:22;
fixed-address 192.168.10.21;
}
host host3 {
hardware ethernet 33:33:33:33:33:33;
fixed-address 192.168.20.20;
}
host host4 {
hardware ethernet 44:44:44:44:44:44;
}
########## config end #########
在这种配置中,所有客户端都可以从 vlan10 或 vlan20 获取 ip,但我希望 host4 只能在 vlan20 中获取动态 ip。
当host4连接到vlan10时,host4无法从dhcp服务器获取任何ip地址。
我该如何修改配置?
答案1
虽然我目前无法测试这一点,并且可能需要对语法进行一些调整,您可能能够使用“组”定义并列出 vlan10 和 vlan20 组中的所有客户端,但在 vlan10 文件中,您告诉 host4“拒绝启动;”应该可以做到。
我目前无法亲自测试这一点,但也许值得一试?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-dhcp-configuring-server.html#group https://www.daemon-systems.org/man/dhcpd.conf.5.html拒绝启动
您可能还想看看“includes”指令是否有效,因此您可以执行以下操作:
dhcp.conf:
option domain-name-servers 192.168.8.248,192.168.8.246;
include "/etc/dhcp/vlan10.txt"
include "/etc/dhcp/vlan20.txt"
VLAN10.txt
group {
subnet 192.168.10.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.10.255;
option routers 192.168.10.1;
allow unknown-clients;
range 192.168.10.11 192.168.10.210;
include "/etc/dhcp/vlan10.hosts.txt"
include "/etc/dhcp/vlan10.deny.hosts.txt"
}
}
VLAN20.txt
group {
subnet 192.168.20.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.20.255;
option routers 192.168.20.1;
deny unknown-clients;
range 192.168.20.11 192.168.20.210;
include "/etc/dhcp/vlan10.hosts.txt"
include "/etc/dhcp/vlan20.hosts.txt"
}
}
vlan10.主机.txt
host host1 { hardware ethernet 11:11:11:11:11:11; fixed-address 192.168.10.20; }
host host2 { hardware ethernet 22:22:22:22:22:22; fixed-address 192.168.10.21; }
host host3 { hardware ethernet 33:33:33:33:33:33; fixed-address 192.168.20.20; }
vlan10.拒绝.主机.txt
host host4 { hardware ethernet 44:44:44:44:44:44; deny booting; }
vlan20.主机.txt
host host4 { hardware ethernet 44:44:44:44:44:44; }
答案2
也许创建一个与您的 host4 匹配的类,并在子网配置中添加一行“拒绝‘yourClass’的成员;”可能会有所帮助
一个例子 :
class "raspberry"
{
# match mac starting with b8:27:eb
match if substring(hardware, 1, 3) = b8:27:eb;
}
subnet 192.168.10.0 netmask 255.255.254.0 {
option routers 192.168.10.254;
pool {
range 192.168.10.11 192.168.10.210;
deny members of "raspberry";
}
}