DHCP server with multiple network interfaces and different subnets

I am trying to set up a DHCP server (isc dhcpd on Debian 8, a VM in an ESXi environment) with 4 network interfaces, eth0-3. The DHCP server should serve different subnets on the interfaces eth1, eth2 and eth3. Each subnet has its own vSwitch (vSphere), and the DHCP server is connected to every vSwitch.

The network interfaces are configured as follows:

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

auto eth1
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255

auto eth2
iface eth2 inet static
    address 172.16.0.1
    netmask 255.255.255.0
    network 172.16.0.0
    broadcast 172.16.0.255

auto eth3
iface eth3 inet static
    address 10.0.1.1
    netmask 255.255.255.0
    network 10.0.1.0
    broadcast 10.0.1.255

The current dhcpd configuration looks like this:

# dhcpd.conf

default-lease-time 600;
max-lease-time 7200;

subnet 172.16.0.0 netmask 255.255.255.0 {
    range 172.16.0.2 172.16.0.100;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 172.16.0.1;
    option routers 172.16.0.1;
    option broadcast-address 172.16.0.255;
}

subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.2 10.0.0.100;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 10.0.0.1;
    option routers 10.0.0.1;
    option broadcast-address 10.0.0.255;
}

subnet 10.0.1.0 netmask 255.255.255.0 {
    range 10.0.1.2 10.0.1.100;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 10.0.1.1;
    option routers 10.0.1.1;
    option broadcast-address 10.0.1.255;
}

Finally, the dhcpd init script defaults look like this:

# /etc/default/isc-dhcp-server

DHCPD_CONF=/etc/dhcp/dhcpd.conf
DHCPD_PID=/var/run/dhcpd.pid
INTERFACES="eth1 eth2 eth3"

So far so good. However, what currently happens is that clients only get DHCP traffic via the eth1 interface. The other two network interfaces are ignored. Even if I remove eth1 from the isc-dhcp-server init script, it is still used and hands out IP addresses:

isc-dhcp-server[1467]: Starting ISC DHCP server: dhcpd.
dhcpd: DHCPDISCOVER from 00:0a:26:37:6f:12 via eth1
dhcpd: DHCPOFFER on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1
dhcpd: DHCPREQUEST for 10.0.0.2 (10.0.0.1) from 00:0a:26:37:6f:12 (client0) via eth1
dhcpd: DHCPACK on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1

How can I make sure that a given network/subnet is served only on a specific network interface? How does the DHCP server know which client belongs to which subnet? I know I can use host declarations (hardware address, hostname, etc.) to pin hosts to a subnet. To me, though, that defeats the purpose of DHCP, because I want to assign IP addresses dynamically without touching the DHCP configuration every time a new client is added to a subnet.
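As an added diagnostic (not part of the question), the script below reproduces how dhcpd decides which declared subnet an interface serves, by matching the interface's own address against the subnet declarations, and then counts the quoted syslog lines per receiving interface, so that a listening interface that never sees a DHCPDISCOVER stands out as a switching/VLAN problem rather than a dhcpd.conf problem. The addresses, subnet list, INTERFACES= list and log lines are copied from the question; the sample log is a constructed inline copy.

```python
import ipaddress
import re
from collections import Counter
# Interface addresses (/etc/network/interfaces), declared subnets (dhcpd.conf) and
# the INTERFACES= list (/etc/default/isc-dhcp-server), copied from the question.
IFACE_ADDRS = {"eth1": "10.0.0.1/24", "eth2": "172.16.0.1/24", "eth3": "10.0.1.1/24"}
DECLARED_SUBNETS = ["172.16.0.0/24", "10.0.0.0/24", "10.0.1.0/24"]
LISTEN_IFACES = ["eth1", "eth2", "eth3"]

# Constructed sample: the dhcpd syslog lines quoted in the question.
SAMPLE_LOG = """\
dhcpd: DHCPDISCOVER from 00:0a:26:37:6f:12 via eth1
dhcpd: DHCPOFFER on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1
dhcpd: DHCPREQUEST for 10.0.0.2 (10.0.0.1) from 00:0a:26:37:6f:12 (client0) via eth1
dhcpd: DHCPACK on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1
"""
LOG_RE = re.compile(r"dhcpd: (DHCP[A-Z]+) .* via (\S+)$")

def subnet_for_interface(iface):
    """dhcpd serves on an interface the declared subnet containing the interface's own
    address; with no match it logs 'No subnet declaration for <iface>' and ignores it."""
    addr = ipaddress.ip_interface(IFACE_ADDRS[iface]).ip
    return next((n for n in DECLARED_SUBNETS if addr in ipaddress.ip_network(n)), None)

def traffic_by_interface(log_text):
    """Count DHCP message types per receiving interface ('via ethN') in syslog lines."""
    counts = {}
    for line in log_text.splitlines():
        if m := LOG_RE.search(line):
            counts.setdefault(m.group(2), Counter())[m.group(1)] += 1
    return counts

def diagnose(log_text):
    """Per listening interface: served subnet, message count and a finding."""
    seen = traffic_by_interface(log_text)
    report = {}
    for iface in LISTEN_IFACES:
        net = subnet_for_interface(iface)
        if net is None:
            finding = "no subnet declaration covers this interface's address"
        elif iface not in seen:
            finding = "configured but no DHCP traffic seen: check vSwitch/port group"
        else:
            finding = "ok"
        report[iface] = {"subnet": net, "messages": sum(seen.get(iface, {}).values()), "finding": finding}
    return report

if __name__ == "__main__":
    for iface, r in diagnose(SAMPLE_LOG).items():
        print(f"{iface}: subnet={r['subnet']} messages={r['messages']} {r['finding']}")
```

Feed it the real /var/log/syslog excerpt instead of SAMPLE_LOG to see which interfaces dhcpd has actually received requests on.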

Answer 1

So, let us briefly explain what is going on. Note that I strongly recommend running the configuration in a test environment first to make sure everything behaves the way you want it to!

Edit: also note that your switches need to be configured correctly. We use CISCO switches. To generate the OMAPI key you can follow guide 1 or guide 2.

How to make isc-dhcp-server listen on multiple subnets. This mini guide gives you the basic configuration idea plus some extra material so that you fully understand what is going on.

dhcpd.conf:

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
     secret your-secret-key;
}

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
# option domain-name-servers x.x.x.x,y.y.y.y;
option netbios-node-type 2;

default-lease-time 7200;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# Failover Configuration

failover peer "failover-partner" {
        primary;
        # this servers ip address
        address A.A.A.A;
        port 519;
        # dhcp failover ip address
        peer address B.B.B.B;
        peer port 520;
        max-response-delay 60;
        max-unacked-updates 10;
        mclt 3600;
        split 128;
        load balance max seconds 3;
}

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

# here we include specific configuration files for our different subnets.
# I'll provide an example for a configuration file, all other subnet configuration files
# are (in my scenario) written the same way.

include "/etc/dhcp/X.Y.1.Z.conf";
include "/etc/dhcp/X.Y.2.Z.conf";
include "/etc/dhcp/X.Y.3.Z.conf";

X.Y.1.Z.conf:

#____________________________________
# subnet information  X.Y.1.0/24
#____________________________________
subnet X.Y.1.0 netmask 255.255.255.0 {
        deny client-updates;
        deny unknown-clients;
        # gateway of this subnet  
        option routers X.Y.1.254;
        # DNS server(s)
        option domain-name-servers 123.123.123.1, 123.123.123.2;
        # search domain(s) for this subnet. Needs the "" to work!
        option domain-search "domain1", "domain2";
        # name of domain of this subnet (if exists, otherwise comment out)
        option domain-name "mydomain";
        # ntp server if you are running one
        option ntp-servers X.Y.Z.254;
        default-lease-time 86400;
        max-lease-time 86400;

        group {
            use-host-decl-names on;

            # Infodisplay
            host dns-name-1 {
                # mac address of client
                hardware ethernet 00:00:00:00:00:00;
                # ip address the above mac address will receive
                fixed-address 123.123.123.1;
            }
        }
}

The other subnet configuration files are built the same way. If you run the DHCP VM in ESXi, make sure the VM is made available to all networks/VLANs. isc-dhcp-server then needs to listen on all intended networks so that it can handle the different subnets in a single running isc-dhcp-server instance. If you want to avoid downtime or a non-working network, you can of course run a second VM with isc-dhcp-server in slave mode, as follows:

Slave dhcpd.conf:

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
     secret your-secret-key;
}

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
# option domain-name-servers x.x.x.x,y.y.y.y;
option netbios-node-type 2;

default-lease-time 7200;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# Failover Configuration

failover peer "failover-partner" {
        secondary;
        # this servers ip address
        address B.B.B.B;
        # this server listens on the port the primary names as "peer port"
        port 520;
        # dhcp master ip address
        peer address A.A.A.A;
        # and connects to the port the primary listens on
        peer port 519;
        max-response-delay 60;
        max-unacked-updates 10;
        # mclt and split are set on the primary only
        load balance max seconds 3;
}

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

# here we include specific configuration files for our different subnets.
# I'll provide an example for a configuration file, all other subnet configuration files
# are (in my scenario) written the same way.

include "/etc/dhcp/X.Y.1.Z.conf";
include "/etc/dhcp/X.Y.2.Z.conf";
include "/etc/dhcp/X.Y.3.Z.conf";

Make sure the key is identical on both machines, otherwise the client and server cannot communicate, or even perform the failover switch, when the server fails and the slave server has to take over the DHCP function.

If you have the hardware/setup options, set all of this up in a lab environment first.

Please do not run this in production right away.

You can stop your network clients from working within seconds, and that is something your boss will not want to see.
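A consistency check for the primary/secondary pair shown above, added here and not taken from the answer: it parses both failover peer stanzas and the key stanza and reports the mismatches that would stop the two servers from peering (roles, mirrored address/port pairs, mclt and split present on the secondary, differing secrets). The two sample configs are constructed from the answer's placeholders (A.A.A.A, B.B.B.B and your-secret-key are placeholders, not real values).

```python
import re
# Sample primary and secondary dhcpd.conf fragments, constructed from the
# answer's placeholders (A.A.A.A, B.B.B.B and your-secret-key are placeholders).
PRIMARY_CONF = """
key omapi_key { algorithm hmac-md5; secret your-secret-key; }
failover peer "failover-partner" {
    primary; address A.A.A.A; port 519; peer address B.B.B.B; peer port 520;
    max-response-delay 60; max-unacked-updates 10; mclt 3600; split 128;
    load balance max seconds 3; }
"""
SECONDARY_CONF = """
key omapi_key { algorithm hmac-md5; secret your-secret-key; }
failover peer "failover-partner" {
    secondary; address B.B.B.B; port 520; peer address A.A.A.A; peer port 519;
    max-response-delay 60; max-unacked-updates 10; load balance max seconds 3; }
"""

def parse_failover(conf):
    """Return {statement: value} for the first 'failover peer' stanza in conf."""
    body = re.search(r'failover peer "[^"]+"\s*\{(.*?)\}', conf, re.S).group(1)
    stmts = {}
    for raw in filter(None, (s.strip() for s in body.split(";"))):
        parts = raw.split()
        if raw in ("primary", "secondary"):
            stmts["role"] = raw
        elif parts[0] == "peer":                  # "peer address X" / "peer port N"
            stmts["peer " + parts[1]] = parts[2]
        else:                                     # "port 519", "load balance max seconds 3"
            stmts[" ".join(parts[:-1])] = parts[-1]
    return stmts

def key_secret(conf):
    m = re.search(r"\bkey\s+\S+\s*\{[^}]*?secret\s+([^;]+);", conf, re.S)
    return m.group(1).strip() if m else None

def check_failover_pair(primary_conf, secondary_conf):
    """List the mismatches that would keep a primary/secondary pair from peering."""
    p, s = parse_failover(primary_conf), parse_failover(secondary_conf)
    problems = []
    if (p.get("role"), s.get("role")) != ("primary", "secondary"):
        problems.append("roles must be exactly one primary and one secondary")
    for mine, theirs in (("address", "peer address"), ("port", "peer port")):
        if p.get(mine) != s.get(theirs) or s.get(mine) != p.get(theirs):  # must mirror
            problems.append(f"{mine} and {theirs} are not mirrored between the peers")
    for primary_only in ("mclt", "split"):   # dhcpd.conf(5): set on the primary only
        if primary_only in s:
            problems.append(f"{primary_only} must not be set on the secondary")
    if key_secret(primary_conf) != key_secret(secondary_conf):
        problems.append("key secrets differ: the peers will not authenticate")
    return problems
```

Run check_failover_pair on the two real files before restarting either server; an empty list means the stanzas agree.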
