[Dnsmasq-discuss] IP address based on switch port number (option 82)

Michael Rack michael.rack at rsm-freilassing.de
Mon Feb 15 08:24:40 GMT 2010


There is a really easy solution for that :-) Join your desired ports to 
VLANs and create some subnets.

I just can't understand why you wish to separate DHCP IP addresses 
on each port?

Kind regards from Freilassing,

Michael Rack
RSM Freilassing
-- 
RSM Freilassing                 Tel.: +49 8654 607110
Nocksteinstr. 13                Fax.: +49 8654 670438
D-83395 Freilassing            www.rsm-freilassing.de


On 14.02.2010 23:56, Ignacio.Bravo at belden.com wrote:
>
>
> >>ebtables or iptables can be used to match the source MAC address and
> >>only accept inbound DHCP requests from the relay(s).  No change needed
> >>to dnsmasq.
>
> I did that also with Iptables and it works. But there is a drawback: 
> Not all ports really need option 82 (you can activate this switch 
> function per port so that some ports have a fixed IP and some others not)
> In that general case dnsmasq should receive broadcasts and unicasts. 
> Only some broadcasts should be discarded!
>
> I feel it would be a good idea not to check circuit-remote ID tags on DHCP 
> requests (not only renewals), what do you think? Doing this, there is no problem 
> with renewals nor L2 relays. L3 relays would filter the broadcasts and 
> this change would not disturb (I may be wrong...)
>
> Should you be interested in captures from hanewin dhcp server in the 
> same scenario please let me know
>
> By the way, ISC also loops in this situation.
>
> Simon: Of course I am eager to check any new code you could provide. I 
> am a newbie in Linux; could you please (if possible) detail the 
> commands/tools I should run/have to make & install any possible code? I 
> am on Ubuntu.
>
> Thanks again
> Ignacio
>
>
>
> From: 	"richardvoigt at gmail.com" <richardvoigt at gmail.com>
> To: 	Simon Kelley <simon at thekelleys.org.uk>
> Cc: 	Ignacio.Bravo at belden.com, dnsmasq-discuss at lists.thekelleys.org.uk
> Date: 	14/02/2010 21:02
> Subject: 	Re: [Dnsmasq-discuss] IP address based on switch port number (option 82)
>
>
> ------------------------------------------------------------------------
>
>
>
> On Sun, Feb 14, 2010 at 1:53 PM, Simon Kelley 
> <simon at thekelleys.org.uk> wrote:
> > Ignacio.Bravo at belden.com wrote:
> >> Hello Simon, Thanks for such a quick answer! Yes I detected that a bit
> >> later and the tag is set now.
> >> dhcp-range=net:ignacio,10.10.35.60,10.10.35.65
> >> dhcp-circuitid=ignacio,b9:06:00:00:01:01:01:03,
> >> dhcp-remoteid=ignacio,00:06:00:80:63:60:e1:64
> >>
> >> BUT IT STILL DOESN'T WORK. The tag is set but I detected a sort of
> >> loop of discovers, NAKs and ACKs so that the client never gets its IP.
> >> Please find enclosed log output (dnsmasq shows loop.txt). Every
> >> "dnsmasq: etiquetas: ignacio, eth0" tag is set (Spanish log, sorry)
> >>
> >> Please find enclosed capture file showing the loop (dhcp loop from
> >> wireshark at the server side): Relay: .251 server: .200
> >>
> >> Please take into account I have a layer2 network (client----L2switch
> >> acting as dhcp relay op82---dhcp server)
> >>
> >> I feel the problem is dnsmasq receives two requests at almost the
> >> same time (the broadcasted one which is NAKed and the unicasted one
> >> ACKed). Of course the NAK message restarts the process at the client
> >> side
> >
> >>
> >> Two questions: - Do you have any dnsmasq config solution for that
> >> (what's the reason for the first request to be NAKed?)? I have
> >> experience with Hanewin and works ok in this topology without
> >> 'external help' I got one solution using iptables -A INPUT -i eth0 -p
> >> udp -s 0.0.0.0/32 -d 255.255.255.255/32 --dport 67 -j DROP (i do
> >> filter any broadcasted request or discover)
> > You are right. It's getting one request direct (without going through
> > the relay in the switch) and one request from the relay. Only the
> > request that goes through the switch has the circuit-id and sets the tag.
> > Without the tag, the dhcp-range is not available, so it causes an error.
> >
> > Part of this problem is the strange setup you have where the clients are
> > in the same broadcast domain as the server, _and_ you have the DHCP
> > relay. Even without that there's still a problem because clients will do
> > DHCP renewals direct/unicast without using the relay - that will fail.
> >
> > Some switches can be configured to do transparent option-82 addition to
> > _all_ DHCP packets without doing the relay function. That would fix the
> > problem if your switch can do it.
> >
> > I'm going to have to think about code changes to fix this in the general
> > case. Are you able to compile and test new versions of dnsmasq?
>
> ebtables or iptables can be used to match the source MAC address and
> only accept inbound DHCP requests from the relay(s).  No change needed
> to dnsmasq.
>
> >
> >> - does dnsmasq.conf do an AND with dhcp-circuitid dhcp-remoteid values?,
> >> I mean, should I have more than one switch could dnsmasq sort the first port
> >> of the first switch and the first port at the second switch?
> >
> > Yes, you can do that: The AND function is in dhcp-range: set tags for
> > each switch and port and use a switch tag and a port tag in dhcp-range
> >
> > dhcp-range=net:switch-1,net:port-1,192.168.7.1,192.168.7.4,255.255.255.0
> >
> > Cheers,
> >
> > Simon.
> >
>    
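
An added illustration (not part of any message in this thread, and not dnsmasq's code) of the behaviour Simon describes: the relayed copy of a request carries option 82 and sets the tags, while the copy heard directly as a broadcast sets none, so a tagged dhcp-range is unavailable for it. The tag names follow Simon's dhcp-range example and the circuit/remote IDs are the values from Ignacio's config; the packets and the second circuit ID are constructed, and the matching is a simplified model.

```python
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field

# IDs from the config quoted in the thread; tag names follow Simon's example.
CIRCUIT_ID = bytes.fromhex("b906000001010103")
REMOTE_ID = bytes.fromhex("000600806360e164")
RULES = {"port-1": (1, CIRCUIT_ID), "switch-1": (2, REMOTE_ID)}  # tag -> (sub-option, value)

def build_request(relay_info=None):
    """Constructed DHCPREQUEST: 236-byte BOOTP header, cookie, options."""
    pkt = bytes([1, 1, 6, 0]) + bytes(232) + MAGIC + bytes([53, 1, 3])
    if relay_info:  # option 82 = relay agent information, added by the switch
        sub = b"".join(bytes([c, len(v)]) + v for c, v in relay_info.items())
        pkt += bytes([82, len(sub)]) + sub
    return pkt + b"\xff"

def tlv(buf, pad_end=False):
    """Parse code/length/value triples; with pad_end, honour pad (0) and end (255)."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if pad_end and code == 255:
            break
        if pad_end and code == 0:
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option")
        out[code] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out

def tags_for(pkt):
    """Return the set of tags whose option-82 sub-option matches this packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    agent = tlv(tlv(pkt[240:], pad_end=True).get(82, b""))
    return {tag for tag, (sub, val) in RULES.items() if agent.get(sub) == val}

def range_available(pkt, required=frozenset({"switch-1", "port-1"})):
    """A range is usable only if every tag it names was set (the AND in dhcp-range)."""
    return required <= tags_for(pkt)

relayed = build_request({1: CIRCUIT_ID, 2: REMOTE_ID})  # copy forwarded by the relay
direct = build_request()                                # same request heard as broadcast
other_port = build_request({1: bytes.fromhex("b906000001010104"), 2: REMOTE_ID})

if __name__ == "__main__":
    for name, pkt in [("relayed", relayed), ("direct", direct), ("other port", other_port)]:
        print(f"{name:10} tags={sorted(tags_for(pkt))} range_available={range_available(pkt)}")
```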