具有多個網路介面和不同子網的 DHCP 伺服器
我正在嘗試設置具有 4 個網路介面eth0-3的 dhcp 伺服器(debian 8 上的 isc dhcpd(esxi 環境中的 vm)) 。dhcp 伺服器應該在eth1、eth2、eth3介面上為不同的子網提供服務。每個子網都有自己的 vSwitch (vSphere),並且 dhcp 伺服器連接到每個 vSwitch。
網路介面設置如下所示:
source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet static address 192.168.1.100 netmask 255.255.255.0 network 192.168.1.0 broadcast 192.168.1.255 gateway 192.168.1.1 auto eth1 iface eth1 inet static address 10.0.0.1 netmask 255.255.255.0 network 10.0.0.0 broadcast 10.0.0.255 auto eth2 iface eth2 inet static address 172.16.0.1 netmask 255.255.255.0 network 172.16.0.0 broadcast 172.16.0.255 auto eth3 iface eth3 inet static address 10.0.1.1 netmask 255.255.255.0 network 10.0.1.0 broadcast 10.0.1.255
目前的 dhcpd 配置如下所示:
# dhcpd.conf default-lease-time 600; max-lease-time 7200; subnet 172.16.0.0 netmask 255.255.255.0 { range 172.16.0.2 172.16.0.100; option subnet-mask 255.255.255.0; option domain-name-servers 172.16.0.1; option routers 172.16.0.1; option broadcast-address 172.16.0.255; } subnet 10.0.0.0 netmask 255.255.255.0 { range 10.0.0.2 10.0.0.100; option subnet-mask 255.255.255.0; option domain-name-servers 10.0.0.1; option routers 10.0.0.1; option broadcast-address 10.0.0.255; } subnet 10.0.1.0 netmask 255.255.255.0 { range 10.0.1.2 10.0.1.100; option subnet-mask 255.255.255.0; option domain-name-servers 10.0.1.1; option routers 10.0.1.1; option broadcast-address 10.0.1.255; }
最後,dhcpd 初始化腳本如下所示:
# /etc/default/isc-dhcp-server DHCPD_CONF=/etc/dhcp/dhcpd.conf DHCPD_PID=/var/run/dhcpd.pid INTERFACES="eth1 eth2 eth3"
到現在為止還挺好。但是,目前發生的情況是客戶端只能通過 eth1 介面獲取 dhcp 流量。其他兩個網路介面被忽略。即使我從 isc-dhcp-server 初始化腳本中刪除 eth1,它仍然被使用並提供 IP 地址:
isc-dhcp-server[1467]: Starting ISC DHCP server: dhcpd. dhcpd: DHCPDISCOVER from 00:0a:26:37:6f:12 via eth1 dhcpd: DHCPOFFER on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1 dhcpd: DHCPREQUEST for 10.0.0.2 (10.0.0.1) from 00:0a:26:37:6f:12 (client0) via eth1 dhcpd: DHCPACK on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1
如何確保某個網路/子網僅使用特定的網路介面提供服務?dhcp 伺服器如何知道,哪個客戶端屬於哪個子網?我知道我可以使用主機符號(硬體地址、主機名等)為子網指定主機。但是,對我來說,這違背了 dhcp 的目的,因為我希望能夠動態分配 ip 地址,而無需在將新客戶端添加到子網時觸及 dhcp 配置。
因此,我們在這裡稍微解釋一下會發生什麼。請注意,我強烈建議在測試環境中執行配置,以確保一切正常!
編輯:還請注意,您的交換機需要正確配置。我們正在使用 CISCO 交換機。要生成 OMAPI 密鑰,您可以按照guide1或guide2 進行操作。
如何讓isc-dhcp-server監聽多個子網。這個迷你指南將為您提供基本的配置理念和一些額外的材料供您閱讀以充分了解正在發生的事情。
dhcpd.conf:
omapi-port 7911; omapi-key omapi_key; key omapi_key { algorithm hmac-md5; secret your-secret-key; } # The ddns-updates-style parameter controls whether or not the server will # attempt to do a DNS update when a lease is confirmed. We default to the # behavior of the version 2 packages ('none', since DHCP v2 didn't # have support for DDNS.) ddns-update-style none; # option definitions common to all supported networks... # option domain-name-servers x.x.x.x,y.y.y.y; option netbios-node-type 2; default-lease-time 7200; max-lease-time 7200; # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. authoritative; # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). log-facility local7; # Failover Configuration failover peer "failover-partner" { primary; # this servers ip address address A.A.A.A; port 519; # dhcp failover ip address peer address B.B.B.B; peer port 520; max-response-delay 60; max-unacked-updates 10; mclt 3600; split 128; load balance max seconds 3; } # No service will be given on this subnet, but declaring it helps the # DHCP server to understand the network topology. # here we include specific configuration files for our different subnets. # I'll provide an example for a configuration file, all other subnet configuration files # are (in my scenario) written the same way. include "/etc/dhcp/X.Y.1.Z.conf"; include "/etc/dhcp/X.Y.2.Z.conf"; include "/etc/dhcp/X.Y.3.Z.conf";
XY1.Z.conf:
#____________________________________ # subnet information X.Y.1.0/24 #____________________________________ subnet X.Y.1.0 netmask 255.255.255.0 { deny client-updates; deny unknown-clients; # gateway of this subnet option routers X.Y.1.254; # DNS server(s) option domain-name-servers 123.123.123.1, 123.123.123.2; # search domain(s) for this subnet. Needs the "" to work! option domain-search "domain1", "domain2"; # name of domain of this subnet (if exists, otherwise comment out) option domain-name "mydomain"; # ntp server if you are running one option ntp-servers X.Y.Z.254; default-lease-time 86400; max-lease-time 86400; group { use-host-decl-names on; # Infodisplay host dns-name-1 { # mac address of client hardware ethernet 00:00:00:00:00:00; # ip address the above mac address will receive fixed-address 123.123.123.1; } }
子網的其他配置文件同樣建構。如果您在 ESXi 中執行 DHCP 虛擬機,請確保該虛擬機可用於您的所有網路/VLAN。然後,isc-dhcp-server需要偵聽它預期的所有網路,以便它可以在一個執行的 isc-dhcp-server 實例中處理所有不同的子網。如果您想省略停機時間或非工作網路,您當然可以使用isc-dhcp-server在從屬模式下執行第二個 VM,如下所示:
從屬 dhcpd.conf:
omapi-port 7911; omapi-key omapi_key; key omapi_key { algorithm hmac-md5; secret your-secret-key; } # The ddns-updates-style parameter controls whether or not the server will # attempt to do a DNS update when a lease is confirmed. We default to the # behavior of the version 2 packages ('none', since DHCP v2 didn't # have support for DDNS.) ddns-update-style none; # option definitions common to all supported networks... # option domain-name-servers x.x.x.x,y.y.y.y; option netbios-node-type 2; default-lease-time 7200; max-lease-time 7200; # If this DHCP server is the official DHCP server for the local # network, the authoritative directive should be uncommented. authoritative; # Use this to send dhcp log messages to a different log file (you also # have to hack syslog.conf to complete the redirection). log-facility local7; # Failover Configuration failover peer "failover-partner" { primary; # this servers ip address address B.B.B.B; port 519; # dhcp master ip address peer address A.A.A.A; peer port 520; max-response-delay 60; max-unacked-updates 10; mclt 3600; split 128; load balance max seconds 3; } # No service will be given on this subnet, but declaring it helps the # DHCP server to understand the network topology. # here we include specific configuration files for our different subnets. # I'll provide an example for a configuration file, all other subnet configuration files # are (in my scenario) written the same way. include "/etc/dhcp/X.Y.1.Z.conf"; include "/etc/dhcp/X.Y.2.Z.conf"; include "/etc/dhcp/X.Y.3.Z.conf";
確保兩台機器上的密鑰相同,否則客戶端和伺服器無法通信,甚至在伺服器出現故障時甚至無法進行故障轉移切換,並且預計從機將接管 dhcp 功能。
如果您有硬體/設置選項,請在實驗環境中設置所有這些。
請不要立即在生產環境中執行它。
您可以在幾秒鐘內停止讓您的網路客戶端工作,而這是您的老闆不喜歡的。