Дерево страниц
Перейти к концу метаданных
Переход к началу метаданных

Description

It is suggested to use ISC-DHCP-SERVER free solution as a DHCP server. The solution allows performing the following tasks in relation to Eltex.SoftWLC project:

  • Assigning primary (external) IP addresses to access points with option 43 (suboptions 11 and 12) that makes it possible to create GRE tunnels to ESR.
  • Assigning secondary (management, tunnel) IP addresses to access points with option 43 (suboptions 10 and 13) for AP management, detection and automatic initialization.
  • Assigning IP addresses to Wi-Fi users connecting to access points.
  • DHCP clients classification using option 82, option 60 and giAddrField.

Starting/stopping procedure

To stop the service, the following command is used:

service isc-dhcp-server stop


To start the service after stopping:

service isc-dhcp-server start


To check the service status, use the command:

service isc-dhcp-server status


This will be followed by a message:

* isc-dhcp-server is running


if the service is running, or by

* isc-dhcp-server is not running

if it is not.

DHCP server configuration

The solutions provided are relevant to typical network organization schemes, but they may differ from the configuration required for your network!

Network settings

Network Interfaces

DHCP server should have interfaces in three subnets:

  • inner operator subnet — a subnet used for connection to operator's internal network. Administrators and operators connect to GUI EMS, and communication with SMS gateway and operator's services via NorthboundInterface is provided within the network. This subnet has a virtual interface (keepalived facility is used);
  • outer operator subnet — a subnet used for connection to access points and other network devices. It has strict security policies. This subnet has a virtual interface (keepalived facility is used);
  • outer subnet for receiving DHCP requests from Relay agents on operator's end equipment.


auto eth1.102 # Interface in outer operator's exchange network
iface eth1.102 inet static
address 192.168.114.8
netmask 255.255.255.192
network 192.168.114.0
vlan_raw_device eth1 
auto eth1.100 # Interface in inner operator network
iface eth1.100 inet static
address 172.17.209.9
netmask 255.255.255.192
network 172.17.209.0
vlan_raw_device eth1 
auto eth1.101 # Interface for assigning IP addresses to access points
iface eth1.101 inet static
address 10.203.5.7
netmask 255.255.255.192
network 10.203.5.0
vlan_raw_device eth1 

Routing

DHCP server should have access to three subnets:


10.203.32.0 — for assigning primary IP addresses to access points;
192.168.200.0 — for assigning management IP addresses to access points;
100.65.64.0 — for assigning IP addresses to client devices.


Example of route configuration in /etc/network/interfaces file.

up ip route add 100.65.64.0/22 via 192.168.114.10
up ip route add 192.168.200.0/22 via 192.168.114.10
up ip route add 10.203.32.0/19 via 10.203.5.1

ISC-DHCP-SERVER configuration

/etc/default/isc-dhcp-server

The file contains basic settings, in particular the list of network interfaces used:

INTERFACES="eth1.101 eth1.102" 


/etc/dhcp/dhcpd.conf

 DHCP server's address pool configuration.

Configuration example

default-lease-time 60;
max-lease-time 120;
log-facility local7;
class "ELTEX-DEVICES" {
match if (
(substring (option vendor-class-identifier, 0, 14) = "ELTEX_WEP-12AC") or
(substring (option vendor-class-identifier, 0, 14) = "ELTEX_WOP-12AC") or
(substring (option vendor-class-identifier, 0, 14) = "ELTX_WEP-12AC") or
(substring (option vendor-class-identifier, 0, 14) = "ELTX_WOP-12AC")
);
}
subnet 192.168.114.64 netmask 255.255.255.192 {}
subnet 10.203.5.64 netmask 255.255.255.192 {}
#first IP-subnet for assigning primary addresses to access points
subnet 10.203.32.0 netmask 255.255.254.0 {
pool {
option routers 10.203.32.2;
range 10.203.32.130 10.203.32.230;
failover peer "dhcp-failover";
option vendor-encapsulated-options 0B:0c:31:30:2E:32:30:33:2E:35:2E:31:31:32:0C:0C:31:30:2E:32:30:33:2E:35:2E:31:31:33;
allow members of "ELTEX-DEVICES";
}
}
#managed IP-subnet for assigning secondary addresses to access points
subnet 192.168.200.0 netmask 255.255.252.0 {
pool {
option routers 192.168.200.5;
range 192.168.200.120 192.168.200.164;
failover peer "dhcp-failover";
option vendor-encapsulated-options A:F:31:39:32:2E:31:36:38:2E:31:31:34:2E:31:30:34;
allow members of "ELTEX-DEVICES";
}
}
#User IP-subnet for users (clients)
subnet 200.65.64.0 netmask 255.255.240.0 {
pool {
option routers 200.65.64.5;
range 200.65.64.200 200.65.64.250;
failover peer "dhcp-failover";
option domain-name-servers 172.16.0.1, 8.8.8.8;
}
} 


Configuring access points' static addresses

If predetermined IP addresses of access points (secondary addresses) should be used in management network, a list of static hosts can be configured. Take the following steps in order to avoid /etc/dhcp/dhcpd.conf overload:


1. Create a file that includes the list and may be located in any directory, for example  /var/lib/dhcp/touch /var/lib/dhcp/hosts.


2. Add entries to the file.


Entry format

host wep_01 { hardware ethernet a8:f9:4b:b0:00:00; fixed-address 192.168.1.1; } 


Where
host wep_01 — hostname.
hardware ethernet a8:f9:4b:b0:00:01 — MAC address of a device. Note that in order to get a secondary address, an access point uses MAC one greater than the MAC used for primary address getting.
fixed-address 192.168.200.133  — IP address of a device.


3. Add the following line to AP address pool:

include "/var/lib/dhcp/hosts"; 


4. For DHCP server to be able to read the file, set the owner using the command:

chown dhcpd:dhcpd /var/lib/dhcp/static/hosts 


5. Allow reading the file in AppArmor by adding the following line to /etc/apparmor.d/usr.sbin.dhcpd file (the line should end with a comma):

/var/lib/dhcp/hosts r


6. Restart services

service apparmor restart
service isc-dhcp-server restart 


Pool configuration example:

subnet 192.168.200.0 netmask 255.255.252.0 {
pool {
option routers 192.168.200.5;
range 192.168.200.120 192.168.200.164;
option vendor-encapsulated-options A:F:31:39:32:2E:31:36:38:2E:31:31:34:2E:31:30:34;
include "/var/lib/dhcp/hosts";
}
} 

The lists should be created on both servers and kept updated. Restart servers after changing the lists' contents.


Option 82 usage

If option 82 is required, new classes should be created as follows:

class "NEW_class" {
match if (
(option agent.circuit-id = "E320-1-210:GigabitEthernet 1/0/2.25030007:2503-7")
and
(
(substring (option vendor-class-identifier, 0, 14) = "ELTEX_WEP-12AC") or
(substring (option vendor-class-identifier, 0, 14) = "ELTEX_WOP-12AC") or
(substring (option vendor-class-identifier, 0, 14) = "ELTX_WEP-12AC") or
(substring (option vendor-class-identifier, 0, 14) = "ELTX_WOP-12AC")
)
);
}


The created class should be defined in a pool, for example:

subnet 192.168.200.0 netmask 255.255.252.0 {
pool {
option routers 192.168.200.5;
range 192.168.200.120 192.168.200.164;
option vendor-encapsulated-options A:F:31:39:32:2E:31:36:38:2E:31:31:34:2E:31:30:34;
allow members of "NEW_class";
}
}


After that, addresses from the pool will be assigned only to devices of this class.

Option 43 usage

The option is used to transfer vendor-specific data to DHCP clients.
The following suboptions are used in SoftWLC:

Suboption

Description

10

EMS server address.

11

the address for management tunnel creation.

12

the address for data tunnel creation

13

the option for identifying carrier network area the access point belongs to


According to RFC2132, the format is as follows: 

   When encapsulated vendor-specific extensions are used, the
   information bytes 1-n have the following format:
 
    Code   Len   Data item        Code   Len   Data item       Code
   +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
   |  T1 |  n  |  d1 |  d2 | ... |  T2 |  n  |  D1 |  D2 | ... | ... |
   +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+

The option is transmitted in HEX format (hexadecimal notation). All data should be converted from ASCII to HEX.
All the values are separated by a colon ':', and the line ends with a semicolon ';'.
Option examples:

  • In the primary address pool, option 43 (suboptions 11 and 12) is specified as follows:
option vendor-encapsulated-options 0B:0B:31:30:2E:32:30:33:2E:35:2E:31:30:0C:0B:31:30:2E:32:30:33:2E:35:2E:31:31;


Decoding:
suboption 11, 11 symbols long, contains the address 10.203.5.10;
suboption 12, 11 symbols long, contains the address 10.203.5.11;

  • In the secondary address pool, option 43 (suboption 10) is specified as follows:
option vendor-encapsulated-options 0A:0D:31:39:32:2E:31:36:38:2E:31:31:34:2E:34;


Decoding:
suboption 10, 13 symbols long, contains the address 192.168.114.4;

  • Suboption 13 is specified as follows:
option vendor-encapsulated-options 0D:0A:65:6c:74:65:78:2e:72:6f:6f:74;


Decoding:
suboption 13, 10 symbols long, contains the domain: eltex.root

If several suboptions should be transferred in a pool, they should be written in the same line. E.g. for suboptions 10 and 13, it will look like this:

option vendor-encapsulated-options 0A:0D:31:39:32:2E:31:36:38:2E:31:31:34:2E:34:0D:0A:65:6c:74:65:78:2e:72:6f:6f:74;

dhcpd configuration file check

To check a configuration file for syntax errors without restarting DHCP server and applying a configuration, use dhcpd utility.
To run a check, launch dhcpd utility with -t modifier. If the configuration file is not located in the default directory, add -cf modifier

dhcpd -t -cf /path/to/dhcpd.conf

example:

root@vagrant-ubuntu-trusty-64-test1111:~# dhcpd -t -cf /etc/dhcp/dhcpd_test.conf 
Internet Systems Consortium DHCP Server 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
/etc/dhcp/dhcpd_test.conf line 97: semicolon expected.
range 
^
/etc/dhcp/dhcpd_test.conf line 105: Pool declaration with no address range.
}
^
Pool declarations must always contain at least
one range statement.
Configuration file errors encountered – exiting

DHCP-failover configuration

Add a definition to /etc/dhcp/dhcpd.conf configuration file
On the first server:

failover peer "dhcp-failover" {
primary;
address 192.168.114.8;
port 647;
peer address 192.168.114.9;
peer port 647;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
auto-partner-down 180;
mclt 1800;
split 128;
} 


On the second server:

failover peer "dhcp-failover" {
secondary;
address 192.168.114.9;
port 647;
peer address 192.168.114.8;
peer port 647;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
auto-partner-down 60;
} 


Add the following line to reserved pools (192.168.200.0 subnet)

failover peer "dhcp-failover";


Server time synchronization is essential for DHCP-failover operation. If desynchronization occurs, failures are possible.

OMAPI configuration

To set monitoring and DHCP servers' status check, generate a key and specify it in DHCP server configuration file. At first, generate keys by adding -K modifier and by specifying destination directory

root@vagrant-ubuntu-trusty-64-test1111:~# dnssec-keygen -K /etc/dhcp/ -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key 
Komapi_key.+157+35749

Get the key

root@vagrant-ubuntu-trusty-64-test1111:~# cat /etc/dhcp/Komapi_key.+157+35749.key | awk '{print $7 $8}'
kvxcUNEtu0137tWK/uEKU/MSQxinN0lTifbLwaQd0SvvhtW+PpvlHqSbHJnNLIfo7KSA7KFWtjoEUqIIJXgxmg==

Specify the obtained key, encryption algorithm, interface and omapi_key name in DHCP server configuration file

key omapi_key {
        algorithm HMAC-MD5;
        secret "kvxcUNEtu0137tWK/uEKU/MSQxinN0lTifbLwaQd0SvvhtW+PpvlHqSbHJnNLIfo7KSA7KFWtjoEUqIIJXgxmg==";
              };

omapi-port 7911;
omapi-key omapi_key;

Restart isc-dhcp-server

service isc-dhcp-server  restart

The only thing left to do is to specify EMS OMAPI key name, OMAPI key and Failover peer name in access settings



  • Нет меток