Description
It is suggested to use the free ISC-DHCP-SERVER as the DHCP server. In the Eltex.SoftWLC project it performs the following tasks:
- Assigning primary (external) IP addresses to access points, with option 43 (suboptions 11 and 12) making it possible to create GRE tunnels to the ESR.
- Assigning secondary (management, tunnel) IP addresses to access points, with option 43 (suboptions 10 and 13) used for AP management, detection and automatic initialization.
- Assigning IP addresses to Wi-Fi users connecting to the access points.
- Classifying DHCP clients by option 82, option 60 and the giaddr field (giAddrField).
Starting/stopping procedure
To stop the service, the following command is used:
service isc-dhcp-server stop
To start the service after stopping:
service isc-dhcp-server start
To check the service status, use the command:
service isc-dhcp-server status
This will be followed by a message:
* isc-dhcp-server is running
if the service is running, or by
* isc-dhcp-server is not running
if it is not.
DHCP server configuration
Network settings
Network Interfaces
The DHCP server should have interfaces in three subnets:
- inner operator subnet — a subnet used for connection to the operator's internal network. Administrators and operators connect to the EMS GUI through it, and communication with the SMS gateway and the operator's services via the NorthboundInterface takes place within this network. This subnet has a virtual interface (keepalived is used);
- outer operator subnet — a subnet used for connection to access points and other network devices. Strict security policies apply to it. This subnet has a virtual interface (keepalived is used);
- outer subnet for receiving DHCP requests from relay agents on the operator's edge equipment.
Example of interface configuration in the /etc/network/interfaces file:
# Interface in the outer operator's exchange network
auto eth1.102
iface eth1.102 inet static
    address 192.168.114.8
    netmask 255.255.255.192
    network 192.168.114.0
    vlan_raw_device eth1

# Interface in the inner operator network
auto eth1.100
iface eth1.100 inet static
    address 172.17.209.9
    netmask 255.255.255.192
    network 172.17.209.0
    vlan_raw_device eth1

# Interface for assigning IP addresses to access points
auto eth1.101
iface eth1.101 inet static
    address 10.203.5.7
    netmask 255.255.255.192
    network 10.203.5.0
    vlan_raw_device eth1
Routing
The DHCP server should have access to three subnets:
- 10.203.32.0 — for assigning primary IP addresses to access points;
- 192.168.200.0 — for assigning management IP addresses to access points;
- 100.65.64.0 — for assigning IP addresses to client devices.
Example of route configuration in the /etc/network/interfaces file:
up ip route add 100.65.64.0/22 via 192.168.114.10
up ip route add 192.168.200.0/22 via 192.168.114.10
up ip route add 10.203.32.0/19 via 10.203.5.1
ISC-DHCP-SERVER configuration
/etc/default/isc-dhcp-server
The file contains the basic settings, in particular the list of network interfaces the server listens on:
INTERFACES="eth1.101 eth1.102"
/etc/dhcp/dhcpd.conf
Address pool configuration of the DHCP server.
Configuration example:
default-lease-time 60;
max-lease-time 120;
log-facility local7;

class "ELTEX-DEVICES" {
    match if (
        (substring (option vendor-class-identifier, 0, 14) = "ELTEX_WEP-12AC") or
        (substring (option vendor-class-identifier, 0, 14) = "ELTEX_WOP-12AC") or
        (substring (option vendor-class-identifier, 0, 14) = "ELTX_WEP-12AC") or
        (substring (option vendor-class-identifier, 0, 14) = "ELTX_WOP-12AC")
    );
}

# Empty declarations for the networks of the server's own listening interfaces
# (dhcpd needs one per interface it serves on)
subnet 192.168.114.0 netmask 255.255.255.192 {}
subnet 10.203.5.0 netmask 255.255.255.192 {}

# First IP subnet: primary addresses for access points
subnet 10.203.32.0 netmask 255.255.254.0 {
    pool {
        option routers 10.203.32.2;
        range 10.203.32.130 10.203.32.230;
        failover peer "dhcp-failover";
        option vendor-encapsulated-options 0B:0C:31:30:2E:32:30:33:2E:35:2E:31:31:32:0C:0C:31:30:2E:32:30:33:2E:35:2E:31:31:33;
        allow members of "ELTEX-DEVICES";
    }
}

# Management IP subnet: secondary addresses for access points
subnet 192.168.200.0 netmask 255.255.252.0 {
    pool {
        option routers 192.168.200.5;
        range 192.168.200.120 192.168.200.164;
        failover peer "dhcp-failover";
        option vendor-encapsulated-options 0A:0F:31:39:32:2E:31:36:38:2E:31:31:34:2E:31:30:34;
        allow members of "ELTEX-DEVICES";
    }
}

# User IP subnet for users (clients)
subnet 200.65.64.0 netmask 255.255.240.0 {
    pool {
        option routers 200.65.64.5;
        range 200.65.64.200 200.65.64.250;
        failover peer "dhcp-failover";
        option domain-name-servers 172.16.0.1, 8.8.8.8;
    }
}
Configuring access points' static addresses
If predetermined secondary IP addresses of access points should be used in the management network, a list of static hosts can be configured. To avoid overloading /etc/dhcp/dhcpd.conf, take the following steps:
1. Create a file that will hold the list. It may be located in any directory, for example /var/lib/dhcp/:
touch /var/lib/dhcp/hosts
2. Add entries to the file.
Entry format:
host wep_01 {
    hardware ethernet a8:f9:4b:b0:00:01;
    fixed-address 192.168.200.133;
}
Where:
- host wep_01 — the host name.
- hardware ethernet a8:f9:4b:b0:00:01 — the MAC address of the device. Note that to obtain a secondary address an access point uses a MAC one greater than the MAC it used to obtain the primary address.
- fixed-address 192.168.200.133 — the IP address of the device.
3. Add the following line to the AP address pool:
include "/var/lib/dhcp/hosts";
4. To allow the DHCP server to read the file, set its owner:
chown dhcpd:dhcpd /var/lib/dhcp/hosts
5. Allow reading the file in AppArmor by adding the following line to the /etc/apparmor.d/usr.sbin.dhcpd file (the line must end with a comma):
/var/lib/dhcp/hosts r,
6. Restart the services:
service apparmor restart
service isc-dhcp-server restart
Pool configuration example:
subnet 192.168.200.0 netmask 255.255.252.0 {
    pool {
        option routers 192.168.200.5;
        range 192.168.200.120 192.168.200.164;
        option vendor-encapsulated-options 0A:0F:31:39:32:2E:31:36:38:2E:31:31:34:2E:31:30:34;
        include "/var/lib/dhcp/hosts";
    }
}
The lists must be created on both servers and kept identical. Restart the servers after changing the lists' contents.
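As an added example (not part of the Eltex documentation), the following Python script generates entries for the static hosts file from the access points' primary MAC addresses, applying the MAC+1 rule described above; the management network 192.168.200.0/22 and the duplicate check are assumptions for illustration.

```python
"""Generate dhcpd 'host' entries for Eltex access points' management addresses.
Added example; not part of the Eltex documentation. It encodes the rule stated
above: the AP requests its secondary address with a MAC one greater than the
MAC used for the primary address. The management network is an assumption
taken from the 192.168.200.0/22 pool on this page."""
import ipaddress
import re
from typing import Iterable, Tuple

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def secondary_mac(primary_mac: str) -> str:
    """Return primary MAC + 1, carrying across octets (..:00:ff -> ..:01:00)."""
    if not MAC_RE.match(primary_mac):
        raise ValueError(f"malformed MAC address: {primary_mac}")
    value = int(primary_mac.replace(":", ""), 16) + 1
    if value > 0xFFFFFFFFFFFF:
        raise ValueError("MAC address overflow")
    digits = f"{value:012x}"
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def host_entry(name: str, primary_mac: str, address: str,
               management_net: str = "192.168.200.0/22") -> str:
    """Render one host stanza, refusing addresses outside the management subnet."""
    ip = ipaddress.ip_address(address)
    if ip not in ipaddress.ip_network(management_net):
        raise ValueError(f"{address} is not inside {management_net}")
    return (f"host {name} {{\n"
            f"    hardware ethernet {secondary_mac(primary_mac)};\n"
            f"    fixed-address {ip};\n"
            f"}}\n")


def render_hosts_file(aps: Iterable[Tuple[str, str, str]]) -> str:
    """Join entries for (name, primary_mac, address) tuples into the file body,
    rejecting duplicate names, MACs or addresses before they reach dhcpd."""
    seen = set()
    parts = []
    for name, mac, address in aps:
        for key in (name, secondary_mac(mac), address):
            if key in seen:
                raise ValueError(f"duplicate value in host list: {key}")
            seen.add(key)
        parts.append(host_entry(name, mac, address))
    return "".join(parts)
```

Write the returned text to the hosts file on both servers and run the dhcpd -t check described later on this page before restarting.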
Option 82 usage
If option 82 is required, new classes should be created as follows:
class "NEW_class" {
    match if (
        (option agent.circuit-id = "E320-1-210:GigabitEthernet 1/0/2.25030007:2503-7") and (
            (substring (option vendor-class-identifier, 0, 14) = "ELTEX_WEP-12AC") or
            (substring (option vendor-class-identifier, 0, 14) = "ELTEX_WOP-12AC") or
            (substring (option vendor-class-identifier, 0, 14) = "ELTX_WEP-12AC") or
            (substring (option vendor-class-identifier, 0, 14) = "ELTX_WOP-12AC")
        )
    );
}
The created class should be defined in a pool, for example:
subnet 192.168.200.0 netmask 255.255.252.0 {
    pool {
        option routers 192.168.200.5;
        range 192.168.200.120 192.168.200.164;
        option vendor-encapsulated-options 0A:0F:31:39:32:2E:31:36:38:2E:31:31:34:2E:31:30:34;
        allow members of "NEW_class";
    }
}
After that, addresses from the pool will be assigned only to devices of this class.
Option 43 usage
The option is used to pass vendor-specific data to DHCP clients.
The following suboptions are used in SoftWLC:
Suboption | Description
----------|------------
10 | EMS server address.
11 | Address for management tunnel creation.
12 | Address for data tunnel creation.
13 | Option identifying the carrier network area the access point belongs to.
According to RFC 2132, the format is as follows:
When encapsulated vendor-specific extensions are used, the information bytes 1-n have the following format:

 Code   Len   Data item        Code   Len   Data item   Code
+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
|  T1 |  n  |  d1 |  d2 | ... |  T2 |  n  |  D1 |  D2 | ... | ... |
+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
The option is written in hexadecimal (HEX) notation, so all data must be converted from ASCII to HEX.
The bytes are separated by colons ':' and the line ends with a semicolon ';'.
Option examples:
- In the primary address pool, option 43 (suboptions 11 and 12) is specified as follows:
option vendor-encapsulated-options 0B:0B:31:30:2E:32:30:33:2E:35:2E:31:30:0C:0B:31:30:2E:32:30:33:2E:35:2E:31:31;
Decoding:
    suboption 11, 11 characters long, contains the address 10.203.5.10;
    suboption 12, 11 characters long, contains the address 10.203.5.11.
- In the secondary address pool, option 43 (suboption 10) is specified as follows:
option vendor-encapsulated-options 0A:0D:31:39:32:2E:31:36:38:2E:31:31:34:2E:34;
Decoding:
    suboption 10, 13 characters long, contains the address 192.168.114.4.
- Suboption 13 is specified as follows:
option vendor-encapsulated-options 0D:0A:65:6c:74:65:78:2e:72:6f:6f:74;
Decoding:
    suboption 13, 10 characters long, contains the domain eltex.root.
If several suboptions must be passed in one pool, they are written on the same line. For example, for suboptions 10 and 13:
option vendor-encapsulated-options 0A:0D:31:39:32:2E:31:36:38:2E:31:31:34:2E:34:0D:0A:65:6c:74:65:78:2e:72:6f:6f:74;
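As an added example (not part of the Eltex documentation or of dhcpd), this Python encoder/decoder produces the hex value for any set of ASCII suboptions and verifies the length bytes of an existing value; it generalises the hand-encoded examples above to arbitrary suboption sets.

```python
"""Encode/decode the hex value of dhcpd's 'option vendor-encapsulated-options'
(DHCP option 43 carrying RFC 2132 encapsulated vendor-specific suboptions).
Added example; not part of the Eltex documentation or of ISC dhcpd."""
from typing import Dict


def encode_vendor_options(suboptions: Dict[int, str]) -> str:
    """Build the colon-separated hex string from a {code: ascii value} mapping.
    Each suboption is emitted as <code> <len> <data...>, one byte per field,
    in ascending code order so the output is deterministic."""
    out = []
    for code in sorted(suboptions):
        data = suboptions[code].encode("ascii")
        if not 1 <= code <= 254:  # 0 (pad) and 255 (end) keep their RFC 2132 meaning
            raise ValueError(f"suboption code {code} out of range 1..254")
        if len(data) > 255:       # the length is a single byte
            raise ValueError(f"suboption {code}: value longer than 255 bytes")
        out += [code, len(data), *data]
    return ":".join(f"{b:02X}" for b in out)


def decode_vendor_options(hexstr: str) -> Dict[int, str]:
    """Parse the hex string back into {code: ascii value}.
    Accepts single-digit bytes ('A:F:...') and a trailing ';' as dhcpd does,
    and checks every declared length against the bytes actually present,
    the usual slip when such a value is edited by hand."""
    raw = bytes(int(tok, 16) for tok in hexstr.strip().rstrip(";").split(":"))
    result: Dict[int, str] = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError(f"truncated suboption header at byte {i}")
        code, length = raw[i], raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"suboption {code}: declares {length} bytes, {len(data)} present")
        result[code] = data.decode("ascii")
        i += 2 + length
    return result


if __name__ == "__main__":
    # Suboptions 10 and 13 from the secondary-pool example on this page.
    value = encode_vendor_options({10: "192.168.114.4", 13: "eltex.root"})
    print(f"option vendor-encapsulated-options {value};")
    print(decode_vendor_options(value))
```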
dhcpd configuration file check
To check a configuration file for syntax errors without restarting the DHCP server and applying the configuration, use the dhcpd utility itself.
Run dhcpd with the -t option. If the configuration file is not in the default location, add the -cf option:
dhcpd -t -cf /path/to/dhcpd.conf
Example:
root@vagrant-ubuntu-trusty-64-test1111:~# dhcpd -t -cf /etc/dhcp/dhcpd_test.conf
Internet Systems Consortium DHCP Server 4.2.4
Copyright 2004-2012 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
/etc/dhcp/dhcpd_test.conf line 97: semicolon expected.
        range
        ^
/etc/dhcp/dhcpd_test.conf line 105: Pool declaration with no address range.
}
^
Pool declarations must always contain at least one range statement.
Configuration file errors encountered -- exiting
DHCP-failover configuration
Add a failover peer definition to the /etc/dhcp/dhcpd.conf configuration file.
On the first server:
failover peer "dhcp-failover" {
    primary;
    address 192.168.114.8;
    port 647;
    peer address 192.168.114.9;
    peer port 647;
    max-response-delay 30;
    max-unacked-updates 10;
    load balance max seconds 3;
    auto-partner-down 180;
    mclt 1800;
    split 128;
}
On the second server:
failover peer "dhcp-failover" {
    secondary;
    address 192.168.114.9;
    port 647;
    peer address 192.168.114.8;
    peer port 647;
    max-response-delay 30;
    max-unacked-updates 10;
    load balance max seconds 3;
    auto-partner-down 60;
}
Add the following line to the reserved pools (192.168.200.0 subnet):
failover peer "dhcp-failover";
OMAPI configuration
To set up monitoring and status checks of the DHCP servers, generate a key and specify it in the DHCP server configuration file. First, generate the key with dnssec-keygen, using the -K option to specify the destination directory:
root@vagrant-ubuntu-trusty-64-test1111:~# dnssec-keygen -K /etc/dhcp/ -r /dev/urandom -a HMAC-MD5 -b 512 -n HOST omapi_key
Komapi_key.+157+35749
Get the key:
root@vagrant-ubuntu-trusty-64-test1111:~# cat /etc/dhcp/Komapi_key.+157+35749.key | awk '{print $7 $8}'
kvxcUNEtu0137tWK/uEKU/MSQxinN0lTifbLwaQd0SvvhtW+PpvlHqSbHJnNLIfo7KSA7KFWtjoEUqIIJXgxmg==
Specify the obtained key, its algorithm, the OMAPI port and the key name (omapi_key) in the DHCP server configuration file:
key omapi_key {
    algorithm HMAC-MD5;
    secret "kvxcUNEtu0137tWK/uEKU/MSQxinN0lTifbLwaQd0SvvhtW+PpvlHqSbHJnNLIfo7KSA7KFWtjoEUqIIJXgxmg==";
};
omapi-port 7911;
omapi-key omapi_key;
Restart isc-dhcp-server:
service isc-dhcp-server restart
Finally, specify the EMS OMAPI key name, the OMAPI key and the failover peer name in the access settings.