Debian – DHCP Server with multiple network interfaces and different subnets

Tags: debian, dhcp, subnet, vmware-esxi

I am trying to set up a dhcp server (isc dhcpd on debian 8 (vm inside an esxi environment)) with 4 network interfaces, eth0-3. The dhcp server should serve a different subnet on the interfaces eth1, eth2, eth3. Each subnet has its own vSwitch (vSphere) and the dhcp server is connected to each vSwitch.

The network interface setup looks like this:

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

auto eth1
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255

auto eth2
iface eth2 inet static
    address 172.16.0.1
    netmask 255.255.255.0
    network 172.16.0.0
    broadcast 172.16.0.255

auto eth3
iface eth3 inet static
    address 10.0.1.1
    netmask 255.255.255.0
    network 10.0.1.0
    broadcast 10.0.1.255

The current dhcpd configuration looks like this:

# dhcpd.conf

default-lease-time 600;
max-lease-time 7200;

subnet 172.16.0.0 netmask 255.255.255.0 {
    range 172.16.0.2 172.16.0.100;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 172.16.0.1;
    option routers 172.16.0.1;
    option broadcast-address 172.16.0.255;
}

subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.2 10.0.0.100;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 10.0.0.1;
    option routers 10.0.0.1;
    option broadcast-address 10.0.0.255;
}

subnet 10.0.1.0 netmask 255.255.255.0 {
    range 10.0.1.2 10.0.1.100;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 10.0.1.1;
    option routers 10.0.1.1;
    option broadcast-address 10.0.1.255;
}

And finally, the dhcpd init script looks like this:

# /etc/default/isc-dhcp-server

DHCPD_CONF=/etc/dhcp/dhcpd.conf
DHCPD_PID=/var/run/dhcpd.pid
INTERFACES="eth1 eth2 eth3"

So far so good.
However, what happens at the moment is that clients only get dhcp traffic via the eth1 interface. The other two network interfaces are ignored. Even when I remove eth1 from the isc-dhcp-server init script, it is still used and serves ip addresses:

isc-dhcp-server[1467]: Starting ISC DHCP server: dhcpd.
dhcpd: DHCPDISCOVER from 00:0a:26:37:6f:12 via eth1
dhcpd: DHCPOFFER on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1
dhcpd: DHCPREQUEST for 10.0.0.2 (10.0.0.1) from 00:0a:26:37:6f:12 (client0) via eth1
dhcpd: DHCPACK on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1

How can I make sure that a certain network/subnet is only served using a specific network interface? How does the dhcp server know which client belongs to which subnet? I know that I can specify hosts for a subnet using the hosts notation (hardware address, hostname, etc.). However, for me that defeats the purpose of dhcp, because I want to be able to assign ip addresses dynamically without having to touch the dhcp configuration whenever I add a new client to a subnet.
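An added check (not part of the question or the answer) that runs over dhcpd's syslog lines of the kind shown above: it maps each serving interface to the subnet from the `/etc/network/interfaces` file in the question, flags any OFFER/ACK whose address is outside the subnet bound to the interface it went out on (or that went out on a non-serving interface such as eth0), and reports which serving interfaces never saw a DISCOVER, which is the symptom described. The log lines beyond the four from the question are constructed.

```python
import ipaddress
import re

# Interface -> subnet mapping copied from the /etc/network/interfaces above;
# eth0 is the management NIC and is deliberately absent from INTERFACES.
IFACE_SUBNETS = {
    "eth1": ipaddress.ip_network("10.0.0.0/24"),
    "eth2": ipaddress.ip_network("172.16.0.0/24"),
    "eth3": ipaddress.ip_network("10.0.1.0/24"),
}

# Matches the lease lines dhcpd writes to syslog, e.g.
# "dhcpd: DHCPOFFER on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1"
LEASE_RE = re.compile(
    r"DHCP(?:OFFER|ACK) on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \([^)]*\))? via (?P<iface>\S+)"
)
DISCOVER_RE = re.compile(r"DHCPDISCOVER from [0-9a-f:]{17} via (?P<iface>\S+)")

# Constructed sample: the four lines from the question plus two lines that
# should never appear on a correctly bound server.
SAMPLE_LOG = [
    "dhcpd: DHCPDISCOVER from 00:0a:26:37:6f:12 via eth1",
    "dhcpd: DHCPOFFER on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1",
    "dhcpd: DHCPREQUEST for 10.0.0.2 (10.0.0.1) from 00:0a:26:37:6f:12 (client0) via eth1",
    "dhcpd: DHCPACK on 10.0.0.2 to 00:0a:26:37:6f:12 (client0) via eth1",
    "dhcpd: DHCPOFFER on 172.16.0.5 to 00:0a:26:37:6f:13 via eth1",   # eth2 pool on eth1
    "dhcpd: DHCPACK on 192.168.1.50 to 00:0a:26:37:6f:14 (box) via eth0",  # management NIC
]

def audit(lines):
    """Return (line, reason) for every OFFER/ACK whose address is outside the
    subnet bound to the interface it was sent on, or that was sent on an
    interface dhcpd should not be serving at all."""
    findings = []
    for line in lines:
        m = LEASE_RE.search(line)
        if not m:
            continue
        iface, ip = m["iface"], ipaddress.ip_address(m["ip"])
        if iface not in IFACE_SUBNETS:
            findings.append((line, f"lease sent on non-serving interface {iface}"))
        elif ip not in IFACE_SUBNETS[iface]:
            findings.append((line, f"{ip} is outside {IFACE_SUBNETS[iface]} bound to {iface}"))
    return findings

def silent_interfaces(lines):
    """Serving interfaces that never saw a DHCPDISCOVER: the symptom in the
    question, where only eth1 ever receives client traffic."""
    seen = {m["iface"] for m in map(DISCOVER_RE.search, lines) if m}
    return sorted(set(IFACE_SUBNETS) - seen)
```

Feed it `journalctl -u isc-dhcp-server` or the syslog file dhcpd logs to; a non-empty `audit()` result on a server that binds only eth1-eth3 points at a binding or pool mistake, or at a second DHCP server on the segment.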

Best Answer

So here we go with a little explanation of what happens. PLEASE note that I would strongly advise running the configurations inside a testing environment to make sure everything works as you want it to!

Edit: Please also note that your switches need to be properly configured. We are using CISCO switches. To generate an OMAPI Key, you can follow guide1 or guide2.

How to make isc-dhcp-server listen on multiple subnets. This mini-guide will give you a basic configuration idea and some additional material to read to fully understand what's going on.

dhcpd.conf:

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
     secret your-secret-key;
}

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
# option domain-name-servers x.x.x.x,y.y.y.y;
option netbios-node-type 2;

default-lease-time 7200;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# Failover Configuration

failover peer "failover-partner" {
        primary;
        # this server's IP address
        address A.A.A.A;
        port 519;
        # dhcp failover ip address
        peer address B.B.B.B;
        peer port 520;
        max-response-delay 60;
        max-unacked-updates 10;
        mclt 3600;
        split 128;
        load balance max seconds 3;
}

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

# here we include specific configuration files for our different subnets.
# I'll provide an example for a configuration file, all other subnet configuration files
# are (in my scenario) written the same way.

include "/etc/dhcp/X.Y.1.Z.conf";
include "/etc/dhcp/X.Y.2.Z.conf";
include "/etc/dhcp/X.Y.3.Z.conf";

X.Y.1.Z.conf:

#____________________________________
# subnet information  X.Y.1.0/24
#____________________________________
subnet X.Y.1.0 netmask 255.255.255.0 {
        deny client-updates;
        deny unknown-clients;
        # gateway of this subnet  
        option routers X.Y.1.254;
        # DNS server(s)
        option domain-name-servers 123.123.123.1, 123.123.123.2;
        # search domain(s) for this subnet. Needs the "" to work!
        option domain-search "domain1", "domain2";
        # name of domain of this subnet (if exists, otherwise comment out)
        option domain-name "mydomain";
        # ntp server if you are running one
        option ntp-servers X.Y.Z.254;
        default-lease-time 86400;
        max-lease-time 86400;

        group {
            use-host-decl-names on;

            # Infodisplay
            host dns-name-1 {
                # mac address of client
                hardware ethernet 00:00:00:00:00:00;
                # ip address the above mac address will receive
                fixed-address 123.123.123.1;
            }
        }
}

Other configuration files for subnets are built equally. Be sure, if you run a DHCP VM inside ESXi, to make the VM available to all your networks / VLANs. The isc-dhcp-server then needs to listen on all networks it's expected to, so it can handle different subnets all within one running instance of isc-dhcp-server. If you want to omit downtime or a non-working network, you can of course run a second VM with isc-dhcp-server in slave mode like this:

slave dhcpd.conf:

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
     secret your-secret-key;
}

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
# option domain-name-servers x.x.x.x,y.y.y.y;
option netbios-node-type 2;

default-lease-time 7200;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# Failover Configuration

failover peer "failover-partner" {
        secondary;
        # this server's IP address
        address B.B.B.B;
        port 520;
        # dhcp master ip address
        peer address A.A.A.A;
        peer port 519;
        max-response-delay 60;
        max-unacked-updates 10;
        # mclt and split are declared on the primary only
        load balance max seconds 3;
}

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

# here we include specific configuration files for our different subnets.
# I'll provide an example for a configuration file, all other subnet configuration files
# are (in my scenario) written the same way.

include "/etc/dhcp/X.Y.1.Z.conf";
include "/etc/dhcp/X.Y.2.Z.conf";
include "/etc/dhcp/X.Y.3.Z.conf";

Make sure the secret keys are the same on both machines; otherwise client and server are not able to communicate or even do a failover switch if the server fails and the slave is expected to take over the dhcp functionality.


If you have the hardware/setup options, please setup all this in an experimental environment.

PLEASE DO NOT INSTANTLY RUN THIS IN A PRODUCTION ENVIRONMENT.

You can stop making your network clients work within seconds and that's what your boss will not like.
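An added consistency check (not part of the answer) for the primary/secondary pair described above: it parses the `failover peer` block and the `key` secret out of both dhcpd.conf files and reports the mistakes that keep a failover pair from ever synchronising, such as both sides declaring `primary`, `address`/`peer address` or `port`/`peer port` not mirroring each other, `mclt`/`split` appearing on the secondary, or differing OMAPI secrets. The sample configs are constructed from the answer's placeholders (A.A.A.A, B.B.B.B, your-secret-key).

```python
import re

BLOCK_RE = re.compile(r'failover peer "(?P<name>[^"]+)"\s*\{(?P<body>.*?)\}', re.S)
SECRET_RE = re.compile(r"\bsecret\s+([^;\s]+)\s*;")

def parse_failover(conf):
    """Return {'name': ..., 'role': ..., statement: value} from the failover
    peer block of one dhcpd.conf, or None if there is no such block."""
    m = BLOCK_RE.search(conf)
    if not m:
        return None
    stmts = {"name": m["name"]}
    for stmt in re.sub(r"#[^\n]*", "", m["body"]).split(";"):
        stmt = " ".join(stmt.split())          # collapse whitespace/newlines
        if stmt in ("primary", "secondary"):
            stmts["role"] = stmt
        elif stmt:
            key, _, value = stmt.rpartition(" ")   # "peer address X" -> ("peer address", "X")
            stmts[key] = value
    return stmts

def check_pair(primary_conf, secondary_conf):
    """List the inconsistencies between a primary and a secondary config."""
    p, s = parse_failover(primary_conf), parse_failover(secondary_conf)
    if p is None or s is None:
        return ["failover peer block missing on one side"]
    problems = []
    if p["name"] != s["name"]:
        problems.append("failover peer names differ")
    if (p.get("role"), s.get("role")) != ("primary", "secondary"):
        problems.append("one side must be 'primary' and the other 'secondary'")
    if p.get("address") != s.get("peer address") or s.get("address") != p.get("peer address"):
        problems.append("address / peer address do not cross-match")
    if p.get("port") != s.get("peer port") or s.get("port") != p.get("peer port"):
        problems.append("port / peer port do not cross-match")
    problems += [f"'{k}' is allowed only on the primary" for k in ("mclt", "split") if k in s]
    ps, ss = SECRET_RE.search(primary_conf), SECRET_RE.search(secondary_conf)
    if not (ps and ss and ps[1] == ss[1]):
        problems.append("omapi key secrets differ or are missing")
    return problems

# Constructed samples (placeholders A.A.A.A / B.B.B.B as in the answer).
PRIMARY = '''key omapi_key { algorithm hmac-md5; secret your-secret-key; }
failover peer "failover-partner" { primary; address A.A.A.A; port 519;
  peer address B.B.B.B; peer port 520; mclt 3600; split 128; }'''
SECONDARY = '''key omapi_key { algorithm hmac-md5; secret your-secret-key; }
failover peer "failover-partner" { secondary; address B.B.B.B; port 520;
  peer address A.A.A.A; peer port 519; }'''
```

Run `check_pair(open(primary_path).read(), open(secondary_path).read())` against the two real files before restarting either server; an empty list is the only acceptable result.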