DHCP Options

Last week we upgraded our Call Manager and I had to mess around with DHCP to get some phones working correctly. I’ve been meaning to write an entry about our DHCP server configuration so I figured I would take some time to document what we do at the Circus.

We use ISC BIND and DHCP, let me explain our setup. We have two DNS/DHCP servers. The DNS servers are in master/slave and the DHCP servers are failover peers in primary/secondary. However, every time I update the DHCP configuration I didn’t want to have to think too hard about updating the the peer. So I set up the configuration files for DHCP so that I would only have to copy one file with all of the changes from one DHCP server to the other.

The configuration that is different for each server resides in /etc/dhcpd.conf and all other configuration that is shared resides in /etc/dhcpd/dhcpd.master.conf. When I make a change like adding a subnet to DHCP I only have to copy /etc/dhcpd/dhcpd.master.conf from one sever to the other and my configuration stays in sync.

The only difference between the two /etc/dhcpd.conf configuration files is the IP address of the peer and primary versus secondary.

# /etc/dhcpd.conf

# Everything that is only in the master is in this file.

# It's own ip address
subnet 192.168.1.254 netmask 255.255.255.255 {
}

failover peer "dhcp-failover" {
        primary; # declare this to be the primary server
        address 192.168.1.254;
        port 520;
        peer address 192.168.1.253;
        peer port 520;
        max-response-delay 30;
        max-unacked-updates 10;
        load balance max seconds 3;
        mclt 1800;
        split 128;
}

# All the common stuff is here.  Just copy the file below
# over to the slave when you make changes.
include "/etc/dhcpd/dhcpd.master.conf";

The master file is common to both DHCP servers. Whenever you make a change to one, just copy it over to the other DHCP server and they will always be in sync.

# /etc/dhcpd/dhcpd.master.conf
# This dhcpd server is the _real_ deal.
authoritative;

# Update using DDNS
# Tells the client where to send the forward update.
ddns-domainname "dynamic.circus.org";
ddns-update-style interim;
ddns-updates on;

# Leases
default-lease-time 345600;  # 4 days
max-lease-time 604800;  # 7 days

# Make sure we don't double up addresses by someone picking their own.
ping-check true;

# Where to look for DNS.
option domain-name-servers 192.168.1.254, 192.168.1.253;

# Windows
option netbios-name-servers 192.168.1.252;

# Netware
option slp-directory-agent true 192.168.1.251;

# What is my suffix.
option domain-name "dynamic.circus.org";

# DO NOT CHANGE THIS. This enables remote logging.
# Logging is for another post.
log-facility local3;

# The key for updating
key circus.key {
        algorithm hmac-md5;
        secret "SuperSecret";
};

# Don't let the clients screw up DDNS, let the server update.
ignore client-updates;

# Spectralink documentation says option 66 but we had to set option 150 
# in order to get them to load code from tftp.
# These options are from Spectralink:
#Option      Purpose
#   1        Subnet Mask
#   3        Default Gateway
#   6        DNS Server
#   7        Syslog Server
#  15        Domain Name
#  42        NTP (Network Time Protocol)
#  66        TFTP Server
# 151        SVP Server
# 152        OAI Gateway

option phone-tftp-server code 66 = ip-address;
option cm-tftp-server code 150 = array of ip-address;
option spectralink-svp code 151 = array of ip-address;
option spectralink-oai code 152 = ip-address;

# Notice that these configuration options are scoped.
class "spectralink" {
        match if substring (option vendor-class-identifier, 0, 11) = 
        "SpectraLink";

        option phone-tftp-server 192.168.100.240;
        option cm-tftp-server 192.168.100.240, 192.168.100.241;
        option spectralink-svp 192.168.16.11, 192.168.16.12;
        option spectralink-oai 192.168.16.13;
}

# Cisco IP phones
# These options are handed only to Cisco phones and are separate from the 
# Spectralink phones above.  
class "cisco-voip" {
        match if substring (option vendor-class-identifier, 0, 28) = 
        "Cisco Systems, Inc. IP Phone";

        option phone-tftp-server 192.168.101.240;
        option cm-tftp-server 192.168.101.240, 192.168.101.241;
}

# Cisco LWAPs look for option 43 to find the WLC, it is an array of ip addresses. 
option cisco-wlc code 43 = array of ip-address;
option cisco-wlc 192.168.10.4, 172.22.10.6, 192.168.10.8;

# To allow PXE boot.
allow booting;
allow bootp;
class "pxeclients" {
       match if substring(option vendor-class-identifier, 0, 9) = 
       "PXEClient";
       next-server 192.168.1.250;
       filename "linux-install/rhel-5-es/initrd.img";
}

# Begin subnet definitions

# Spectralink wireless phones
        subnet 192.168.16.0 netmask 255.255.254.0 {
                option subnet-mask 255.255.254.0;
                option broadcast-address 192.168.17.255;
                option routers 192.168.16.1;
                pool {
                        failover peer "dhcp-failover";
                        deny dynamic bootp clients;
                        range 192.168.16.20 192.168.17.250;
                }
        }

# Big Campus other side of town, this is a shared-network declaration.
shared-network bigcampus {
       subnet 192.168.107.0 netmask 255.255.255.0 {
                option subnet-mask 255.255.255.0;
                option broadcast-address 192.168.107.255;
                option routers 192.168.107.1;
                pool {
                        failover peer "dhcp-failover";
                        deny dynamic bootp clients;
                        range 192.168.107.10 192.168.107.200;
                }
        }
        subnet 10.1.1.0 netmask 255.255.255.0 {
                option subnet-mask 255.255.255.0;
                option broadcast-address 10.1.1.255;
                option routers 10.1.1.1;
                pool {
                        failover peer "dhcp-failover";
                        deny dynamic bootp clients;
                        range 10.1.1.10 10.1.1.200;
                        host guest-conference-room {
                                hardware ethernet 55:19:cc:d7:fe:d7;
                                fixed-address 10.1.1.220;
                        }
                }
        }
}

If you have gotten this far then you are definitely interested in DNS/DHCP. Let me plug the training that ISC provides as the best training course I have ever attended. The labs are not trivial as they are in some Cisco classes and the lecturers were awesome. The trainers were two individuals who run two different root servers on the net. They knew DNS/DHCP inside and out.

Each day we had lunch with some great resources, like Paul Vixie one day, the developers for BIND another, the DHCP developers the third day and the support staff the fourth. Each had their own spin on any question you asked and I left knowing a great deal about how I wanted to reconfigure our DNS/DHCP infrastructure.

This entry was posted in Linux. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s