Dhcp with known and unknown hosts

From Exterior Memory

The ISC DHCP server is fairly flexible: it can return fixed IP addresses for known hosts while handing out addresses from a dynamic range to unknown hosts. Keep in mind that a host is "known" only by the hardware address (or, for DHCPv6, the DUID) it sends in its own request, which any client can forge; the known/unknown distinction is an address-management convenience, not an access control.

Man page example

The dhcpd.conf man page gives the following example to distinguish between known and unknown hosts:

subnet 192.0.2.0 netmask 255.255.255.0 {
  option routers 192.0.2.1;

  # Unknown clients get this pool.
  pool {
    option domain-name-servers bogus.example.com;
    max-lease-time 300;
    range 192.0.2.200 192.0.2.253;
    allow unknown-clients;
  }

  # Known clients get this pool.
  pool {
    option domain-name-servers ns1.example.com, ns2.example.com;
    max-lease-time 28800;
    range 192.0.2.5 192.0.2.199;
    deny unknown-clients;
  }
}

host myhost1 { hardware ethernet 01:23:45:00:00:01; }
host myhost2 { hardware ethernet 01:23:45:00:00:02; }
host myhost3 { hardware ethernet 01:23:45:00:00:03; }

In this case, known hosts get an address from the range 192.0.2.5-192.0.2.199, but which one is not specified.

To give each known host a fixed IP address, add a fixed-address statement to its host declaration:

host myhost1 { hardware ethernet 01:23:45:00:00:01; fixed-address 192.0.2.5; }
host myhost2 { hardware ethernet 01:23:45:00:00:02; fixed-address 192.0.2.6; }
host myhost3 { hardware ethernet 01:23:45:00:00:03; fixed-address 192.0.2.7; }

Unfortunately, the resulting configuration has two problems:

  • the pool declaration is IPv4-only, so this layout does not carry over to IPv6
  • dhcpd reports an error like this:
Dynamic and static leases present for 192.0.2.5.
Remove host declaration myhost or remove 192.0.2.5
from the dynamic address pool for 192.0.2.0/24

The cause of the latter message is that the fixed address 192.0.2.5 lies inside a range that dhcpd also hands out dynamically. That becomes a real conflict as soon as there is a known host without a fixed address, like so:

host myhost1 { hardware ethernet 01:23:45:00:00:01; fixed-address 192.0.2.5; }
host myhost2 { hardware ethernet 01:23:45:00:00:02; fixed-address 192.0.2.6; }
host myhost3 { hardware ethernet 01:23:45:00:00:03; }

Here myhost3 is a known host, so it is served from the 192.0.2.5-192.0.2.199 range, and dhcpd may well pick 192.0.2.5 or 192.0.2.6 for it, colliding with myhost1 or myhost2. The message warns about this potential conflict and suggests changing the configuration to avoid it. If every known host has a fixed address, nothing is ever allocated from that range and the warning can be ignored. To get rid of it altogether, keep the fixed addresses outside every range, as in the following example. Running dhcpd -t -cf dhcpd.conf parses the file without starting the server and shows whether the warning is still raised.
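The check dhcpd performs at startup can be reproduced offline. The following script is an added example, not part of this page or of ISC DHCP: it scans a dhcpd.conf for range/range6 statements and host declarations, lists every fixed address that falls inside a dynamic range (what the message above complains about), and lists known hosts without a fixed address (the ones that would actually be served from such a range). It goes slightly beyond the page by handling IPv6 as well. The two embedded configurations are constructed samples mirroring the conflicting and the pool-free layouts discussed here; fixed-address values given as hostnames are not resolved and are skipped.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed dhcpd.conf fragment reproducing the conflict described on this
# page: two known hosts with fixed addresses inside the known-clients range,
# and a third known host (myhost3) without a fixed address.
CONFLICTING_CONF = """
subnet 192.0.2.0 netmask 255.255.255.0 {
  option routers 192.0.2.1;
  pool {                                   # unknown clients
    range 192.0.2.200 192.0.2.253;
    allow unknown-clients;
  }
  pool {                                   # known clients
    range 192.0.2.5 192.0.2.199;
    deny unknown-clients;
  }
}
host myhost1 { hardware ethernet 01:23:45:00:00:01; fixed-address 192.0.2.5; }
host myhost2 { hardware ethernet 01:23:45:00:00:02; fixed-address 192.0.2.6; }
host myhost3 { hardware ethernet 01:23:45:00:00:03; }
"""

# Constructed pool-free layout: the only ranges are for unknown clients and
# every known host has a fixed address outside them (IPv4 and IPv6).
CLEAN_CONF = """
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.200 192.0.2.253;
  allow unknown-clients;
}
group {
  host myhost1 { hardware ethernet 01:23:45:00:00:01; fixed-address 192.0.2.5; }
  host myhost2 { hardware ethernet 01:23:45:00:00:02; fixed-address 192.0.2.6; }
}
subnet6 2001:db8:2a:1::/64 {
  range6 2001:db8:2a:1::100 2001:db8:2a:1::ffff;
}
host myhost6 { host-identifier option dhcp6.client-id 00:03:00:01:60:b9:1f:01:23:45;
               fixed-address6 2001:db8:2a:1::5; }
"""

# range/range6 with one or two addresses (prefix and "temporary" forms are ignored).
RANGE_RE = re.compile(r"\brange6?\s+(?:dynamic-bootp\s+)?([^\s;]+)(?:\s+([^\s;]+))?\s*;")
# host declarations; "[^}]*" also spans line breaks.
HOST_RE = re.compile(r"\bhost\s+([^\s{]+)\s*\{([^}]*)\}")
# first address of a fixed-address / fixed-address6 statement.
FIXED_RE = re.compile(r"\bfixed-address6?\s+([^\s;,]+)")


def strip_comments(conf: str) -> str:
    return re.sub(r"#[^\n]*", "", conf)


def _addr(text: str) -> Optional[Addr]:
    """Parse an address literal; hostnames (which dhcpd would resolve) are skipped."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_ranges(conf: str) -> List[Tuple[Addr, Addr]]:
    ranges: List[Tuple[Addr, Addr]] = []
    for low, high in RANGE_RE.findall(strip_comments(conf)):
        lo, hi = _addr(low), _addr(high or low)
        if lo is not None and hi is not None and lo.version == hi.version:
            ranges.append((lo, hi))
    return ranges


def parse_hosts(conf: str) -> Dict[str, Optional[str]]:
    """Map host name -> raw fixed-address text, or None if the host has none."""
    hosts: Dict[str, Optional[str]] = {}
    for name, body in HOST_RE.findall(strip_comments(conf)):
        m = FIXED_RE.search(body)
        hosts[name] = m.group(1) if m else None
    return hosts


def find_conflicts(conf: str) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (fixed addresses inside a dynamic range, known hosts with no fixed address)."""
    ranges = parse_ranges(conf)
    static_in_range: List[Tuple[str, str, str]] = []
    dynamic_known: List[str] = []
    for name, raw in parse_hosts(conf).items():
        if raw is None:
            dynamic_known.append(name)
            continue
        addr = _addr(raw)
        if addr is None:
            continue  # hostname form, not checked here
        for lo, hi in ranges:
            if lo.version == addr.version and lo <= addr <= hi:
                static_in_range.append((name, str(addr), f"{lo}-{hi}"))
    return static_in_range, sorted(dynamic_known)


if __name__ == "__main__":
    for label, conf in (("conflicting", CONFLICTING_CONF), ("clean", CLEAN_CONF)):
        print(label, *find_conflicts(conf))
```

The first list is what dhcpd itself warns about; the second is the condition under which that warning describes a collision that can actually happen.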

IPv4 Example

Here is an example file that distinguishes between known and unknown clients, but does not use pools.

# Unknown clients use the 192.0.2.200-192.0.2.253 range.
subnet 192.0.2.0 netmask 255.255.255.0 {
  option routers 192.0.2.1;
  option domain-name-servers bogus.example.com;
  max-lease-time 300;
  range 192.0.2.200 192.0.2.253;
  allow unknown-clients;
}

# Known clients use specific IP addresses in the 192.0.2.5-192.0.2.199 range.
group {
  option routers 192.0.2.1;
  option domain-name-servers ns1.example.com, ns2.example.com;
  max-lease-time 28800;
  host myhost1 { hardware ethernet 01:23:45:00:00:01; fixed-address 192.0.2.5; }
  host myhost2 { hardware ethernet 01:23:45:00:00:02; fixed-address 192.0.2.6; }
  host myhost3 { hardware ethernet 01:23:45:00:00:03; fixed-address 192.0.2.7; }
}

IPv6 Example

The same approach should work for IPv6, e.g.:

# Unknown clients use the 2001:db8:2a:1::100-2001:db8:2a:1::ffff range.
subnet6 2001:db8:2a:1::/64 {
  # name servers given as IPv6 literals (documentation-prefix placeholders)
  option dhcp6.name-servers 2001:db8:2a:1::53;
  max-lease-time 604800;
  range6 2001:db8:2a:1::100 2001:db8:2a:1::ffff;
  allow unknown-clients;
}

# Known clients use specific IP addresses in the 2001:db8:2a:1::/64 range,
# matched on their DUID (dhcp6.client-id) rather than a MAC address.
group {
  option dhcp6.name-servers 2001:db8:2a:1::10, 2001:db8:2a:1::11;
  max-lease-time 2592000;
  host myhost1 {
    host-identifier option dhcp6.client-id 00:01:00:01:4a:1f:ba:e3:60:b9:1f:01:23:45;
    fixed-address6 2001:db8:2a:1::5;
  }
}

Note that:

  • DHCPv6 carries no default-gateway option; the router is learned from Router Advertisements (RA), which are part of Neighbour Discovery, so you need ND in any case.
  • Not all hosts support DHCPv6, while SLAAC (stateless address autoconfiguration) is supported by nearly all clients and is therefore recommended (and you need neighbour discovery anyway to advertise routers).
  • DHCPv6 does not match clients on MAC address but on the DHCP Unique Identifier (DUID, the dhcp6.client-id option). This ID is supposed to stay the same for the lifetime of the device, even if the network interface it was derived from is removed (it is generated once, typically from a timestamp and the MAC address of any interface). As with the IPv4 hardware address, the DUID is chosen by the client and can be forged, so it identifies a host for address management but does not authenticate it. It may be less work to configure IPv6 addresses statically than to keep track of these identifiers.
  • Most clients configure multiple IPv6 addresses, including link-local and temporary (privacy) addresses, so you probably need another method to keep track of which device uses which IP for auditing. (The neighbour discovery cache, the IPv6 counterpart of the ARP table, is a good starting point. Another option is 802.1X authentication.)
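
To make these identifiers easier to keep track of, here is an added example (not from this page or from ISC DHCP) that decodes a DUID as written in dhcpd.conf into its type, hardware type, generation time and embedded link-layer address, following the DUID layouts of RFC 8415, and shows why two DUIDs that embed the same MAC are still different identifiers. The sample DUIDs are constructed: the first is the one in the IPv6 example above, the second a DUID-LL built from the same MAC; host_declaration is a small helper of this example, not a dhcpd feature.

```python
import datetime
import uuid
from typing import Any, Dict

# DUID-LLT time fields count seconds since 2000-01-01 00:00:00 UTC (RFC 8415).
DUID_EPOCH = datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}

# Constructed samples: the DUID from the IPv6 example on this page, and a
# DUID-LL (no timestamp) built from the same link-layer address.
SAMPLE_LLT = "00:01:00:01:4a:1f:ba:e3:60:b9:1f:01:23:45"
SAMPLE_LL = "00:03:00:01:60:b9:1f:01:23:45"


def parse_duid(text: str) -> Dict[str, Any]:
    """Decode a DUID written in dhcpd.conf colon-separated hex notation."""
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) < 2:
        raise ValueError("DUID needs at least a 2-byte type field")
    duid_type = int.from_bytes(raw[:2], "big")
    info: Dict[str, Any] = {"type": duid_type,
                            "type_name": DUID_TYPES.get(duid_type, "unknown")}
    if duid_type == 1:    # DUID-LLT: hw type (2) + time (4) + link-layer address
        if len(raw) < 9:
            raise ValueError("DUID-LLT too short")
        info["hw_type"] = int.from_bytes(raw[2:4], "big")   # 1 = Ethernet
        secs = int.from_bytes(raw[4:8], "big")
        info["time_seconds"] = secs
        info["generated"] = DUID_EPOCH + datetime.timedelta(seconds=secs)
        info["link_layer"] = raw[8:].hex(":")
    elif duid_type == 2:  # DUID-EN: enterprise number (4) + vendor identifier
        if len(raw) < 6:
            raise ValueError("DUID-EN too short")
        info["enterprise"] = int.from_bytes(raw[2:6], "big")
        info["identifier"] = raw[6:].hex()
    elif duid_type == 3:  # DUID-LL: hw type (2) + link-layer address
        if len(raw) < 5:
            raise ValueError("DUID-LL too short")
        info["hw_type"] = int.from_bytes(raw[2:4], "big")
        info["link_layer"] = raw[4:].hex(":")
    elif duid_type == 4:  # DUID-UUID: 128-bit UUID
        if len(raw) < 18:
            raise ValueError("DUID-UUID too short")
        info["uuid"] = str(uuid.UUID(bytes=raw[2:18]))
    return info


def same_link_layer(duid_a: str, duid_b: str) -> bool:
    """True if both DUIDs embed a link-layer address and those addresses match.

    Useful when correlating a DUID with an ARP/ND table entry; note that dhcpd
    matches on the whole DUID, so two such DUIDs are still different clients."""
    a, b = parse_duid(duid_a), parse_duid(duid_b)
    return "link_layer" in a and a["link_layer"] == b.get("link_layer")


def host_declaration(name: str, duid: str, address: str) -> str:
    """Emit the dhcpd.conf host block for a known DHCPv6 client (example helper)."""
    parse_duid(duid)  # raises on malformed input before it reaches the config
    return (f"host {name} {{\n"
            f"  host-identifier option dhcp6.client-id {duid};\n"
            f"  fixed-address6 {address};\n"
            f"}}")


if __name__ == "__main__":
    for d in (SAMPLE_LLT, SAMPLE_LL):
        print(d, parse_duid(d))
    print(host_declaration("myhost1", SAMPLE_LLT, "2001:db8:2a:1::5"))
```

The decoded time is only as trustworthy as the client that generated the DUID; like the MAC it embeds, it is self-reported and says nothing about who is actually sending the request.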

Given these issues, I recommend using neighbour discovery in general and SLAAC in particular, both to configure and to keep track of IPv6 addresses on clients.