[Kea-users] Configuring kea for relayed subnets *not* on its own interface's address


[Kea-users] Configuring kea for relayed subnets *not* on its own interface's address

Jeff Kletsky
I've been able to get kea to run nicely as a DHCP server in
"conventional" mode with an interface listening on every one of the
VLANs that I need to serve.

I'm trying to configure it now so that it only responds to relayed DHCP
through my Cisco SG300-series switches.

     "dhcp-socket-type": "udp"

is already set.


I've been able to decode the Cisco format and it appears to properly
assign the client-class based on the VLAN:

kea.conf:

         "client-classes": [
         <?include "/usr/local/etc/kea/client_classes.conf"?>
         ],

client_classes.conf includes:

     {
         "name": "VLAN_1010",
         "test": "substring(relay4[1].hex, 2, 2) == 0x03F2"
     }


Thanks to the debugging instructions in 13.9 (very helpful!), I was able
to fix my first shot and "test" the above expressions. They match as
expected, with that match being logged in the kea-dhcp4 log:

     EVAL_RESULT Expression VLAN_1010 evaluated to 1


In my application, the DHCP server and switches are "talking" on
addresses in the 10.2.87.0/24 range, but the pool is in the
10.10.10.0/24 range.


Setting the subnet parameter to correspond to the pool results in
"failed to select a subnet for incoming packet".

The subnet parameter is mandatory, so I can't just use the client-class
to select the pool.

If I set it to 10.2.87.0/24 then kea won't start, complaining that the
pool does not match the prefix of the subnet.

So far, the rather ugly solution of setting the subnet to one that
overlaps both the interface's address and the pool is all I've found to
be functional:

     {
         "subnet": "10.0.0.0/8",
         "pools": [ { "pool": "10.10.10.200 - 10.10.10.219" } ],
         "client-class": "VLAN_1010",

     [...]

(similarly <?include "ed"?> in the subnet4 section)


The kea instance will *only* be answering relayed DHCP, never direct
connections.


Is there a better way to configure this?


TIA,

Jeff







_______________________________________________
Kea-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/kea-users
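The class test in the post above compares two bytes of Option 82 sub-option 1 against 0x03F2 (decimal 1010). The following is an added Python example, not code from the thread or from Kea, that decodes an Option 82 blob the way `relay4[N].hex` exposes it and applies that test; the circuit-id layout (2-byte header, 2-byte VLAN, module, port) and the sample payloads are assumptions constructed for the example.

```python
# Added example (not from the thread or from Kea): decode a DHCPv4 Option 82
# blob the way Kea's "relay4[N].hex" exposes it, then apply the thread's
# VLAN_1010 test: substring(relay4[1].hex, 2, 2) == 0x03F2.
# Assumption: the circuit-id (sub-option 1) uses the common Cisco layout of
# 2-byte header, 2-byte VLAN, 1-byte module, 1-byte port. Samples are constructed.

def parse_option82(payload: bytes) -> dict:
    """Split Option 82 into {sub-option code: value}; Kea's relay4[N]."""
    subs = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option %d" % code)
        subs[code] = value
        i += 2 + length
    return subs


def relay4_substring(subs: dict, n: int, start: int, length: int) -> bytes:
    """Model of Kea's substring(relay4[n].hex, start, length); a missing
    sub-option behaves like an empty string, so the class test simply fails."""
    return subs.get(n, b"")[start:start + length]


def classify(payload: bytes) -> list:
    """Client classes whose test matches; only VLAN_1010 is defined here."""
    subs = parse_option82(payload)
    classes = []
    # 0x03F2 in a Kea expression is the two-byte string 03 F2 (VLAN 1010)
    if relay4_substring(subs, 1, 2, 2) == bytes.fromhex("03f2"):
        classes.append("VLAN_1010")
    return classes


def circuit_details(payload: bytes) -> dict:
    """Decode VLAN, module and port from the circuit-id (assumed layout)."""
    cid = parse_option82(payload)[1]
    if len(cid) < 6:
        raise ValueError("circuit-id shorter than the assumed 6 bytes")
    return {"vlan": int.from_bytes(cid[2:4], "big"),
            "module": cid[4], "port": cid[5]}


# Constructed samples: sub-option 1 (circuit-id) = 00 04 <vlan> <module> <port>,
# sub-option 2 (remote-id) = a made-up switch MAC.
SAMPLE_VLAN_1010 = bytes.fromhex("0106000403f2010a" "020600112233aabb")
SAMPLE_VLAN_1020 = bytes.fromhex("0106000403fc0105" "020600112233aabb")
```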

Re: [Kea-users] Configuring kea for relayed subnets *not* on its own interface's address

Francis Dupont
A client-class in a subnet may be used only to refuse a subnet selection.
 In your case your config requires a positive selector, for instance
a relay address (relayed messages) or an interface (direct connected
clients).

Regards

Francis Dupont <[hidden email]>

PS: there is a third possibility for unicasted messages where the subnet
specification matches the client address, cf "How the DHCPv4 Server Selects
a Subnet for the Client" in the manual.
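The selection rule Francis describes (a positive selector picks candidate subnets, the subnet's client-class can only refuse one), as an added Python model that is not Kea's code. It replays the three configurations from the thread with a constructed relay address; the `relay` clause is written in the `ip-addresses` list form of later Kea releases, whereas the releases current at the time took a single `ip-address`.

```python
# Added example (not Kea code): a simplified model of DHCPv4 subnet selection.
# A positive selector (relay address for relayed packets, receiving interface
# for directly connected clients) picks candidates; a "client-class" on the
# subnet can only refuse one. The relay address is constructed; the subnet
# and pool values are the ones from the thread.
import ipaddress


def select_subnet4(subnets, giaddr, iface_addr, client_classes):
    """Return the "subnet" of the first acceptable subnet4 entry, else None
    (Kea then logs "failed to select a subnet for incoming packet")."""
    for s in subnets:
        net = ipaddress.ip_network(s["subnet"])
        if giaddr:
            # Relayed packet: the relay address must fall inside the subnet
            # or be listed in the explicit "relay" selector.
            relays = s.get("relay", {}).get("ip-addresses", [])
            positive = ipaddress.ip_address(giaddr) in net or giaddr in relays
        else:
            positive = ipaddress.ip_address(iface_addr) in net
        if not positive:
            continue
        # Negative selector only: a class can drop a candidate, never add one.
        if "client-class" in s and s["client-class"] not in client_classes:
            continue
        return s["subnet"]
    return None


POOL = [{"pool": "10.10.10.200 - 10.10.10.219"}]

# 1. First attempt from the thread: subnet equals the pool's prefix, class only.
POOL_ONLY = [{"subnet": "10.10.10.0/24", "pools": POOL,
              "client-class": "VLAN_1010"}]
# 2. Workaround from the thread: a /8 covering both relay address and pool.
OVERLAP = [{"subnet": "10.0.0.0/8", "pools": POOL,
            "client-class": "VLAN_1010"}]
# 3. Positive relay selector plus the class filter ("ip-addresses" is the
#    list form accepted by later Kea releases).
WITH_RELAY = [{"subnet": "10.10.10.0/24", "pools": POOL,
               "relay": {"ip-addresses": ["10.2.87.10"]},
               "client-class": "VLAN_1010"}]

RELAY = "10.2.87.10"  # constructed switch address in the 10.2.87.0/24 range
```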

Re: [Kea-users] Configuring kea for relayed subnets *not* on its own interface's address

Bob Harold
In reply to this post by Jeff Kletsky

On Tue, Sep 12, 2017 at 9:33 PM, Jeff Kletsky <[hidden email]> wrote:
Setting the subnet parameter to correspond to the pool results in "failed to select a subnet for incoming packet"

The subnet parameter is mandatory, so I can't just use the client-class to select the pool

If I set it to 10.2.87.0/24 then kea won't start, complaining that the pool does not match the prefix of the subnet

I have not (yet) used kea, so I am just guessing based on experience with dhcpd.
But this message sounds like you need an empty subnet declared for the actual interface of the kea server, even if it is not serving DHCP on that subnet, so try adding (where a.b.c.d/e is the subnet the kea server is on):

    {
        "subnet": "a.b.c.d/e"
    }
 
In addition to the 10.2.87.0/24 subnet.

In the older dhcpd server, this is an unfortunate result of the assumption that the DHCP is serving DHCP on the subnet it is connected to.  I would have hoped that kea would have fixed that.  (Or can someone explain why it is needed?)

-- 
Bob Harold


Re: [Kea-users] Configuring kea for relayed subnets *not* on its own interface's address

Francis Dupont
> In the older dhcpd server, this is an unfortunate result of the assumption
> that the DHCP is serving DHCP on the subnet it is connected to.  I would
> have hoped that kea would have fixed that.  (Or can someone explain why it
> is needed?)

=> it is a bit worse: ISC DHCP has a loose notion of servicing interfaces
while Kea has a strong one. There is another difference about interfaces
from the one you described: in ISC DHCP the list of interfaces to
serve is in command line arguments, in Kea it is in the config file.
As a result when you translate ISC DHCP configs using the tool in
general you get this warning at the top of the generated kea config file:
  /// This configuration declares some subnets but has no interfaces-config
  /// Reference Kea #5256
Even if it is legal to have no interfaces-config clause in Kea it won't work,
and without any interface in the ISC DHCP config the tool can't infer the
interface list...

Regards

Francis Dupont <[hidden email]>

PS: in Jeff's case it is better to select subnets using relay addresses
than using the receiving interface because a priori relays serve
different physical subnets so should not share the same pool.

Re: [Kea-users] Configuring kea for relayed subnets *not* on its own interface's address

Jason Lixfeld

> On Sep 13, 2017, at 8:47 AM, Francis Dupont <[hidden email]> wrote:
>
> As a result when you translate ISC DHCP configs using the tool

Is there a translation tool to migrate ISC DHCP configs to Kea?

Re: [Kea-users] Configuring kea for relayed subnets *not* on its own interface's address

Francis Dupont
Jason Lixfeld writes:
> Is there a translation tool to migrate ISC DHCP configs to Kea?

=> we are working on one but I don't know how it will be made available
(e.g. assisted web-based service?).

Regards

Francis Dupont <[hidden email]>

Re: [Kea-users] Configuring kea for relayed subnets *not* on its own interface's address

Jeff Kletsky
In reply to this post by Francis Dupont
Thanks for the confirmation that "relay" is the intended way to approach
this.

I don't seem to be able to configure more than one relay *address* per
subnet though.  The ip-address string only seems to accept a single
address, not a CIDR or dashed range. If I try repeated relay
statements, I end up with "failed to select a subnet for incoming
packet" for all of the relays.

Is there a way to accept multiple relays for a given subnet declaration?


The notion of "positive" and "negative" selectors could use some
clarification in the documentation. Without being immersed in the code,
human-language versions of the clauses seem about the same:

* Client must arrive on an interface with an address in the subnet
* Client must belong to the given client-class


Thanks,

Jeff



On 9/13/17 12:52 AM, Francis Dupont wrote:
> A client-class in a subnet may be used only to refuse a subnet
> selection. In your case your config requires a positive selector, for
> instance a relay address (relayed messages) or an interface (direct
> connected clients).
>
> Regards
>
> Francis Dupont <[hidden email]>
>
> PS: there is a third possibility for unicasted messages where the subnet
> specification matches the client address, cf "How the DHCPv4 Server
> Selects a Subnet for the Client" in the manual.


Re: [Kea-users] Configuring kea for relayed subnets *not* on its own interface's address

itay cohen
In reply to this post by Jeff Kletsky
are you using "ip helper" to relay the dhcp requests ?

Re: [Kea-users] Configuring kea for relayed subnets *not* on its own interface's address

vicky risk
In reply to this post by Jason Lixfeld

> Is there a translation tool to migrate ISC DHCP configs to Kea?

Jason-

Francis has done some work to create a version of ISC DHCP that can parse an ISC DHCP configuration and save it as an equivalent Kea configuration. This is a moving target obviously, as we keep finding and plugging holes in the migration, differences between the products. 

Our current plan is to post it on a web page, so people can upload their configurations and get a translated version back - part of the idea is that this way, we would be able to find out what ISC DHCP features are missing or untranslatable to Kea.  However, we don’t have anyone who has the time to create this web service until after we get Kea 1.3 ready for release. Also - we think many current ISC DHCP configurations will require support for shared subnets, which is included in Kea 1.3, hence planning to launch this once we have 1.3.

If anyone on the list has suggestions for a better way to do this, I am interested!

Regards,

Vicky Risk
Product Manager






Re: [Kea-users] Configuring kea for relayed subnets *not* on its own interface's address

Jeff Kletsky
In reply to this post by itay cohen
On 9/13/17 8:47 AM, itay cohen wrote:
are you using "ip helper" to relay the dhcp requests ?


On Wed, Sep 13, 2017 at 4:33 AM, Jeff Kletsky wrote:
I've been able to get kea to run nicely as a DHCP server in "conventional" mode with an interface listening on every one of the VLANs that I need to serve.

I'm trying to configure it now so that it only responds to relayed DHCP through my Cisco SG300-series switches.

    "dhcp-socket-type": "udp"

is already set.
[...]

The Cisco SG300-series devices have a built-in DHCP relay that attaches the Option 82 information, encoding the VLAN and device port on which the request was made.
Each VLAN that needs DHCP service can then be enabled in the "interface vlan NNNN" configuration.
Using the "ip-helper" functionality, at least as I understand it, would lose the VLAN/attach-port information that is required to determine the proper subnet/pool/address for clients attached to the switch.

I'm intentionally *not* using broadcast to the DHCP server so that I can prevent opening any raw/promiscuous socket on a device that is potentially exposed to "unfriendly" devices (for example, WiFi connections and IoT devices).  Yes, I agree that the switch itself is subject to unfriendly traffic, but I consider it less vulnerable than a full-on *nix platform, assuming the SG300's firmware is kept up to date and that access to its management interfaces is appropriately limited.

As the dedicated management VLAN is distinct from the dedicated DHCP VLAN and there are multiple subnets involved for multiple, routing-isolated VLANs, each SG300 needs to be in L3 mode ("set system mode router") so that more than one IP address can be configured for the SG300. This mode potentially allows cross-VLAN traffic unless explicitly blocked with a series of "ip route <subnet> reject-route" statements.

The kea "relay" statement within a "subnet" block allows for one of the multiple relays to have that subnet checked for the matching VLAN-specific client class. As mentioned in an earlier message in this thread, that statement appears to only support a single IP address and cannot be repeated within a subnet to allow consideration by more than one relay.  This is a limitation as there are multiple SG300 units and attach-port information would be lost if all VLANs were trunked to a single relay.

It is possible in the SG300 to define the target DHCP server(s) by VLAN, at least through the CLI.  While it would mean maintaining an address alias on the interface of the box running kea for each VLAN served, this might be the path I take. 


Jeff
