
Network on DHCP Option 82: it's simple

This article describes how to build a network using the subscriber connection technology known as IPoE, with dynamic IP address assignment by DHCP based on option 82 (Relay Agent Information).

So our task is to build a network in which the user needs a minimum of actions to get authorized and online. You could describe it as: "plugged the cable into the computer, and it just worked."

As the billing system we will use the free (up to 200 subscribers) certified billing system ACP Felix2. As the DHCP server we will use the ISC DHCP server.

General scheme of operation






When the user switches on the computer, the operating system broadcasts a DHCP request for an IP address. The switch has DHCP Relay enabled with support for DHCP option 82 (Relay Agent Information), so it intercepts the user's DHCP request, inserts option 82 data into the packet (Agent Circuit ID, which carries the VLAN and port number the request came in on, and Agent Remote ID, which carries the switch's MAC address) and forwards the request to the DHCP server with the switch's own IP address in the giaddr field.

When the request arrives, the DHCP server issues an IP address according to its current configuration. The configuration maps each IP address it hands out to the IP address of the switch and the switch port to which the user is connected. The DHCP server configuration is generated by ACP Felix2 from the information in its database.

ACP Felix2 periodically collects from the DHCP server the MAC addresses of users who were issued IP addresses, together with the switch ports they were issued on. Using the switch IP address and port number, the system finds the user in the database and records that MAC address as belonging to that user.

ACP Felix2 also periodically retrieves the ARP table (the IP-MAC correspondence table) from the router; if an IP-MAC pair matches a user in the database, that user is considered authorized. As soon as the pair disappears (the user turns off the computer), the system moves the user to the unauthorized list, after first checking that the subscriber's equipment really is switched off. Note that the IP-MAC pair is not a secret: what actually ties a user to an address is the switch port carried in option 82, so the DHCP server must only act on option 82 inserted by the switch itself.
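As an added illustration (not code from the article or from ACP Felix2), here is a small Python implementation of the authorization check described above, run against a constructed `ip neigh show` dump of the kind arp_fetcher would retrieve from a Linux software router. The user database, logins, addresses and MACs are all invented. It also covers the point the article makes about confirming that the equipment is really off before deauthorizing: only a REACHABLE entry counts as present, a STALE entry is sent for a re-check, and a REACHABLE entry answering with an unexpected MAC is flagged rather than authorized.

```python
import re

# Constructed sample of the billing database: login -> (assigned IP, MAC learned
# from the DHCP leases on that switch port). None = no lease seen yet.
USERS = {
    "ivanov":    ("10.1.1.2", "00:1e:58:aa:bb:01"),
    "petrov":    ("10.1.1.3", "00:1e:58:aa:bb:02"),
    "sidorov":   ("10.1.1.4", None),
    "kuznetsov": ("10.1.1.5", "00:1e:58:aa:bb:05"),
}

# Constructed sample output of `ip neigh show` on the Linux router
# (what arp_fetcher with interface="Linux" would fetch over SSH).
IP_NEIGH_SAMPLE = """\
10.1.1.2 dev eth0 lladdr 00:1E:58:AA:BB:01 REACHABLE
10.1.1.3 dev eth0 lladdr 00:1e:58:aa:bb:99 REACHABLE
10.1.1.4 dev eth0 lladdr 00:1e:58:aa:bb:03 STALE
10.1.1.253 dev eth0 lladdr 00:1e:58:cc:dd:ee REACHABLE
10.1.1.7 dev eth0 FAILED
"""

# One `ip neigh` line: address, optional "dev X", optional "lladdr MAC", state.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)(?:\s+dev\s+\S+)?"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?\s+(?P<state>[A-Z]+)$"
)


def parse_ip_neigh(text):
    """Return {ip: (mac lowercased or None, state)} from `ip neigh` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # skip anything we do not recognise rather than guess
        mac = m.group("mac")
        table[m.group("ip")] = (mac.lower() if mac else None, m.group("state"))
    return table


def classify(users, neigh):
    """Decide each user's state from the router's ARP table.

    authorized   - REACHABLE entry whose MAC matches the one learned via DHCP
    recheck      - entry exists but is STALE/DELAY/PROBE: probe before deauthorizing
    mac_mismatch - the IP answers with a MAC that is not the subscriber's
    pending      - IP is live but no DHCP lease (MAC) has been recorded yet
    offline      - no usable entry for the IP
    """
    result = {}
    for login, (ip, mac_db) in users.items():
        mac_seen, state = neigh.get(ip, (None, "NONE"))
        if mac_seen is None or state in ("FAILED", "INCOMPLETE"):
            result[login] = "offline"
        elif mac_db is None:
            result[login] = "pending"
        elif mac_seen != mac_db.lower():
            result[login] = "mac_mismatch"
        elif state == "REACHABLE":
            result[login] = "authorized"
        else:
            result[login] = "recheck"
    return result


if __name__ == "__main__":
    for login, status in classify(USERS, parse_ip_neigh(IP_NEIGH_SAMPLE)).items():
        print(f"{login:10} {status}")
```

MACs are compared case-insensitively because D-Link and Linux print them differently; a "mac_mismatch" result is the case worth alerting on, since it means a different host is using a subscriber's address.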




Practical implementation


First we need a computer with two network cards and any switch that supports DHCP Relay with option 82. We will build the first (test) network according to the following scheme:



In this scheme, the server running ACP Felix2 additionally acts as the router.




Installation


Download ACP Felix2 (felix2.ru/download) and install it on the server using any of the methods described in the documentation.
In this article we use the "ACP Felix2 Installation Disk". Detailed installation instructions are at felix2.ru/documentation.
After installation, log in as root with the password specified during installation.
After installation, the eth0 network interface is configured for the internal network:

IP address: 10.1.1.1
Netmask: 255.255.255.0


The eth1 interface needs to be configured towards the upstream ISP:

 ifconfig eth1 1.1.1.2 netmask 255.255.255.0
 route add default gw 1.1.1.1


Here 1.1.1.2 is the IP address issued to us by the upstream Internet service provider and 1.1.1.1 is the provider's gateway.
So that the network configuration survives a reboot, it must be described in /etc/network/interfaces.

Install the ISC DHCP server:

 apt-get update
 apt-get install isc-dhcp-server


Immediately after installation the DHCP server will not start, since it is not yet configured:

 root@felix2:~# cat /var/log/syslog | grep dhcp | tail -n 10
 May 8 21:48:33 felix2 dhcpd:
 May 8 21:48:33 felix2 dhcpd:
 May 8 21:48:33 felix2 dhcpd: No subnet declaration for eth0 (10.1.1.1).
 May 8 21:48:33 felix2 dhcpd: ** Ignoring requests on eth0. If this is not what
 May 8 21:48:33 felix2 dhcpd: you want, please write a subnet declaration
 May 8 21:48:33 felix2 dhcpd: in your dhcpd.conf file for the network segment
 May 8 21:48:33 felix2 dhcpd: to which interface eth0 is attached. **
 May 8 21:48:33 felix2 dhcpd:
 May 8 21:48:33 felix2 dhcpd:
 May 8 21:48:33 felix2 dhcpd: Not configured to listen on any interfaces!






Configuration


The ISC DHCP server configuration template (dhcp_opt82_ip-port.conf) and all other necessary configuration files can be downloaded from:
ftp://download.felix2.ru/config.examples/felix2_dhcp_opt82.tar.gz

Download, unpack and replace the configuration files:

 wget ftp://download.felix2.ru/config.examples/felix2_dhcp_opt82.tar.gz
 tar -xf felix2_dhcp_opt82.tar.gz -C /etc/felix2/


Restart ACP Felix2:

 /etc/init.d/felix2 restart 






Creating equipment and test user in ACP Felix2


Log in to the web admin interface. You can use the test machine for this, temporarily giving it a static IP address (for example, 10.1.1.10/24). The web admin interface is available over HTTPS on port 444. Default login/password: su / su; change it right after the first login.



So that the additional fields appear in the interface, indicate in the interface settings (Configuration -> Interface settings) that the DHCP-Opt82 address assignment scheme is used:



Now add our switch to the equipment database (Equipment -> New equipment):
Status: Installed, IP address: 10.1.1.253, Model: DES-3200-28, then click "Add".



Create a new user (Users -> New user). Select the connection address. The system will automatically suggest the subnet used in that building and select the first free IP address.

Select the equipment the user will be connected to. The system offers a choice from the list of equipment installed in that building.

Specify that the user is connected to the first port of the switch. Tick the "Connection completed" flag and click "Add".



After that, top up the account (Account replenishment -> New replenishment) and activate the tariff plan (Payments -> Payment for tariff plan). The user's current status can be viewed in Users -> Personal statistics.

Check that the DHCP server configuration file has been updated:

 cat /etc/dhcp/dhcpd.conf 


Check that the DHCP server is running:

 ps ax | grep dhcpd 






Switch Setup


Now the switch needs to be configured. If the switch is out of the box, the manual specifies its default IP address. If the equipment is second-hand and its IP address, login and password are unknown, reset the configuration over the console connection.

In this article we use an out-of-the-box DES-3200-28.

Give the test machine a static IP address (for example, 10.90.90.1/8) and connect to the switch via telnet (the session is unencrypted, so do this only on the isolated test segment):



Enable and configure DHCP Relay:

 enable dhcp_relay
 config dhcp_relay hops 16 time 0
 config dhcp_relay option_82 state enable
 config dhcp_relay option_82 check disable
 config dhcp_relay option_82 policy replace
 config dhcp_relay option_82 remote_id default
 config dhcp_relay add ipif System 10.1.1.1


Now the switch will intercept DHCP requests, add the authentication information (option 82) and send them to the DHCP server (10.1.1.1). With option 82 checking disabled and the policy set to replace, a client packet that already carries option 82 is not dropped, but its option 82 is overwritten with the switch's own data, so a subscriber cannot forge the port information.
Set the default route and the new IP address of the switch:

 create iproute default 10.1.1.1
 config ipif System vlan default ipaddress 10.1.1.253/24 state enable


After the last command (the IP address change) the connection drops. Give the test machine a static IP address (for example, 10.1.1.10/24), connect to the switch at its new address and save the configuration:

 save 


Enable obtaining network settings via DHCP on the test computer.
Connect the test computer to the first port of the switch. Check that the DHCP relay packets from the switch reach the server and that the client receives an IP address:

 tail -n 1000 /var/log/syslog | grep dhcpd




Check that the user's data is displayed correctly in the ACP Felix2 interface.







Real network diagram


The network scheme considered above was a test one (you cannot connect many users to a single switch). Below is an example of a real network scheme (no more than about 600 subscribers). The uplink from the backbone provider comes into the optical port of the switch. This port must be placed in one VLAN with the port to which the eth1 network card of the ACP Felix2 server is connected.

For example, to put ports 1 and 24 in VLAN 1000:

 create vlan v1000 tag 1000
 config vlan v1000 add untagged 1,24




As the network grows, it is also advisable to put each building into its own VLAN.





Network Map with Dedicated Router


As intranet (local) traffic grows, the link between the switch and the ACP Felix2 server, which also acts as the router, becomes a bottleneck. To avoid this, install a dedicated router.

You also need to tell ACP Felix2 to fetch the ARP table from the external router. Edit the /etc/felix2/felix2.xml file:

 <arp_fetcher>
     <connection name="DGS-3627G" address="10.1.1.1" port="22"
         protocol="ssh" login="admin" passwd="12345" interface="DLINK" />
 </arp_fetcher>


The arp_fetcher module can retrieve the ARP table from Cisco equipment (interface="CISCO"), D-Link (interface="DLINK") or a Linux-based software router (interface="Linux"). The router credentials are stored in this file in plaintext, so use a dedicated account on the router for this purpose and restrict the file's permissions.








At the request of Habr readers, an example of a system-generated ISC DHCP server configuration file has been added.
In this example, users connected to ports 1-3 of the switch with address 10.1.1.253 are issued addresses 10.1.1.2-10.1.1.4 respectively.




 #
 # Automatically generated configuration file
 # Filename: dhcpd.conf (/etc/dhcp/dhcpd.conf)
 # Generator: Felix2
 # Creation Date: 15.05.2012 11:31:36
 #

 #
 # option definitions common to all supported networks...
 #
 authoritative;
 default-lease-time 86400;
 max-lease-time 86400;
 ddns-update-style none;
 log-facility local7;

 # Decode option 82 for logging. packet(24, 4) is the giaddr field, i.e. the
 # relay agent (switch) address; the remote-id carries the switch MAC after a
 # 2-byte type/length prefix, the circuit-id carries VLAN (bytes 2-3) and port (byte 5).
 if exists agent.remote-id and exists agent.circuit-id {
     if binary-to-ascii(16, 8, "", substring(option agent.remote-id, 2, 1)) = "0" {
         set switch-mac = concat("0", binary-to-ascii(16, 8, "", substring(option agent.remote-id, 2, 1)), ":",
                                 binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 3, 6)));
     } else {
         set switch-mac = binary-to-ascii(16, 8, ":", substring(option agent.remote-id, 2, 6));
     }
     set switch-addr = binary-to-ascii(10, 8, ".", packet(24, 4));
     set switch-port = binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 5, 1));
     set switch-port-vlan = binary-to-ascii(10, 8, "", substring(option agent.circuit-id, 2, 2));
     log(info, concat("- Lease: ", binary-to-ascii(10, 8, ".", leased-address),
                      " via IP: ", switch-addr, " (MAC: ", switch-mac, ") on port: ", switch-port,
                      " in VLAN: ", switch-port-vlan));
 }

 #
 # subnets
 #
 subnet 10.1.1.0 netmask 255.255.255.0 {
     option routers 10.1.1.1;
     option domain-name-servers 10.1.1.1;

     # One class per (switch, port): match giaddr and the last byte of the circuit-id (port),
     # then a single-address pool that only members of that class may use.
     class "1:1" { match if binary-to-ascii(10, 8, ".", packet(24, 4)) = "10.1.1.253" and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "1"; }
     pool { range 10.1.1.2; allow members of "1:1"; }

     class "1:2" { match if binary-to-ascii(10, 8, ".", packet(24, 4)) = "10.1.1.253" and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "2"; }
     pool { range 10.1.1.3; allow members of "1:2"; }

     class "1:3" { match if binary-to-ascii(10, 8, ".", packet(24, 4)) = "10.1.1.253" and binary-to-ascii(10, 8, "", suffix(option agent.circuit-id, 1)) = "3"; }
     pool { range 10.1.1.4; allow members of "1:3"; }
 }
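To make the byte offsets in the generated configuration above concrete, and to show the relay exchange described in the general scheme of operation, here is an added Python example (not code from the article or from ACP Felix2). It builds a DHCPDISCOVER as the relay agent would forward it, then extracts exactly what the dhcpd.conf expressions compute: giaddr via `packet(24, 4)`, the VLAN and port from the circuit-id, the switch MAC from the remote-id, and finally the address the `class`/`pool` pairs would select for (switch, port). The option 82 sub-option layout (circuit-id = 00 04 VLAN module port, remote-id = 00 06 MAC) is assumed from the offsets in the generated config; the switch MAC, client MAC, xid and port table are invented fixtures.

```python
import struct
import ipaddress

# Constructed fixture: relay agent 10.1.1.253 (the DES-3200-28) with an invented MAC.
SWITCH_IP = "10.1.1.253"
SWITCH_MAC = bytes.fromhex("000a1b2c3d4e")

# (giaddr, port) -> address: the same mapping the generated classes "1:1".."1:3" encode.
PORT_TABLE = {
    (SWITCH_IP, 1): "10.1.1.2",
    (SWITCH_IP, 2): "10.1.1.3",
    (SWITCH_IP, 3): "10.1.1.4",
}

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_relayed_discover(client_mac, giaddr, vlan, module, port, switch_mac):
    """Build a DHCPDISCOVER as the switch forwards it to the server.

    Assumed D-Link option 82 encoding (matches the substring offsets in dhcpd.conf):
      circuit-id (sub-option 1) = 00 04 <vlan:2> <module:1> <port:1>
      remote-id  (sub-option 2) = 00 06 <switch MAC:6>
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1,                      # BOOTREQUEST, Ethernet, hlen 6, hops 1 (one relay)
        0x3903F326, 0, 0x8000,           # xid (invented), secs, flags: broadcast
        b"\0" * 4, b"\0" * 4, b"\0" * 4, # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,  # giaddr: bytes 24..27 of the packet
        client_mac, b"", b"")            # chaddr (zero padded), sname, file
    circuit_id = bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote_id = bytes([0, 6]) + switch_mac
    opt82 = (bytes([1, len(circuit_id)]) + circuit_id +
             bytes([2, len(remote_id)]) + remote_id)
    options = (MAGIC_COOKIE +
               bytes([53, 1, 1]) +                 # DHCP message type: DISCOVER
               bytes([82, len(opt82)]) + opt82 +   # Relay Agent Information
               b"\xff")                            # end
    return header + options


def parse_options(packet):
    """Return {code: value} for the options that follow the 236-byte BOOTP header."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:        # end option
            break
        if code == 0:          # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_option82(data):
    """Split Relay Agent Information into {sub-option: value} (1 = circuit-id, 2 = remote-id)."""
    subs, i = {}, 0
    while i + 2 <= len(data):
        sub, length = data[i], data[i + 1]
        subs[sub] = data[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def decode_relay_info(packet):
    """Extract what the dhcpd.conf computes: switch IP (giaddr), switch MAC, VLAN and port."""
    giaddr = str(ipaddress.IPv4Address(packet[24:28]))        # packet(24, 4)
    subs = parse_option82(parse_options(packet)[82])
    circuit_id, remote_id = subs[1], subs[2]
    vlan = struct.unpack("!H", circuit_id[2:4])[0]            # substring(circuit-id, 2, 2)
    port = circuit_id[5]                                      # substring(circuit-id, 5, 1)
    # substring(remote-id, 2, 6). Unlike binary-to-ascii(16, 8, ":", ...), which drops
    # leading zeros (0x0a -> "a"), this keeps every octet two digits wide.
    mac = ":".join(f"{b:02x}" for b in remote_id[2:8])
    return {"giaddr": giaddr, "switch_mac": mac, "vlan": vlan, "port": port}


def assign_address(packet):
    """Select the lease the way the generated classes do: by (giaddr, port); None = no pool matches."""
    info = decode_relay_info(packet)
    return PORT_TABLE.get((info["giaddr"], info["port"]))


if __name__ == "__main__":
    pkt = build_relayed_discover(bytes.fromhex("001e58aabb01"), SWITCH_IP, 1, 1, 1, SWITCH_MAC)
    print(decode_relay_info(pkt), "->", assign_address(pkt))
```

Two things worth noticing when running it: the client MAC plays no part in the address decision, only the relay's giaddr and the port byte do, which is exactly why the switch must replace any option 82 a client supplies; and a request relayed by an unknown switch or from an unlisted port gets no address at all, which is the intended fail-closed behaviour of the generated pools.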

Source: https://habr.com/ru/post/143846/

