
Two DHCP servers on Centos7 with failover, dhcp-relay and dynamic zone update

Greetings to all Habr users. This is my first attempt at writing an article on Habr, so any constructive criticism is welcome. I decided to write it only because I recently faced a task for which I could not find a ready-made solution.

The essence of the task is that a large organization needed a fault-tolerant DHCP server, working with dhcp-relay, with a quick way to keep the configuration of both servers in sync. The main point is that most of the manuals I found cover either the failover option or dhcp-relay, and nowhere are both covered together, let alone with a convenient way of synchronizing the configuration. Perhaps my article will help someone a little.

The situation is as follows: a large enterprise, a network of more than 1000 computers, a single VLAN, 2 domain controllers, and no DHCP in the network at all (!). The previous admins could only manage that much, but that is a separate story and not one for Habr.

It was clear that the first task was to upgrade the network: segment it into VLANs and implement DHCP. When analyzing the task, the following requirements were developed:

I will not describe the long deliberations and the reading of various articles and manuals; here is the final working solution:


Network layout:

[network diagram, not reproduced here]

We have:


Since some of the steps are quite trivial and have been described on the Internet more than once, I will not go into them in detail.

  1. To begin with, create reverse zones for all VLANs in Windows DNS and allow nonsecure dynamic updates for those zones.

  2. Install minimal CentOS 7 on the virtual machines and install the dhcp package.

  3. Configure DHCP relay on the managed switch interfaces, so that the switch inserts the string “VLAN10” (and so on for each VLAN) as the circuit-id in option 82.

  4. Edit /etc/dhcp/dhcpd.conf:

    # DHCP Server Configuration file.
    # see /usr/share/doc/dhcp*/dhcpd.conf.example
    # see dhcpd.conf(5) man page
    #
    # Dynamic DNS updates; the reverse zones themselves are declared in the per-VLAN files
    ddns-update-style interim;
    ddns-domainname "corp.example.ru";
    # Register DNS records for static (fixed-address) hosts as well, not only for dynamic leases
    update-static-leases on;
    # Address this server listens on and sends DNS updates from
    local-address 10.1.2.4;

    # Log every request that arrived through a DHCP relay (option 82 is present)
    if exists agent.circuit-id {
        log (info, concat(
            "Accepted DHCP RELAY request for ", binary-to-ascii(10, 8, ".", leased-address),
            " Network segment: ", option agent.circuit-id,
            " DHCP Agent: ", option agent.remote-id));
    }

    # this DHCP server to be declared valid
    authoritative;

    # Failover pair; this host is the primary
    failover peer "dhcp-failover" {
        primary;
        address 10.1.2.4;          # this server
        port 519;                  # local failover port
        peer address 10.1.2.14;    # the second DHCP server
        peer port 520;             # failover port of the second DHCP server
        max-response-delay 30;
        max-unacked-updates 10;
        load balance max seconds 3;
        mclt 1800;
        split 128;
        # Go into partner-down state automatically once the peer has been
        # unreachable for this many seconds, so the surviving server can hand
        # out the whole pool without manual intervention (thanks to @baf28)
        auto-partner-down 86400;
    }

    # Options common to all segments
    option domain-name "corp.example.ru";
    # DNS servers (the Windows domain controllers)
    option domain-name-servers 10.1.2.2, 10.1.2.3;
    # DNS search list: a comma-separated list of quoted names
    option domain-search "example.lan", "corp.example.ru";
    # Lease times
    default-lease-time 604800;  # 7 days
    max-lease-time 2419200;     # 4 weeks
    # default netmask /24
    option subnet-mask 255.255.255.0;
    # Servers VLAN: the DHCP servers live here, no addresses are handed out
    subnet 10.1.2.0 netmask 255.255.255.0 {
    }
    # One configuration file per VLAN
    include "/etc/dhcp/dhcpd.d/vlan10.conf";
    include "/etc/dhcp/dhcpd.d/vlan11.conf";
    include "/etc/dhcp/dhcpd.d/vlan20.conf";
    include "/etc/dhcp/dhcpd.d/vlan21.conf";

  5. Now add a configuration file for each VLAN (using /etc/dhcp/dhcpd.d/vlan10.conf as the example):

     # Reverse zone of this VLAN; dynamic updates are sent to the Windows DNS servers
     zone 10.1.10.in-addr.arpa. {
         primary 10.1.2.2;
         secondary 10.1.2.3;
     }
     # Class matching the circuit-id inserted by the switch's DHCP relay (option 82)
     class "VLAN10" {
         match if option agent.circuit-id = "VLAN10";
     }
     # Subnet of this VLAN
     subnet 10.1.10.0 netmask 255.255.255.0 {
         option routers 10.1.10.1;
         pool {
             # The dynamic pool is shared by both servers through failover
             failover peer "dhcp-failover";
             # Dynamic range; it must lie inside the subnet declared above
             range 10.1.10.51 10.1.10.254;
             # Only clients relayed from this VLAN may get an address from this pool
             allow members of "VLAN10";
         }
         # === Static hosts
         # Admin
         host admin {
             hardware ethernet 01:23:45:67:89:ab;
             fixed-address 10.1.10.20;
         }
         # Admin's printer (host names must be unique within the configuration)
         host admin-printer {
             hardware ethernet cd:ef:01:23:45:67;
             fixed-address 10.1.10.21;
         }
         # Static bindings are appended by a script; keep the marker line below in place
         # Insert automatic text above this
     }

  6. For the second DHCP server create the same configs; only the failover block in the main file differs:

     # Failover pair; this host is the secondary
     failover peer "dhcp-failover" {
         secondary;
         address 10.1.2.14;         # this server
         port 520;                  # local failover port
         peer address 10.1.2.4;     # the first DHCP server
         peer port 519;             # failover port of the first DHCP server
         max-response-delay 30;
         max-unacked-updates 10;
         load balance max seconds 3;
         # mclt and split are set on the primary only
         # Go into partner-down state automatically once the peer has been
         # unreachable for this many seconds (thanks to @baf28)
         auto-partner-down 86400;
     }

We now have 2 DHCP servers: if one of them goes down, the other takes over its function, while both respond to requests from the DHCP relay agent and, based on the string in DHCP option 82 circuit-id (in our case the VLAN name), give each segment its own range.
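Because the per-VLAN fragments are edited by hand and then copied to the peer, a mistake in one of them (a range that does not lie inside its subnet, a class whose circuit-id does not match the VLAN the file is for, two static hosts sharing a MAC or an address, a fixed address that sits inside the dynamic pool) stops dhcpd on both servers at the next restart. The checker below is an added example, not a script from the article; it assumes the fragment layout shown above (one zone, one class, one subnet with a failover pool and static hosts per file) and uses plain regular expressions rather than a full dhcpd.conf parser. The two sample fragments are constructed for the example.

```python
"""Sanity-check per-VLAN dhcpd fragments before they are synchronized.

Added example (not the article's code). Assumes one subnet per vlanNN.conf
and that the file's VLAN name (vlan10 -> VLAN10) is the circuit-id class name.
"""
import ipaddress
import re
import sys
from pathlib import Path

RE_SUBNET = re.compile(r'subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{')
RE_RANGE = re.compile(r'range\s+(\S+)\s+(\S+)\s*;')
RE_CLASS = re.compile(r'class\s+"([^"]+)"\s*\{\s*match if option agent\.circuit-id\s*=\s*"([^"]+)"')
# A host block has no nested braces, so [^}]* safely stays inside it
RE_HOST = re.compile(r'host\s+(\S+)\s*\{[^}]*hardware ethernet\s+([0-9a-fA-F:]+)\s*;'
                     r'[^}]*fixed-address\s+(\S+)\s*;')


def check_fragment(text, vlan_name):
    """Return a list of problems found in one VLAN fragment (empty list = OK)."""
    problems = []
    m = RE_SUBNET.search(text)
    if not m:
        return ['no subnet declaration found']
    net = ipaddress.ip_network('%s/%s' % (m.group(1), m.group(2)), strict=False)

    ranges = []
    for lo, hi in RE_RANGE.findall(text):
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a not in net or hi_a not in net:
            problems.append('range %s %s is not inside %s' % (lo, hi, net))
        elif lo_a > hi_a:
            problems.append('range %s %s is reversed' % (lo, hi))
        else:
            ranges.append((lo_a, hi_a))

    for cls, cid in RE_CLASS.findall(text):
        if cls != vlan_name or cid != vlan_name:
            problems.append('class "%s" matches circuit-id "%s", expected "%s"' % (cls, cid, vlan_name))

    seen_name, seen_mac, seen_ip = set(), {}, {}
    for name, mac, ip in RE_HOST.findall(text):
        mac = mac.lower()
        addr = ipaddress.ip_address(ip)
        if name in seen_name:
            problems.append('host %s is declared twice' % name)
        if mac in seen_mac:
            problems.append('host %s: MAC %s already used by host %s' % (name, mac, seen_mac[mac]))
        if addr in seen_ip:
            problems.append('host %s: address %s already used by host %s' % (name, ip, seen_ip[addr]))
        if addr not in net:
            problems.append('host %s: fixed-address %s is not inside %s' % (name, ip, net))
        if any(lo <= addr <= hi for lo, hi in ranges):
            problems.append('host %s: fixed-address %s lies inside the dynamic range' % (name, ip))
        seen_name.add(name)
        seen_mac.setdefault(mac, name)
        seen_ip.setdefault(addr, name)
    return problems


def check_directory(conf_dir):
    """Check every vlanNN.conf in conf_dir; returns {file name: [problems]}."""
    result = {}
    for path in sorted(Path(conf_dir).glob('vlan*.conf')):
        if re.fullmatch(r'vlan\d+\.conf', path.name):
            result[path.name] = check_fragment(path.read_text(), path.stem.upper())
    return result


# Constructed samples: a clean fragment and one with four typical editing mistakes
SAMPLE_OK = '''
zone 10.1.10.in-addr.arpa. { primary 10.1.2.2; secondary 10.1.2.3; }
class "VLAN10" { match if option agent.circuit-id = "VLAN10"; }
subnet 10.1.10.0 netmask 255.255.255.0 {
  option routers 10.1.10.1;
  pool { failover peer "dhcp-failover"; range 10.1.10.51 10.1.10.254; allow members of "VLAN10"; }
  host admin { hardware ethernet 01:23:45:67:89:ab; fixed-address 10.1.10.20; }
  host admin-printer { hardware ethernet cd:ef:01:23:45:67; fixed-address 10.1.10.21; }
}
'''
SAMPLE_BAD = '''
class "VLAN10" { match if option agent.circuit-id = "VLAN11"; }
subnet 10.1.10.0 netmask 255.255.255.0 {
  pool { failover peer "dhcp-failover"; range 10.1.10.51 10.2.56.254; }
  host admin { hardware ethernet 01:23:45:67:89:ab; fixed-address 10.1.10.20; }
  host admin { hardware ethernet 01:23:45:67:89:AB; fixed-address 10.1.10.21; }
}
'''

if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else None
    findings = check_directory(target) if target else {'sample-bad': check_fragment(SAMPLE_BAD, 'VLAN10')}
    for fname, probs in findings.items():
        for p in probs:
            print('%s: %s' % (fname, p))
    sys.exit(1 if any(findings.values()) else 0)
```

Run it as `python3 check_vlans.py /etc/dhcp/dhcpd.d` before the fragments are copied to the peer; a non-zero exit stops the sync. It complements rather than replaces `dhcpd -t -cf /etc/dhcp/dhcpd.conf`, which checks syntax and the range-versus-subnet rule but does not notice a class pointing at the wrong VLAN or a static address that collides with the dynamic pool.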

To replicate the servers, it is enough to write a script that synchronizes the files in the /etc/dhcp/dhcpd.d/ directory and restarts the DHCP daemon afterwards. I will not include the script itself, because its code is a very "crutchy" one, written on my knee and in a hurry. The configs can be synchronized with a utility such as csync2 or rsync.

A separate script was also written for adding static bindings, which I am ashamed to show here for the same reasons. Anyone can play with this themselves, or add static bindings by hand.

The only "but": when adding a new VLAN, the main configuration file /etc/dhcp/dhcpd.conf has to be maintained by hand, since I could not make include work for a whole directory, only for specific files.

Perhaps this can be worked around with a double include: the main file includes an auxiliary file, and the auxiliary file includes the specific VLAN files; then the auxiliary file is synchronized along with the rest. But I did not bother.

I repeat once again: most of the information I have described is available on the Internet in abundance, but nowhere have I found how to combine failover and dhcp-relay and make the result convenient to synchronize. I look forward to your comments and suggestions.
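The double-include idea can be carried through in the sync script itself, so that adding a VLAN means dropping a new vlanNN.conf into the directory and running the script. The following is an added example, not the article's script: the auxiliary file name includes.conf, the peer host name, the use of rsync over ssh and of `dhcpd -t` for validation are all assumptions. With it, the four include lines in dhcpd.conf are replaced by the single line `include "/etc/dhcp/dhcpd.d/includes.conf";` on both servers. The script regenerates the auxiliary file from the directory contents, proves that the local configuration parses, copies the directory to the peer, has the peer validate its copy, and only then restarts the two daemons one after the other, so the failover pair is never down at the same time and a broken fragment never reaches a running server.

```python
"""Regenerate the VLAN include list and push /etc/dhcp/dhcpd.d to the peer.

Added example, not the article's script. Assumed names: includes.conf as the
auxiliary file, dhcp2.corp.example.ru as the peer, passwordless ssh to it.
"""
import re
import subprocess
import sys
from pathlib import Path

CONF_DIR = Path('/etc/dhcp/dhcpd.d')
AUX_FILE = CONF_DIR / 'includes.conf'   # assumed; the only file dhcpd.conf includes
MAIN_CONF = '/etc/dhcp/dhcpd.conf'
PEER = 'dhcp2.corp.example.ru'          # assumed host name of the second server
HEADER = '# generated from the vlanNN.conf files in this directory, do not edit by hand'


def include_lines(conf_dir, names):
    """Turn a list of file names into the auxiliary include file's content.

    Only files named vlanNN.conf are included, in sorted order, so both
    servers get a byte-identical file and editor backups or the auxiliary
    file itself are never pulled in.
    """
    wanted = sorted(n for n in names if re.fullmatch(r'vlan\d+\.conf', n))
    lines = [HEADER] + ['include "%s/%s";' % (conf_dir, n) for n in wanted]
    return '\n'.join(lines) + '\n'


def render_includes(conf_dir):
    """Scan conf_dir and build the auxiliary include file's content."""
    return include_lines(str(conf_dir), [p.name for p in Path(conf_dir).iterdir()])


def run(cmd):
    """Run a command; a non-zero exit raises CalledProcessError and aborts the sync."""
    return subprocess.run(cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)


def sync_and_restart():
    # 1. regenerate the include list locally and prove the whole config parses
    AUX_FILE.write_text(render_includes(CONF_DIR))
    run(['dhcpd', '-t', '-cf', MAIN_CONF])
    # 2. copy the fragment directory to the peer; --delete removes dropped VLANs there too
    run(['rsync', '-a', '--delete', '%s/' % CONF_DIR, '%s:%s/' % (PEER, CONF_DIR)])
    # 3. the peer validates its own copy before anything is restarted
    run(['ssh', PEER, 'dhcpd', '-t', '-cf', MAIN_CONF])
    # 4. restart one server at a time so the failover pair is never down together
    run(['ssh', PEER, 'systemctl', 'restart', 'dhcpd'])
    run(['systemctl', 'restart', 'dhcpd'])


if __name__ == '__main__':
    try:
        sync_and_restart()
    except subprocess.CalledProcessError as e:
        sys.stderr.write('sync aborted at %r:\n%s' % (e.cmd, e.stderr.decode(errors='replace')))
        sys.exit(1)
```

Run the script from one server only, after editing fragments there; running it from both sides would let the two copies overwrite each other. Since the failover link in this configuration is plain TCP between 10.1.2.4:519 and 10.1.2.14:520 with no authentication of its own, the host firewall on each server should accept those ports only from the peer's address, and the ssh access the script relies on should be restricted to the same pair of hosts.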

Source: https://habr.com/ru/post/323984/


All Articles