
IP unnumbered on Debian, or handing out addresses sparingly

When we received a block of IP addresses for a new technical site in Warsaw, the question naturally arose of how to use them more economically: there are never enough addresses, even for a freshly minted LIR.

When designing a network in a new place like new buns:


In theory, all of this is solved with ordinary VLANs. However, there is the problem of wasted addresses: it is a pity to give a /30 network to a client who ordered a server with one address and lose three addresses for nothing. Addresses are wasted in the opposite situation too: the client needs 6 available addresses, a /29 network no longer fits, and we have to issue a /28 network and lose 7 addresses.
This is where IP unnumbered comes to the rescue. With it, you can give a client exactly as many addresses as ordered, whether that is one, 6, or 99. This has already been written about on Habr; however, that article is quite old and did not suit us as-is: with that configuration, isc-dhcpd does not listen on the client interfaces. We also wanted network boot.

So, as input we have:


First, create a technical VLAN that will hold the large network. Add to /etc/network/interfaces:

# Base interface for IP Unnumbered
auto eth1.3000
iface eth1.3000 inet static
address 99.111.222.129
netmask 255.255.255.128


And bring the interface up:

ifup eth1.3000

The address 99.111.222.129 will act as the gateway for client machines, whose network settings should contain nothing exotic: the client's administrator should not have to delve into the nuances of how our network is built.

Next, add the client interfaces to /etc/network/interfaces:

# 1
auto eth1.3111
iface eth1.3111 inet static
address 10.31.11.1
netmask 255.255.255.0
up ip ro add 99.111.222.130 dev eth1.3111 src 99.111.222.129
down ip ro del 99.111.222.130 dev eth1.3111 src 99.111.222.129

# 2
auto eth1.3112
iface eth1.3112 inet static
address 10.31.12.1
netmask 255.255.255.0
up ip ro add 99.111.222.131 dev eth1.3112 src 99.111.222.129
up ip ro add 99.111.222.132 dev eth1.3112 src 99.111.222.129
down ip ro del 99.111.222.131 dev eth1.3112 src 99.111.222.129
down ip ro del 99.111.222.132 dev eth1.3112 src 99.111.222.129

# 3
auto eth1.3113
iface eth1.3113 inet static
address 10.31.13.1
netmask 255.255.255.0
up ip ro add 99.111.222.133 dev eth1.3113 src 99.111.222.129
up ip ro add 99.111.222.134 dev eth1.3113 src 99.111.222.129
up ip ro add 99.111.222.135 dev eth1.3113 src 99.111.222.129
down ip ro del 99.111.222.133 dev eth1.3113 src 99.111.222.129
down ip ro del 99.111.222.134 dev eth1.3113 src 99.111.222.129
down ip ro del 99.111.222.135 dev eth1.3113 src 99.111.222.129


And bring them up:

ifup eth1.3111
ifup eth1.3112
ifup eth1.3113


Addresses like 10.31.11.1 on the interfaces serve one purpose: to make the DHCP daemon listen on these interfaces. They do not appear anywhere else, and the client does not know about them.

To enable isc-dhcpd to work on client interfaces, add to /etc/dhcp/dhcpd.conf:

subnet 10.31.11.0 netmask 255.255.255.0 {}
subnet 10.31.12.0 netmask 255.255.255.0 {}
subnet 10.31.13.0 netmask 255.255.255.0 {}


Also, so as not to edit it every time a client is added, comment out the following option in /etc/default/isc-dhcp-server:

#INTERFACES=...

Setting up network boot is described in many sources, so we omit it here. What matters to us is that the DHCP daemon itself listens on these interfaces; without this, nothing will boot.
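The client stanzas and the matching dhcpd.conf subnet lines follow a fixed pattern, so they can be generated from an allocation plan and checked before anything is applied. The sketch below is an added example, not part of the original article: it refuses a plan in which an address falls outside the base network, collides with the gateway, or is routed to two client VLANs at once (which would deliver one client's traffic to another). The function names, the plan format and the rule that maps a VLAN number to its 10.x.y.0/24 service network are assumptions made for illustration.

```python
import ipaddress

BASE_NET = ipaddress.ip_network("99.111.222.128/25")  # network on eth1.3000
GATEWAY = ipaddress.ip_address("99.111.222.129")      # address on eth1.3000
PARENT_IF = "eth1"

def validate(plan):
    """Return a list of problems; an empty list means the plan can be rendered."""
    problems, owner = [], {}
    reserved = {BASE_NET.network_address, BASE_NET.broadcast_address, GATEWAY}
    for vlan, addrs in plan.items():
        for text in addrs:
            ip = ipaddress.ip_address(text)
            if ip not in BASE_NET:
                problems.append(f"vlan {vlan}: {ip} is outside {BASE_NET}")
            elif ip in reserved:
                problems.append(f"vlan {vlan}: {ip} is reserved")
            elif ip in owner:
                problems.append(f"vlan {vlan}: {ip} already routed to vlan {owner[ip]}")
            else:
                owner[ip] = vlan
    return problems

def service_net(vlan):
    """Private /24 so dhcpd binds; assumed numbering: VLAN 3111 -> 10.31.11.0/24."""
    return ipaddress.ip_network(f"10.{vlan // 100}.{vlan % 100}.0/24")

def render(plan):
    """Return (interfaces stanzas, dhcpd.conf subnet lines) for a valid plan."""
    if problems := validate(plan):
        raise ValueError("; ".join(problems))
    stanzas, subnets = [], []
    for vlan, addrs in sorted(plan.items()):
        iface, net = f"{PARENT_IF}.{vlan}", service_net(vlan)
        lines = [f"auto {iface}", f"iface {iface} inet static",
                 f"address {net.network_address + 1}", f"netmask {net.netmask}"]
        lines += [f"up ip ro add {a} dev {iface} src {GATEWAY}" for a in addrs]
        lines += [f"down ip ro del {a} dev {iface} src {GATEWAY}" for a in addrs]
        stanzas.append("\n".join(lines))
        subnets.append(f"subnet {net.network_address} netmask {net.netmask} {{}}")
    return "\n\n".join(stanzas), "\n".join(subnets)

# Constructed sample plan: the three clients from the article.
PLAN = {3111: ["99.111.222.130"],
        3112: ["99.111.222.131", "99.111.222.132"],
        3113: ["99.111.222.133", "99.111.222.134", "99.111.222.135"]}

if __name__ == "__main__":
    print(*render(PLAN), sep="\n\n")
```
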

If client machines need to see each other, add to /etc/sysctl.conf:

net.ipv4.conf.all.proxy_arp=1

And we apply it on the fly:

sysctl -w net.ipv4.conf.all.proxy_arp=1

Next, configure the switches.

Juniper example
set vlans vlan3111 vlan-id 3111
set vlans vlan3112 vlan-id 3112
set vlans vlan3113 vlan-id 3113
set interfaces xe-0/1/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/1/0 unit 0 family ethernet-switching vlan members 3111-3113
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 3111
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 3112
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members 3113

Here, the xe-0/1/0 port faces our router, and the clients are on ports ge-0/0/0 through ge-0/0/2.

Cisco example
vlan 3111
name vlan3111
vlan 3112
name vlan3112
vlan 3113
name vlan3113
interface GigabitEthernet0/48
switchport mode trunk
switchport trunk allowed vlan add 3111-3113
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 3111
interface GigabitEthernet0/2
switchport mode access
switchport access vlan 3112
interface GigabitEthernet0/3
switchport mode access
switchport access vlan 3113

Here, the GigabitEthernet0/48 port faces our router, and the clients are on ports GigabitEthernet0/1 through GigabitEthernet0/3.

That's it; the client can now enter ordinary-looking settings on his network interface:

auto eth0
iface eth0 inet static
address 99.111.222.130
netmask 255.255.255.128
gateway 99.111.222.129

He will get only the addresses allocated to him; the rest simply will not work, whatever he configures on his interface. And we have spent exactly as many addresses from our network as the customer ordered.

Source: https://habr.com/ru/post/334124/

