Friday, November 5, 2010

[Repost] HOWTO Configure DHCP failover

http://consultancy.edvoncken.net/index.php/HOWTO_Configure_DHCP_failover



The ISC DHCP server currently supports failover using a maximum of 2 servers: primary and secondary. This is an active/active setup; a simple form of load balancing is used to spread the load across both servers.
In this example, we'll be setting up failover DHCP on two servers, 192.168.123.1 and 192.168.123.2. These servers also run DNS and NTP. Dynamic clients will get an address in the range 192.168.123.100-199. Static leases are defined for several networked devices.
Since the ISC DHCP server allows the use of "include-files" in the configuration, we will use them to help keep the configurations simple and in sync across servers.


Installation

Install the following package, for example using yum:
dhcp
This example is based on version dhcp-3.0.5-18.el5.

Configuration

The configuration consists of several sections, each stored in a separate file to make maintenance easier.

Failover parameters

For the Primary, define the following failover parameters in /etc/dhcpd.conf_primary:
##########################
# DHCP Failover, Primary #
##########################

failover peer "example" {                   # Failover configuration
       primary;                             # I am the primary
       address 192.168.123.1;               # My IP address
       port 647;
       peer address 192.168.123.2;          # Peer's IP address
       peer port 647;
       max-response-delay 60;
       max-unacked-updates 10;
       mclt 3600;                           # Maximum Client Lead Time, only defined on Primary
       split 128;                           # Leave this at 128, only defined on Primary
       load balance max seconds 3;
}
For the Secondary, define the following failover parameters in /etc/dhcpd.conf_secondary:
############################
# DHCP Failover, Secondary #
############################

failover peer "example" {                   # Failover configuration
       secondary;                           # I am the secondary
       address 192.168.123.2;               # My IP address
       port 647;
       peer address 192.168.123.1;          # Peer's IP address
       peer port 647;
       max-response-delay 60;
       max-unacked-updates 10;
       # mclt and split are defined on the Primary only (dhcpd.conf(5))
       load balance max seconds 3;
}

Subnet declaration

Write a subnet declaration using our failover pool in /etc/dhcpd.conf_subnet. This section is identical on Primary and Secondary:
subnet 192.168.123.0 netmask 255.255.255.0  # subnet to issue addresses from
{
       pool {                                # Failover pool for dynamic leases;
               failover peer "example";      # dynamic BOOTP is not allowed here
               deny dynamic bootp clients;
               range 192.168.123.100 192.168.123.190;
       }
       pool {                                # Accommodate BOOTP clients here; no replication, no failover
               range 192.168.123.191 192.168.123.199;
       }
       allow unknown-clients;

       authoritative;

       option routers             192.168.123.254;
       option subnet-mask         255.255.255.0;
       option broadcast-address   192.168.123.255;
       option domain-name         "example.local.";
       option domain-name-servers 192.168.123.1, 192.168.123.2;
       option ntp-servers         192.168.123.1, 192.168.123.2;
       option netbios-node-type   8;

       default-lease-time         300;
       max-lease-time             600;

       filename                   "/pxelinux.0";
       next-server                192.168.123.1;
}
Note: the dhcpd.conf(5) manpage states that dynamic BOOTP leases are not compatible with failover, so dynamic BOOTP must be denied in every pool that names a failover peer. BOOTP clients are served from the second pool above, which has no failover peer; its leases are not replicated to the other server.

Dynamic DNS

If you are configuring Dynamic DNS, write the settings in /etc/dhcpd.conf_ddns (the file included from dhcpd.conf below). This section is identical on Primary and Secondary:
ddns-update-style interim;
ddns-updates on;
ddns-domainname "example.local.";
ignore client-updates;

# Forward zone for DNS updates
zone example.local
{
       primary 192.168.123.1;                # update the primary DNS
       key ddns-update;                      # key to use for the update
}

# Reverse zone for DNS updates
zone 123.168.192.in-addr.arpa
{
       primary 192.168.123.1;                # update the primary DNS
       key ddns-update;                      # key to use for the update
}
Note: for security reasons, the DNS server should only accept updates that are signed. The signing used here is TSIG: a shared secret (HMAC-MD5, the only algorithm ISC DHCP 3.x supports for this) configured identically in dhcpd and in named. It is a symmetric key, not a public/private key pair.
The "key ddns-update" statement tells dhcpd to sign its update requests with the key named "ddns-update", which is defined in /etc/ddns-update.dnskey (included from dhcpd.conf below). That file contains the secret and should be readable by root only; named must list the same key in allow-update for both zones, and since either DHCP server may perform the update for a lease, both servers need the same key.
For more information on this key, please refer to HOWTO Configure Dynamic DNS.
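The key file that this HOWTO includes as /etc/ddns-update.dnskey, together with the matching stanzas for named, can be produced with the script below. It is an added example for this HOWTO, not code from the original page or from ISC; the key name ddns-update and the zone example.local come from this HOWTO, while the zone file path dynamic/example.local.db and the file paths passed to the functions are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this HOWTO (not from the original page or from ISC):
# create one TSIG secret, emit the matching "key" stanzas for dhcpd and
# named, and sanity-check the resulting files.

# 128-bit random secret, base64-encoded (the form both daemons expect).
gen_tsig_secret() {
    head -c 16 /dev/urandom | base64 | tr -d '\n'
}

# dhcpd side: the stanza that dhcpd.conf includes as the .dnskey file.
# ISC DHCP 3.x only supports hmac-md5 for TSIG.
dhcpd_key_stanza() {   # NAME SECRET
    printf 'key %s {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$1" "$2"
}

# named side: same name, algorithm and secret, plus a zone that accepts
# updates only when they are signed with that key. Keep ZONEFILE under
# data/ or dynamic/ (see the SELinux note in this HOWTO).
named_key_stanza() {   # NAME SECRET
    printf 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$1" "$2"
}
named_zone_stanza() {  # ZONE ZONEFILE KEYNAME
    printf 'zone "%s" IN {\n\ttype master;\n\tfile "%s";\n\tallow-update { key "%s"; };\n};\n' \
        "$1" "$2" "$3"
}

# Write the dhcpd key file with no group/other access: it holds the secret.
# Assumption: dhcpd is started as root by the init script and parses its
# configuration before switching to the dhcpd user, so root-only suffices;
# if your build reads it after the switch, grant that user read access.
write_dhcpd_key_file() {  # PATH NAME SECRET
    ( umask 077; dhcpd_key_stanza "$2" "$3" > "$1" ) && chmod 600 "$1"
}

# Return 0 if FILE is accessible by its owner only.
key_file_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Return 0 if every 'key NAME;' in DDNS_CONF (the zone stanzas) names a key
# that KEY_FILE defines. Catches the common typo of mismatched key names.
ddns_key_refs_defined() {  # DDNS_CONF KEY_FILE
    defined=$(sed -n 's/^[[:space:]]*key[[:space:]]\{1,\}"\{0,1\}\([^" {]*\)"\{0,1\}[[:space:]]*{.*/\1/p' "$2")
    ok=0
    for ref in $(sed -e 's/#.*//' "$1" \
                 | sed -n 's/^[[:space:]]*key[[:space:]]\{1,\}"\{0,1\}\([^" ;]*\)"\{0,1\}[[:space:]]*;.*/\1/p'); do
        echo "$defined" | grep -qxF "$ref" \
            || { echo "FAIL: zone refers to key '$ref', which $2 does not define" >&2; ok=1; }
    done
    return $ok
}

# Stand-alone use: print both sides' stanzas for one fresh secret.
if [ "$#" -ge 1 ] && [ "$1" = "--print" ]; then
    secret=$(gen_tsig_secret)
    dhcpd_key_stanza ddns-update "$secret"
    named_key_stanza ddns-update "$secret"
    named_zone_stanza example.local dynamic/example.local.db ddns-update
fi
```

Run it with --print, paste the first stanza into /etc/ddns-update.dnskey (mode 0600) on both DHCP servers and the other two into named.conf on 192.168.123.1; then ddns_key_refs_defined /etc/dhcpd.conf_ddns /etc/ddns-update.dnskey confirms that the name used in the zone stanzas is the one the key file defines.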

Static leases

For more flexible IP address management, configure all devices to use DHCP and set up static leases for these devices.
In /etc/dhcpd.conf_static, create all static leases that you may need (outside of the DHCP/BOOTP range!). Again, this section is identical on Primary and Secondary:
# Axis Security Camera
host cam-reception {
       hardware ethernet 00:40:12:c0:ff:ee;
       fixed-address 192.168.123.200;
}

# Axis Security Camera
host cam-fireexit {
       hardware ethernet 00:40:fe:ed:fa:ce;
       fixed-address 192.168.123.201;
}

# Axis Security Camera
host cam-frontdoor {
       hardware ethernet 00:40:de:ad:be:ef;
       fixed-address 192.168.123.202;
}

Overall configuration

The configuration of the Primary and Secondary DHCP servers is mostly identical, except for the Failover parameters. By keeping the sub-configurations in sync across servers (perhaps using rsync), maintenance is reduced to a minimum.
The overall configuration file, /etc/dhcpd.conf, is only slightly different on Primary and Secondary.

Configuring /etc/dhcpd.conf on the Primary

# DHCP Server - Configuration file for Primary
#
# File $Id: dhcpd.conf,v 1.21 2009/07/09 16:26:57 root Exp root $

# Global configuration
set vendorclass = option vendor-class-identifier;

# Dynamic DNS Updates
include "/etc/ddns-update.dnskey";
include "/etc/dhcpd.conf_ddns";

# DHCP Failover, Primary
include "/etc/dhcpd.conf_primary";

# Subnet declaration
include "/etc/dhcpd.conf_subnet";

# Static IP addresses
include "/etc/dhcpd.conf_static";

# EOF

Configuring /etc/dhcpd.conf on the Secondary

# DHCP Server - Configuration file for Secondary
#
# File $Id: dhcpd.conf,v 1.9 2009/07/09 16:31:20 root Exp root $

# Global configuration
set vendorclass = option vendor-class-identifier;

# Dynamic DNS Updates
include "/etc/ddns-update.dnskey";
include "/etc/dhcpd.conf_ddns";

# DHCP Failover, Secondary
include "/etc/dhcpd.conf_secondary";

# Subnet declaration
include "/etc/dhcpd.conf_subnet";

# Static IP addresses
include "/etc/dhcpd.conf_static";

# EOF
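The two failover stanzas are the only part of the configuration that differs between the servers, and a mismatch (a wrong peer address or port, or mclt and split copied onto the Secondary) is easy to introduce when the files are edited by hand. The script below is an added example for this HOWTO, not part of the original page or of ISC DHCP: it checks that /etc/dhcpd.conf_primary and /etc/dhcpd.conf_secondary mirror each other and, when dhcpd is installed, lets dhcpd -t parse the full configuration. The sample pair it writes is constructed from the values used in this HOWTO.

```shell
#!/bin/sh
# Added example for this HOWTO (not from the original page or from ISC DHCP):
# verify that the Primary and Secondary failover stanzas mirror each other
# before dhcpd is (re)started on either server.
# Usage: sh check_failover_pair.sh /etc/dhcpd.conf_primary /etc/dhcpd.conf_secondary

# Print the value of one statement from a failover stanza, e.g.
#   fo_get FILE "peer address"   ->   192.168.123.2
# Comments are stripped first so text such as "# My IP address" cannot match.
fo_get() {
    sed -e 's/#.*//' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" \
      | head -n 1 | tr -d '[:space:]'
}

# Print the quoted name from 'failover peer "name" {'.
fo_name() {
    sed -n 's/^[[:space:]]*failover[[:space:]]\{1,\}peer[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" \
      | head -n 1
}

# Return 0 if FILE declares the bare role statement ROLE; (primary|secondary).
fo_has_role() {
    sed -e 's/#.*//' "$1" | grep -q "^[[:space:]]*$2[[:space:]]*;"
}

fail() { echo "FAIL: $*" >&2; rc=1; }

# Compare the two stanzas; report every mismatch; return 0 only if all pass.
check_failover_pair() {   # PRIMARY_FILE SECONDARY_FILE
    pf=$1; sf=$2; rc=0

    [ "$(fo_name "$pf")" = "$(fo_name "$sf")" ] \
        || fail "peer names differ: '$(fo_name "$pf")' vs '$(fo_name "$sf")'"
    fo_has_role "$pf" primary   || fail "$pf does not declare 'primary;'"
    fo_has_role "$sf" secondary || fail "$sf does not declare 'secondary;'"

    # Each server's own address/port must equal the other's peer address/port.
    [ "$(fo_get "$pf" address)" = "$(fo_get "$sf" 'peer address')" ] \
        || fail "primary address != secondary 'peer address'"
    [ "$(fo_get "$sf" address)" = "$(fo_get "$pf" 'peer address')" ] \
        || fail "secondary address != primary 'peer address'"
    [ "$(fo_get "$pf" port)" = "$(fo_get "$sf" 'peer port')" ] \
        || fail "primary port != secondary 'peer port'"
    [ "$(fo_get "$sf" port)" = "$(fo_get "$pf" 'peer port')" ] \
        || fail "secondary port != primary 'peer port'"

    # mclt and split belong on the primary only (dhcpd.conf(5)).
    [ -n "$(fo_get "$pf" mclt)" ]  || fail "mclt missing on primary"
    [ -n "$(fo_get "$pf" split)" ] || fail "split missing on primary"
    [ -z "$(fo_get "$sf" mclt)" ]  || fail "mclt must not be set on secondary"
    [ -z "$(fo_get "$sf" split)" ] || fail "split must not be set on secondary"

    # With dhcpd installed, also let it parse the complete configuration.
    if [ "$rc" -eq 0 ] && command -v dhcpd >/dev/null 2>&1 && [ -r /etc/dhcpd.conf ]; then
        dhcpd -t -cf /etc/dhcpd.conf >/dev/null 2>&1 || fail "dhcpd -t rejected /etc/dhcpd.conf"
    fi
    return "$rc"
}

# Write a constructed pair (the values from this HOWTO) into DIR so the check
# can be exercised without touching /etc.
write_sample_pair() {   # DIR
    cat > "$1/primary" <<'EOF'
failover peer "example" {
       primary;                             # I am the primary
       address 192.168.123.1;               # My IP address
       port 647;
       peer address 192.168.123.2;          # Peer's IP address
       peer port 647;
       max-response-delay 60;
       max-unacked-updates 10;
       mclt 3600;
       split 128;
       load balance max seconds 3;
}
EOF
    cat > "$1/secondary" <<'EOF'
failover peer "example" {
       secondary;                           # I am the secondary
       address 192.168.123.2;               # My IP address
       port 647;
       peer address 192.168.123.1;          # Peer's IP address
       peer port 647;
       max-response-delay 60;
       max-unacked-updates 10;
       load balance max seconds 3;
}
EOF
}

if [ "$#" -eq 2 ]; then
    check_failover_pair "$1" "$2" && echo "OK: failover stanzas are consistent"
fi
```

Run it on the host that holds both files (for instance the one you rsync the shared includes from) before restarting dhcpd on either server; a non-zero exit lists every mismatch on stderr.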

Miscellaneous


SElinux considerations

This applies to the DNS server that receives the dynamic updates. By default, the SELinux policy does not allow the BIND daemon (named) to write to files labeled with the named_zone_t type, which is used for master zone files, so named cannot write the journal of a dynamically updated zone or replace the zone file. Store the zone files that receive DHCP updates under /var/named/chroot/var/named/data or /var/named/chroot/var/named/dynamic and restore their labels:
# restorecon -R -v /var/named/chroot/var/named/data
# restorecon -R -v /var/named/chroot/var/named/dynamic
This relabels the zone files to the named_cache_t type, which named may write, and clears the "SELinux is preventing named (named_t) "unlink"" denials that appear when named tries to replace a zone file after an update.

Firewall settings

Your firewall must allow inbound DHCP on 67/UDP (client requests arrive on the server's port 67; port 69 is TFTP, not DHCP) and the failover connection on 647/TCP. The failover link carries lease state and the ISC implementation neither authenticates nor encrypts it, so accept 647/TCP from the peer's address only (or run it over a private link). Open 69/UDP for TFTP only if this host also serves the PXE boot files named by filename and next-server above. Sample entries for /etc/sysconfig/iptables on the Primary (on the Secondary, use 192.168.123.1 as the peer source):
# DHCP server: client requests arrive on 67/UDP
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
# DHCP failover: only from the peer
-A INPUT -s 192.168.123.2 -m state --state NEW -m tcp -p tcp --dport 647 -j ACCEPT
# TFTP for PXE boot files, only if this host is the next-server
-A INPUT -p udp -m udp --dport 69 -j ACCEPT

Starting the service

On both the DHCP Primary and the Secondary, run the following commands as root:
# chkconfig dhcpd on
# service dhcpd start
Then check /var/log/messages on both servers: dhcpd logs each failover state transition, and the pair is healthy once both sides report the peer "example" in the normal state.
