vlan10---->firewall----->linux dhcp server
vlan20---------↑
I have two VLANs (vlan10 and vlan20), and I want to use a Linux DHCP server to assign IP addresses centrally.
On the FortiGate firewall I use DHCP relay so that clients obtain their DHCP IP.
On the Linux DHCP server I use host sections to pin clients to static IPs and to allow known hosts to obtain dynamic IPs.
########## config start #########
subnet 192.168.10.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option domain-name-servers 192.168.8.248, 192.168.8.246;
    option routers 192.168.10.1;
    allow unknown-clients;
    range 192.168.10.11 192.168.10.210;
}
subnet 192.168.20.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.20.255;
    option domain-name-servers 192.168.8.248, 192.168.8.246;
    option routers 192.168.20.1;
    deny unknown-clients;
    range 192.168.20.11 192.168.20.210;
}
host host1 {
    hardware ethernet 11:11:11:11:11:11;
    fixed-address 192.168.10.20;
}
host host2 {
    hardware ethernet 22:22:22:22:22:22;
    fixed-address 192.168.10.21;
}
host host3 {
    hardware ethernet 33:33:33:33:33:33;
    fixed-address 192.168.20.20;
}
host host4 {
    hardware ethernet 44:44:44:44:44:44;
}
########## config end #########
With this configuration every client can obtain an IP on either vlan10 or vlan20, but I want host4 to obtain a dynamic IP only on vlan20.
When host4 connects to vlan10, it should not be able to obtain any IP address from the DHCP server.
How should I modify the configuration?
Answer 1
Although I can't test this at the moment, and the syntax may need some adjustment, you could use a "group" definition and list all clients in both the vlan10 and vlan20 groups, but in the vlan10 file tell host4 "deny booting;". That should do it.
I can't test this myself right now, but it might be worth a try?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-dhcp-configuring-server.html#group and https://www.daemon-systems.org/man/dhcpd.conf.5.html for deny booting
You might also want to check whether the "include" directive works, so you could do something like the following:
dhcp.conf:
option domain-name-servers 192.168.8.248, 192.168.8.246;
include "/etc/dhcp/vlan10.txt";
include "/etc/dhcp/vlan20.txt";
vlan10.txt
group {
    subnet 192.168.10.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.10.255;
        option routers 192.168.10.1;
        allow unknown-clients;
        range 192.168.10.11 192.168.10.210;
        include "/etc/dhcp/vlan10.hosts.txt";
        include "/etc/dhcp/vlan10.deny.hosts.txt";
    }
}
vlan20.txt
group {
    subnet 192.168.20.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.20.255;
        option routers 192.168.20.1;
        deny unknown-clients;
        range 192.168.20.11 192.168.20.210;
        include "/etc/dhcp/vlan10.hosts.txt";
        include "/etc/dhcp/vlan20.hosts.txt";
    }
}
vlan10.hosts.txt
host host1 { hardware ethernet 11:11:11:11:11:11; fixed-address 192.168.10.20; }
host host2 { hardware ethernet 22:22:22:22:22:22; fixed-address 192.168.10.21; }
host host3 { hardware ethernet 33:33:33:33:33:33; fixed-address 192.168.20.20; }
vlan10.deny.hosts.txt
host host4 { hardware ethernet 44:44:44:44:44:44; deny booting; }
vlan20.hosts.txt
host host4 { hardware ethernet 44:44:44:44:44:44; }
Answer 2
Maybe creating a class that matches your host4 and adding a line `deny members of "yourClass";` to your subnet configuration could help.
An example:
class "raspberry" {
    # match MACs starting with b8:27:eb
    match if substring(hardware, 1, 3) = b8:27:eb;
}
subnet 192.168.10.0 netmask 255.255.254.0 {
    option routers 192.168.10.254;
    pool {
        range 192.168.10.11 192.168.10.210;
        deny members of "raspberry";
    }
}
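Applying this answer's class idea to the question's own subnets, as an added example that is not part of either answer: host4's MAC is put into a class that the vlan10 pool denies, while the vlan20 pool keeps `deny unknown-clients`, so host4 only receives a dynamic lease on vlan20. The class name is a chosen placeholder; note that both the class match and the known/unknown test key on the client-reported MAC, so this enforces address-assignment policy, not network admission (switch port security or 802.1X does that).

```conf
# Added example (not from the question or either answer): the question's
# two subnets with host4 confined to dynamic leases on vlan20 only.
# The class name "vlan20-only" is a chosen placeholder.
class "vlan20-only" {
    # Match host4's MAC (from the question); substring(hardware, 1, 6) skips
    # the leading hardware-type byte, as in the "raspberry" example above.
    match if substring(hardware, 1, 6) = 44:44:44:44:44:44;
}

subnet 192.168.10.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.10.255;
    option domain-name-servers 192.168.8.248, 192.168.8.246;
    option routers 192.168.10.1;
    pool {
        range 192.168.10.11 192.168.10.210;
        # No allow statement, so every client except class members may
        # lease here (same effect as the original "allow unknown-clients").
        deny members of "vlan20-only";
    }
}

subnet 192.168.20.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.20.255;
    option domain-name-servers 192.168.8.248, 192.168.8.246;
    option routers 192.168.20.1;
    pool {
        range 192.168.20.11 192.168.20.210;
        # Only clients with a host declaration (host4 included) lease here.
        deny unknown-clients;
    }
}

# Fixed addresses are handed out outside the pools, so they are unaffected.
host host1 { hardware ethernet 11:11:11:11:11:11; fixed-address 192.168.10.20; }
host host2 { hardware ethernet 22:22:22:22:22:22; fixed-address 192.168.10.21; }
host host3 { hardware ethernet 33:33:33:33:33:33; fixed-address 192.168.20.20; }
# host4 stays "known" (so it passes deny unknown-clients on vlan20) but has
# no fixed-address; the class above is what blocks it on vlan10.
host host4 { hardware ethernet 44:44:44:44:44:44; }
```

Check the syntax with `dhcpd -t -cf /etc/dhcp/dhcpd.conf` before restarting the service.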