Eric Stewart: Running Off At The Mouth

ISC DHCP – “subnet” vs “pool” Declarations

by Eric Stewart on Aug.08, 2014, under Networking, Technology

This should be fairly quick.  We ran into an issue with our ISC DHCP server that isn’t a bug, but a misconfiguration on our part.

We had a client/customer request a reserve lease so that he could eventually request some ACLs/Firewall changes to access a resource and not have to worry about his IP changing any time soon.  So a coworker entered the lease reservation.  Here’s the shared-network definition that came about as a result:

host printer { hardware ethernet 11:11:11:11:11:11; fixed-address 10.0.249.148; }
host pc101   { hardware ethernet 11:11:11:11:11:12; fixed-address 10.0.249.149; }
shared-network BOOYAH {
     authoritative;
     subnet 10.0.249.128 netmask 255.255.255.128 {
          pool {
               range 10.0.249.166 10.0.249.251;
               option routers 10.0.249.254;
               option broadcast-address 10.0.249.255;
               failover peer "no1-no2";
               deny dynamic bootp clients;
          }
          option domain-name-servers 10.0.1.1, 10.0.1.2;
          option domain-name "blah.example.com";
          option subnet-mask 255.255.255.128;
          default-lease-time 900;
          max-lease-time 900;
          ddns-updates off;
          ignore bootp;
     }
}

A bit after making the change (essentially, just adding the PC101 line), he got a call that the user could only reach a few resources.  Looking at the ipconfig output from the system, the entry for the default gateway was blank.  The client’s machine had no clue where to send traffic for resources not on the local subnet.

Those with even a little bit of experience with ISC’s DHCPD server may have already spotted the issue.  In our case, it took (for me, at least) an embarrassingly long time to spot.

See, it turns out that the “pool” definition specifies the “range” of addresses that the settings inside the “pool” apply to.  The “pool” also inherits the settings defined in the enclosing “subnet” declaration.  The reserved leases, declared outside of the “shared-network” definition, appear to pick up the settings within the “subnet”, but not those within the “pool”.

So (theoretically, as we haven’t 100% tested it yet, nor conferred with our BigBrain), we moved the “option routers” and “option broadcast-address” lines down with the rest of the “option” lines, outside of the “pool” definition (where, as I discovered, they reside in most, if not all, of the “shared-network”s that have reserved leases associated with them).  Meaning, this is what the config looks like now:

host printer { hardware ethernet 11:11:11:11:11:11; fixed-address 10.0.249.148; }
host pc101   { hardware ethernet 11:11:11:11:11:12; fixed-address 10.0.249.149; }
shared-network BOOYAH {
     authoritative;
     subnet 10.0.249.128 netmask 255.255.255.128 {
          pool {
               range 10.0.249.166 10.0.249.251;
               failover peer "no1-no2";
               deny dynamic bootp clients;
          }
          option domain-name-servers 10.0.1.1, 10.0.1.2;
          option domain-name "blah.example.com";
          option routers 10.0.249.254;
          option broadcast-address 10.0.249.255;
          option subnet-mask 255.255.255.128;
          default-lease-time 900;
          max-lease-time 900;
          ddns-updates off;
          ignore bootp;
     }
}

Time will tell if the solution is correct.
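A small lint for exactly this scoping rule, added here as an example (not the post's config and not ISC's code): it walks a dhcpd.conf, works out which options a fixed-address host inherits from its host scope and the enclosing subnet, shared-network and global scopes, and flags any required option that lives only inside a pool. The config sample and the parser are both constructed for this illustration and assume a simple file without includes, conditionals or quoted braces.

```python
import ipaddress
import re

# Constructed sample mirroring the post's original (broken) layout: "option routers" sits
# inside the pool, and hosts declared at global scope never inherit settings from a pool.
DHCPD_CONF = """
host printer { hardware ethernet 11:11:11:11:11:11; fixed-address 10.0.249.148; }
host pc101   { hardware ethernet 11:11:11:11:11:12; fixed-address 10.0.249.149; }
shared-network BOOYAH {
  subnet 10.0.249.128 netmask 255.255.255.128 {
    pool { range 10.0.249.166 10.0.249.251; option routers 10.0.249.254; }
    option domain-name-servers 10.0.1.1, 10.0.1.2;
  }
}
"""

def parse_scopes(conf):
    """Walk the braces; return each scope with its parent link, its own option names and, for hosts, the fixed-address."""
    root = {"kind": "global", "header": ["global"], "options": set(), "parent": None, "fixed": None}
    scopes, cur = [root], root
    for tok in re.findall(r"[^{};]+[{;]|\}", conf):
        tok = tok.strip()
        words = tok[:-1].split()  # statement or block header without its trailing ';' / '{'
        if tok == "}":
            cur = cur["parent"] or root
        elif tok.endswith("{"):  # shared-network, subnet, pool, host, group ...
            cur = {"kind": words[0], "header": words, "options": set(), "parent": cur, "fixed": None}
            scopes.append(cur)
        elif words[:1] == ["option"]:
            cur["options"].add(words[1])
        elif words[:1] == ["fixed-address"]:
            cur["fixed"] = words[1]
    return scopes
def inherited_options(node):
    """Options a client matched in this scope receives: the scope plus every enclosing one (never a child pool)."""
    opts = set()
    while node is not None:
        opts |= node["options"]
        node = node["parent"]
    return opts
def check_fixed_hosts(conf, required=("routers",)):
    """Return (host, address, option) for each fixed-address host whose own scope and containing subnet lack a required option."""
    scopes = parse_scopes(conf)
    problems = []
    for host in (s for s in scopes if s["kind"] == "host" and s["fixed"]):
        addr = ipaddress.ip_address(host["fixed"])
        for sn in (s for s in scopes if s["kind"] == "subnet"):  # header: subnet NET netmask MASK
            if addr in ipaddress.ip_network(f"{sn['header'][1]}/{sn['header'][3]}", strict=False):
                missing = set(required) - inherited_options(sn) - inherited_options(host)
                problems += [(host["header"][1], str(addr), opt) for opt in sorted(missing)]
    return problems
```

Running check_fixed_hosts on the sample reports both reserved hosts as missing "routers"; moving the option up to the subnet scope, as the post does, makes the report empty.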
