
DHCP Management Across a Diversified Network?

timothy posted more than 4 years ago | from the send-that-packet-that-way dept.


ET Admin writes "I work for a small Wireless ISP, where we are deploying new network hardware to allow for growth and contain broadcast traffic. All routing/switching equipment is Cisco. We use Linux stand-alone boxes and VMs (running on Win 2003 boxes). We have decided on a hybrid VLAN layout where we have certain VLANs limited by location, and other VLANs that are global across the network. And I want DHCP served across it all. Does anyone have experience with IPAM software that handles multiple DHCP servers? Our network is small so spending a couple grand is overkill at this point. Any recommendations to help me decide between serving DHCP from the Nix boxes, or from the Cisco gear? Knowing that a single DHCP server will handle from 100-500 hosts."



DHCP Relaying (5, Informative)

Anonymous Coward | more than 4 years ago | (#28366801)

Set up DHCP relaying on the switches to forward/relay all DHCP requests across the VLANs and subnets to one (or two) DHCP servers.

Re:DHCP Relaying (3, Informative)

TaliesinWI (454205) | more than 4 years ago | (#28366869)

Done in one. You can even train ISC DHCP to give out different pools based on the primary IP address of the gateway for a particular VLAN. At that point all you have to worry about are keeping the pools "fed".

Re:DHCP Relaying (5, Informative)

cr0nj0b (20813) | more than 4 years ago | (#28367009)

Or two dhcp servers. Just in case the path to the first dhcp server is unavailable

http://www.madboa.com/geek/dhcp-failover/ [madboa.com]

Re:DHCP Relaying (5, Informative)

Anonymous Coward | more than 4 years ago | (#28366893)

DHCP Relay Agent in Cisco Routers

Cisco routers support DHCP relay agents with the ip helper-address command. To enable ip helper-address on an interface that will receive client BOOTP/DHCP broadcasts, from global configuration mode:

Router(config)# interface fa 0/0

Router(config-if)# ip helper-address

Router(config-if)# ip helper-address

Re:DHCP Relaying (2, Interesting)

ET Admin (1579083) | more than 4 years ago | (#28368989)

I am definitely leaning this way. I currently have 2 hosts on the new network, and I just set them up as DHCP pools on the cisco gear to get them up and running, which got me looking at the capabilities of the Cisco gear. DHCP databases served via TFTP to all the field routers (3550's serving DHCP) was the other option I was looking at, but using ip helper to point to a central linux box sure seems easier. One of my main goals in this design is to limit broadcasts outside of each subnet, and ip helper obviously punches a hole in that philosophy. I can, and I will limit the protocols that ip helper transfers. I am thrilled to be getting all these suggestions and other ideas. Thanks

Re:DHCP Relaying (3, Informative)

Curien (267780) | more than 4 years ago | (#28369409)

One of my main goals in this design is to limit broadcasts outside of each subnet, and ip helper obviously punches a hole in that philosophy.

ip helper doesn't forward as broadcasts. When the router on the host's segment detects the broadcast DHCP request, it forwards it directly to the next hop (just like any router does with a non-broadcast packet).

Re:DHCP Relaying (0)

Anonymous Coward | more than 4 years ago | (#28379229)

Correct. And with version 3 or later, you can even put two dhcpd servers (http://en.wikipedia.org/wiki/Dhcpd) in an active-active redundant mode.

So putting this in your Cisco router:
ip helper-address
ip helper-address

will work very well. The first dhcpd server to answer and to give the IP address will send it to the other one.

Re:DHCP Relaying (1)

Moxon (139555) | more than 4 years ago | (#28374155)

We're using ip helper forwarding to two ISC dhcp3 servers (on linux) with a load balance / failover setup. Works just dandy for a few thousand users and 200+ subnets.

Separate pools and subnets per vlan and all that stuff, of course. I'm sure there are howtos on the web..

Re:DHCP Relaying (1)

oatworm (969674) | more than 4 years ago | (#28366911)

That's what I'm thinking, too. Also, make sure conflict detection is turned on. Serving DHCP isn't particularly processor-intensive, so I doubt it'll matter much if you're hosting it from your *NIX boxes or from your Cisco equipment.

Re:DHCP Relaying (2, Informative)

Curien (267780) | more than 4 years ago | (#28367319)

This is definitely the way to go. If for some reason you cannot do this (as was once the case for me*), you can set up a PC on the network segment to act as a DHCP relay (the ISC DHCP distribution comes with a relay agent). On a network where we had more control, we set up a tunnel between the routers to forward the DHCP packets.

* The network involved military encryption devices which could not be configured to forward broadcast packets. I put together a Linux system that booted from a floppy, used arping to figure out the IP address of the router (to determine which network segment it was on), read a config file from the floppy that contained the segment-specific settings, and started the dhcrelay process. Since the system ran entirely from a ramdisk, the security office allowed us to leave it on even when the area was secured.

I have the solution you need... (3, Informative)

poptix_work (79063) | more than 4 years ago | (#28366843)

http://lmgtfy.com/?q=cisco+dhcp+relay&l=1 [lmgtfy.com]

You can easily run hundreds of thousands of hosts off a single DHCP server. It is not CPU intensive, particularly if you have a decent lease duration.

Re:I have the solution you need... (2, Interesting)

rmadmin (532701) | more than 4 years ago | (#28366881)

I concur.. I have over 2000 hosts covered with my DHCP server, 24 hour lease, the server never breaks 0.00 loads. We also use DHCP-Relay in about 5 places across the network. It's tasty :)

Re:I have the solution you need... (1)

Sabalon (1684) | more than 4 years ago | (#28368185)

We have about 1400 regular hosts and a large migrant (student notebook) population, i.e. more hosts than IPs, so we have a much shorter lease time (30 minutes I think) and DHCP relay. The machine is bored to tears. Not sure of the 100-500 hosts line in the post.

Re:I have the solution you need... (1)

cerberusss (660701) | more than 4 years ago | (#28371323)

I'll do better than that. ~10 years ago I visited the racks of a major cable internet provider in the Netherlands. There stood a lonely old Pentium 3 tower, in fading brown/beige colors, between the fancy rackmounted Cisco equipment, providing DHCP for a ~750,000 resident area in which that provider was basically the monopoly for cable internet.

True story.

Re:I have the solution you need... (1)

mr_mischief (456295) | more than 4 years ago | (#28376287)

That probably worked just fine, too.

Contrast that to the horror story I found at an ISP. I was the manager of the technical staff (servers and network) at a medium-sized ISP that went through a rash of acquisitions before being acquired itself. One ISP we bought had a Pentium 133 in an AT desktop case with 256 megabytes of RAM. It ran NT 4, and it did pretty much everything but offer the network ports. It was serving primary and secondary RADIUS for auth and logging. It did primary and secondary DNS, both authoritative for the domains and caching for the customers. I used IMail for all mail (MX, outbound SMTP, POP3, and mail storage). It also hosted the ISP's web site. There were about 3,000 customers on that little hunk of junk. Once we migrated them over to our systems, we actually had calls thanking us for speeding up authentication. It was that noticeable.

Re:I have the solution you need... (5, Informative)

poptix_work (79063) | more than 4 years ago | (#28366925)

Also, here's a small sample config for serving a particular pool on a particular interface (which would be the vlan "interface" on the Cisco), easily found on Google:

class "vlan1234" {
        match if
                (binary-to-ascii(16, 8, ".", option agent.remote-id) = "0.15.63.ab.52.16")   # This is the MAC of the switch
                and
                (binary-to-ascii(10, 8, ".", option agent.circuit-id) = "");                 # This is the interface number (value missing in the original post)
}

pool {
        max-lease-time 300;

        option subnet-mask;          # mask value missing in the original post
        option routers;              # gateway value missing in the original post
        allow members of "vlan1234";
}
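What the class above is actually matching on is the Relay Agent Information option (DHCP Option 82, RFC 3046) that the switch or relay inserts: sub-option 1 is the circuit-id (port), sub-option 2 the remote-id (here the switch MAC), and dhcpd's binary-to-ascii(16, 8, ".", ...) renders the bytes as unpadded hex separated by dots. The following Python is an added example (not ISC dhcpd or Cisco code) that decodes a relayed DHCPDISCOVER, renders Option 82 the same way dhcpd does, and looks the result up in a class table; the switch MAC, port numbers, VLAN class names and relay address 10.34.0.1 are constructed for the example. It also rejects the case a snooping switch should never let through: Option 82 present on a message whose giaddr is still 0.0.0.0, i.e. inserted by the client rather than a relay.

```python
"""Decode a relayed DHCP message and classify it by Option 82 the way a
dhcpd 'class ... match if' does.  Added example, not ISC/Cisco code; the
switch MAC, circuit-ids, class names and relay address are constructed."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2132 DHCP magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2    # RFC 3046 sub-options

# Constructed class table, keyed the way dhcpd's match expression sees it:
# (binary-to-ascii(16,8,".",remote-id), binary-to-ascii(10,8,".",circuit-id)).
VLAN_CLASSES = {
    ("0.15.63.ab.52.16", "12"): "vlan1234",
    ("0.15.63.ab.52.16", "13"): "vlan1235",
}


def parse_tlvs(blob, stop_at_end=False):
    """Parse code/length/value triples (DHCP options or Option 82 sub-options)."""
    out = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, only %d present"
                             % (code, length, len(value)))
        out[code] = out.get(code, b"") + value   # RFC 3396: split options concatenate
        i += 2 + length
    return out


def binary_to_ascii(base, data, sep="."):
    """Mirror dhcpd's binary-to-ascii(base, 8, sep, data): no zero padding."""
    fmt = {16: "x", 10: "d"}[base]
    return sep.join(format(b, fmt) for b in data)


def parse_dhcp(packet):
    """Return the BOOTP header fields the relay discussion cares about plus options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops = struct.unpack("!BBBB", packet[:4])
    if hlen > 16:
        raise ValueError("bad hlen %d" % hlen)
    return {
        "op": op,
        "hops": hops,
        "giaddr": socket.inet_ntoa(packet[24:28]),      # relay agent address
        "chaddr": ":".join("%02x" % b for b in packet[28:28 + hlen]),
        "options": parse_tlvs(packet[240:], stop_at_end=True),
    }


def classify(msg):
    """Map a parsed message to a class name from VLAN_CLASSES, or None."""
    agent = msg["options"].get(OPT_RELAY_AGENT)
    if agent is None:
        return None
    if msg["giaddr"] == "0.0.0.0":
        # Only a relay may add Option 82; on a non-relayed message it is
        # client-supplied and is exactly what DHCP snooping should discard.
        raise ValueError("Option 82 present on a non-relayed message")
    subs = parse_tlvs(agent)
    key = (binary_to_ascii(16, subs.get(SUBOPT_REMOTE_ID, b"")),
           binary_to_ascii(10, subs.get(SUBOPT_CIRCUIT_ID, b"")))
    return VLAN_CLASSES.get(key)


def build_relayed_discover(mac, giaddr, remote_id, circuit_id):
    """Construct what an ip helper-address relay hands the server: a DISCOVER
    with giaddr set, hops incremented and Option 82 appended (constructed data)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 1,                      # BOOTREQUEST, Ethernet, hlen 6, hops 1
                         0x3903F326, 0, 0x8000,           # xid, secs, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr
                         socket.inet_aton(giaddr), mac, b"\0" * 64, b"\0" * 128)
    agent = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
             + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    options = (bytes([OPT_MSG_TYPE, 1, 1])                 # DHCPDISCOVER
               + bytes([OPT_RELAY_AGENT, len(agent)]) + agent
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed sample: client behind switch 00:15:63:ab:52:16 port 12, relayed by 10.34.0.1
SAMPLE = build_relayed_discover(b"\x00\x1a\x2b\x3c\x4d\x5e", "10.34.0.1",
                                b"\x00\x15\x63\xab\x52\x16", b"\x0c")

if __name__ == "__main__":
    msg = parse_dhcp(SAMPLE)
    print(msg["chaddr"], "via", msg["giaddr"], "->", classify(msg))
```

The giaddr field is what dhcpd normally uses to pick the subnet a relayed request belongs to; Option 82 refines that down to the switch and port, which is why the class in the post can key on it.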

Re:I have the solution you need... (2, Insightful)

calmofthestorm (1344385) | more than 4 years ago | (#28367189)

It's interesting because lmgtfy is as much about knowing what to google as to google it. Often if I ask a dumb question, all I need are google keywords.

phpdhcpadmin (3, Informative)

Anonymous Coward | more than 4 years ago | (#28366855)

Someone in house here created it, and we use it across multiple vlans from a Gentoo box. It uses the ISC DHCPD server.


Re:phpdhcpadmin (1)

ET Admin (1579083) | more than 4 years ago | (#28368895)

Thanks for the tip. We currently use the ISC DHCPd on a CentOS VM and this will allow me to start with our current conf files.

Go IPV6 and leave DHCP in the dust (1, Interesting)

goffster (1104287) | more than 4 years ago | (#28366885)

DHCP not used in IPV6 protocol

Re:Go IPV6 and leave DHCP in the dust (4, Informative)

Imagix (695350) | more than 4 years ago | (#28367091)

Ahem... never heard of RFC 3315? DHCPv6 still has a place in an IPv6 network.

Re:Go IPV6 and leave DHCP in the dust (1)

quazee (816569) | more than 4 years ago | (#28367519)

Even if you go IPv6, you still need to provide at least a NAT-ed IPv4 address or a transparent HTTP/DNS proxy.
And the 'transparent proxy' solution will break everything except HTTP, most notably, HTTPS.
You can communicate with IPv6 hosts from an IPv4 address (via 6to4 encapsulation).
But you cannot communicate with IPv4-only hosts using an IPv6 address without a proxy.

Re:Go IPV6 and leave DHCP in the dust (2, Insightful)

miscellaneous (14183) | more than 4 years ago | (#28368457)

Yeah, because as a wireless ISP you can totally require your clients to support IPv6. Wait, no, that's not right.

dhcp relay (0)

Anonymous Coward | more than 4 years ago | (#28366891)

If you want a DHCP server on multiple VLANs, you can probably utilize DHCP relay to forward the client DHCP request to the server. So, you don't necessarily need a server on each VLAN. Also, with DHCP option 82 information, you can serve addresses based on the VLAN, switch or even switch port from where the request originates.

See the following for more information: CISCO option 82

Use the Unix/Linux boxes.... (5, Interesting)

Fallen Kell (165468) | more than 4 years ago | (#28366915)

Seriously, do not use the Cisco gear to handle the DHCP. There are several ways to handle this: either have a system with an interface on all the networks, or set up your Cisco gear to forward the DHCP requests to the one subnet that does have your system.

With Unix/Linux you can set up failover servers so that if one does not respond, the other will take over the requests, and that way you will not lose DHCP across your entire network due to hardware/software issues on a single system. Go read up on dhcpd, it is not too difficult to understand, and is really probably your best low cost solution.

lmgtfy.com (0, Offtopic)

AnEducatedNegro (1372687) | more than 4 years ago | (#28367119)

i really wish we could close these stories out after an insightful post like yours. mod parent up. don't use cisco, dhcpd is freaking trivial. done and done. next


Re:Use the Unix/Linux boxes.... (1)

morgan_greywolf (835522) | more than 4 years ago | (#28368377)

Agreed. ISC dhcpd is so trivial to set up, and places hardly any load on the system at all, that I don't see why you wouldn't use it in that case. I've personally run dhcpd servers serving 1,000 nodes or more without a lick of trouble running on old PCs that were just lying around. We had a couple of failover servers on each VLAN and ultimately we never had any DHCP downtime, ever. Well, actually we did once, but that's because the POS Cisco switch the DHCP servers were plugged into totally failed for reasons we were never able to ascertain, other than the fact the hardware simply didn't work anymore. :)

dhcp on different vlans (0)

Anonymous Coward | more than 4 years ago | (#28366963)

If it's Cisco equipment, yes, you should be able to maintain different VLANs and serve DHCP independently inside each VLAN.

You need Cisco gear (3, Interesting)

Anonymous Coward | more than 4 years ago | (#28367021)

You need to use DHCP snooping to block rogue DHCP servers and block packets with forged MAC addresses on untrusted interfaces.

You need IP source guard to block forged IP addresses on untrusted interfaces.

Otherwise, you are at risk of DOS and/or compromise from malicious users, and at risk of instability and insanity caused by users who plug a rogue DHCP server (even something as simple as the LAN side of a Linksys gateway) into your gear.

Re:You need Cisco gear (1, Interesting)

Anonymous Coward | more than 4 years ago | (#28367103)

You can do this with Procurve too... and Enterasys.

Don't be a crony ;)

Re:You need Cisco gear (1)

solevita (967690) | more than 4 years ago | (#28367485)

HP Procurve equipment supports both DHCP helper addresses and DHCP snooping. So yes, you need to do it properly, but you can do it properly (and with a free lifetime warranty) without Cisco.

Re:You need Cisco gear (1)

Bigjeff5 (1143585) | more than 4 years ago | (#28369237)

Why the hell should he buy new equipment? He's already got Cisco, and Cisco does it.

Man, do you normally buy new gear that does exactly what your current gear does, just because the new gear has a cheaper price tag on it? What a complete waste of money.

You sound like a project manager for my company, only they usually go from less expensive perfectly capable current equipment to more expensive less capable new equipment.
PM: "We need "
Engineer: "Why?"
PM: "Because, it does X, Y, and Z, and we need that!"
E: "But already does X, Y, and Z, as well as G, E, and F. We wouldn't be operating without that."
PM: "We need it anyway, do it."

Re:You need Cisco gear (1)

Bigjeff5 (1143585) | more than 4 years ago | (#28369259)

Damn my lack of previewing!!

The missing information is, from top to bottom:
"new expensive product A"
"older currently installed less expensive but more functional product B"

Kudos if you find where the second goes, it might not be blatantly obvious at first. ;)

Re:You need Cisco gear (0)

Anonymous Coward | more than 4 years ago | (#28374713)

I think you missed the point..... The parent said "You need Cisco Gear", the replies were "no you don't"...

Re:You need Cisco gear (0)

Anonymous Coward | more than 4 years ago | (#28371789)

Geez, what a fucking jackass you are. The GP made the claim in the subject of the post that "You need Cisco gear" which sounded more like a much more general claim about exclusivity of features, than addressing the original questioner's current equipment. So somebody just pointed out that these features to prevent DHCP DoSing are not exclusive to Cisco equipment.

Also, on another note, have you considered the PM might be getting kickbacks from someone in the supply chain of the new equipment. I can tell you if I had to put up with people like you working for me, it wouldn't make the decision to not indulge in such graft easier.

Re:You need Cisco gear (3, Insightful)

mysidia (191772) | more than 4 years ago | (#28367507)

That's not an absolute. You should use VLAN segmentation (and possibly private VLANs) to separate untrusted networks.

That way if there is a rogue DHCP server, its effects are isolated to the untrusted LAN it came from.

The L2 filtering features you are thinking of are actually inadequate to stop a sophisticated attacker, because those features can be defeated, or don't address all possible Layer 2 spoofing and traffic hijacking tricks.

Re:You need Cisco gear (1)

ET Admin (1579083) | more than 4 years ago | (#28368749)

Thanks for the tip. We require our customers to have their own routers, and so far our wireless devices have protected us from this. But I did learn the hard way that VMWare Server enables DHCP by default when initially installed.

Nice answer Slashdotters. (5, Insightful)

bluephone (200451) | more than 4 years ago | (#28367171)

To everyone who tagged this "domyjobforme", I hope every single one of you gets the same response the next time you ask for help doing your job. At least this guy had the sense to say, "Hey, there's a community of people that contains a multitude of experts in many fields, I bet someone might have some good suggestions." And guess what else? Maybe some readers will find the suggestions helpful too. Ask Slashdot is for questions that the general community might find interesting and helpful, not just one guy. It's not just about the submitter, and it's certainly not about your need to be snide to those who recognize their shortcomings and try to expand their base of knowledge.

Re:Nice answer Slashdotters. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28367305)

ahhhh go fuck yourself. if you fucking microsoft shills knew anything about the industry it would amaze me. you get your fucking mcse and get a job but don't have the skills. i fucking hate you idiots.

Re:Nice answer Slashdotters. (-1, Troll)

Packet Pusher (231564) | more than 4 years ago | (#28367357)

I'm sorry but some people are idiots and they shouldn't be working the job they have. If you can't find someone to hire who knows how to set up DHCP you are a cheap bastard. Hire a competent person and stop asking other people to tell you how to do your own job. I see a lot of this in the US right now and I'm none too happy to have to do other people's jobs for them when I'm getting paid for it, let alone when I'm not.

Re:Nice answer Slashdotters. (5, Insightful)

Anonymous Coward | more than 4 years ago | (#28367523)

You sound like the idiot, for not realizing that people get stuck with jobs all the time for which they have not been fully trained. For myself, I'm an engineer who was asked to 'setup your own lab'. I'm not an IT type, I'm an electrical engineer specializing in circuit design. Yet, I've been handed the job of configuring 40 linux servers, DNS, DHCP, Cisco switches, multiple VLANs, and so forth simply because 'there's no one else to do it and no one is hiring anyone'. Sure, my company might be cheap for not providing IT services for my lab, but they're on a budget and extra employees are expensive. Only when the expense of having me configure my own DHCP services exceeds the expense of hiring someone to do it for me will they consider hiring someone external. And only then if they know the new hire will be used elsewhere.

So guess what? This guy's question is exactly the kind of information I can use to help me overcome my own problems. Ask Slashdot seems to be doing its job quite nicely in this respect.

Re:Nice answer Slashdotters. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28368015)

" I'm an electrical engineer specializing in circuit design. Sure, my company might be cheap for not providing IT services for my lab, but they're on a budget and extra employees are expensive. Only when the expense of having me configure my own DHCP services exceeds the expense of hiring someone to do it for me will they consider hiring someone external."

So, how is it that having an electrical engineer working outside his core competencies, which most probably are central to his business area, is cheaper than hiring somebody that will do it faster and better or, at least, won't be but a lower grade?

"Surely my company might be cheap" you say... I say "surely, your company seems to be seriously mismanaged".

Re:Nice answer Slashdotters. (0)

Anonymous Coward | more than 4 years ago | (#28368243)

Anyone care to let this guy know the real state of the world? How many of us have been tasked with jobs we weren't hired for due to time and budget pressures? How many managers out there find they have the financial freedom to hire anyone they want, whenever they find a need?

Re:Nice answer Slashdotters. (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#28368439)

Actually it's not a fucking linux/unix or DHCP forum. The tools that you need are available but THIS AIN'T NEWS FOR NERDS? FUCKING A! This is the easiest fucking thing in the world to do if you can read a FUCKING MAN PAGE!

Failsauce. Was: Re:Nice answer Slashdotters. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28370493)

It still is getting quite tiring to see /. questions mistaking this for a general helpdesk. It's not newsworthy. It's not pushing any limits. All the information is freely available. There's newsgroups and discussion groups all over about this. Spend a day or two reading those archives and you have a wide range of views including at least a few opinions from dyed in the wool real experts with decades of experience.

AIUI, /. is about new stuff. Not about the boring old stuff you can find very well elsewhere, TYVM. Increasingly it's being abused as a substitute for RingTFM. That is bad.

How would you react if you saw the Nth question about basic circuit design, like, oh, ``what's the best way to start using gate logic?'' -- Many readers may be not primarily IT people but that still doesn't mean we have to dull the cutting news edge here.

Re:Nice answer Slashdotters. (0)

Anonymous Coward | more than 4 years ago | (#28376463)

Sorry late, I don't really have time for this, because I own a small business, where I spend many many hours, most of which I don't get paid for. Among the many things I don't get paid for is answering questions for free from people who work at companies with piles of money.

Oh yes, you think you are having hard times.

OK, the next time you scorn someone you don't know because he doesn't want to answer your question for free, consider the possibility that he has it 10 times harder than you, so what you are really asking is to take from the poor to give to the rich.

Re:Nice answer Slashdotters. (1)

pfleming (683342) | more than 4 years ago | (#28380567)

Wow. If you don't really have time to answer the question (even if you have the expertise) why the hell are you spending time on /. posting about how you have no time?

Re:Nice answer Slashdotters. (0)

evanism (600676) | more than 4 years ago | (#28367893)

So I guess I wouldn't be hiring you then? As a multi-time CTO I know your type: vapid, vain and egotistical. Mate, change your attitude, as you'll be the first out the door when the boss needs to draw up "the list".

Re:Nice answer Slashdotters. (0)

Anonymous Coward | more than 4 years ago | (#28367371)

First of all - read the previous comments. They have, quite effectively, eloquently and concisely answered the question posed.

Second and perhaps most pertinently - This is a community of people who have just helped some random stranger set up a system that will generate some random company money. Free advice that works, and the only cost is a little cynicism. Is that pill really so bitter?

Recognition of your own shortcomings is also a lot different than asking a question that you should be able to answer yourself if you are employed to do so. ... we all seem to manage it... and by "we", I mean everyone who has a qualification that's worth a damn or even an interest in the subject matter deep enough to be self-educated to the same level.

Re:Nice answer Slashdotters. (1)

spiffydudex (1458363) | more than 4 years ago | (#28367625)

Well said. The comments posted above are very helpful. I myself have been learning Cisco equipment and find the replies very interesting. Remember everyone has to start at the bottom. Just because you know more, don't be a pompous ass; help the guy learn.

Re:Nice answer Slashdotters. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#28367665)

Shut the fuck up. The question was answered. That's all that's important. Fucking bitch.

Re:Nice answer Slashdotters. (1)

fluffy99 (870997) | more than 4 years ago | (#28370633)

I've got no problem with the guy trying to get up to speed. I have respect for someone who admits a shortcoming and works at fixing it. Slashdot is hardly a great place to do it though. He should go to his boss and admit that he's in over his head and needs to either get some training/credentials or get a decent consult with an expert. The money or resources spent on the education or quality advice will pay off down the road when they avoid a major security incident.

Re:Nice answer Slashdotters. (1)

ET Admin (1579083) | more than 4 years ago | (#28372993)

We do have a paid consultant working with me on this. He is doing his job, of teaching me, very well. When I asked him this question, his response was, "personal preference". And so it is that preference that I am searching for.

I'll echo everybody else.... (1)

sysgeek01 (866290) | more than 4 years ago | (#28367345)

Don't use your Cisco gear to manage DHCP. It's better utilized doing its primary function of routing and switching. Set up a Linux box to do DHCP. Set up multiple subnets and use the "ip helper-address" command on the interfaces of your Cisco routers to forward the DHCP requests to your Linux DHCP server. It's simple to do. Once upon a time I set up a 5000k node network doing that very same thing.

VMs on win2k3 machines (0)

Anonymous Coward | more than 4 years ago | (#28367365)

While we are here... I really hope you are not using something like "vmware server" - you know ESXi is free now, right, and will give you a lot more performance for your VMs than vmware server, which isn't really meant for production use...

Re:VMs on win2k3 machines (2, Interesting)

mysidia (191772) | more than 4 years ago | (#28367605)

Hey, wait, VMware server's still an option for production servers. Several years ago, it was a commercial product called VMware GSX server.

"Small wireless ISP" doesn't exactly strike me as the type of user, who would be deploying an Oracle RAC cluster with a load of 10k transactions per second, and an Exchange 2007 server with 5000 mailboxes, processing 10 messages per second.

GSX was the version for production servers in a small environment. ESX was the high-end uber-expensive version for running massive numbers of servers on a dedicated host in a large environment.

Server hardware in common use has gotten a lot better, much more powerful, since then. And VMware Server is no worse than GSX.

If your workload is suitable for that type of virtualization, GSX should be okay.

Yeah, ESX is a lot better, can handle many more VMs, and can virtualize many high-end workloads effectively that weren't even VM-suitable under GSX/VMware server.

ESXi is less mature, and probably not as suitable as ESX.

Re:VMs on win2k3 machines (0)

Anonymous Coward | more than 4 years ago | (#28368083)

ESXi is less mature, and probably not as suitable as ESX.

Ummm, no. ESXi is the same code as the flagship ESX. They just removed some of the high-end features, and give ESXi away for free (as in beer).

ESXi is far more robust, solid, stable and faster than VMware server/VMware GSX.

Re:VMs on win2k3 machines (0)

Anonymous Coward | more than 4 years ago | (#28368153)

I will disagree with your views on ESXi. My company uses ESX 3.x for about 140 VMs. We are currently looking at ESX 4 w/1000V switches.
ESXi is a great platform if you don't need some of the cool "Enterprise" features or want to drop some boxes out in a DMZ.

Re:VMs on win2k3 machines (0)

Anonymous Coward | more than 4 years ago | (#28368701)

For whatever it's worth, my company's got roughly 4,000 VMs running under VMware Server on Server 2003 and are aiming to ultimately peak at 15,000 or so. VMware is the most solid part of the entire solution. There has been nothing we could point at and say it was a problem in VMware (unlike Server 2003.)

Of course, that's only 2 VMs per box, distributed across many branch offices.

We're always looking at ESXi but there are things it doesn't do that we need (such as support actually using the hardware in the box like sound, VGA, keyboard and mouse.) You have to use a remote client to get a Windows GUI up and that just isn't suitable for us.

Re:VMs on win2k3 machines (1)

Techman83 (949264) | more than 4 years ago | (#28368765)

ESXi might be less mature, but it's free! Works pretty flawlessly and it's so damn similar to ESX it's not funny. Major differences are you can't tie a VM to a serial port and no real *nix console (there is a console, but it's f'ing limited) all CLI stuff is replaced with the Remote CLI, which I hear is pretty powerful, but I've not had the need to use it yet.

Re:VMs on win2k3 machines (1)

mysidia (191772) | more than 4 years ago | (#28382649)

My opinion of ESXi is it's great, but you really need VMotion with it, because (among other things) ESXi seems more prone to instability of the management interface, mainly because it has fewer allocated resources.

Well, I've seen the ESXi "thin management interface" running out of memory, such that the VI client could barely connect, and such; it's not fun, and requires a reboot of the machine, since there's no proper console to SSH in on. I've had unique instability issues with ESXi. And I've also been hit by PSOD (Pink Screens of Death) in ESXi, but not when testing ESX.

ESXi doesn't provide a supported remote management solution other than the graphical VI client. I realize there's a hack that lets you get access to a busybox shell, but VMware may close this at any time, in a later critical fix, i.e. it's not something to rely upon.

You can't really buy support from VMware and use it, they'll blame your problems on you using an unsupported hack.

The remote management API and the Remote CLI's access is restricted to read-only operations, unless you buy at least a Foundation level license.

i.e. It's free to use the remote CLI in read-only mode, but as soon as you want to do something like clone a VMDK file, or power on a VM, the free version doesn't allow it.

The secret is VMware accidentally "enabled full write access" in ESXi 3.5 Update 3. (But they realized their mistake and made it read-only again, re-imposed the restrictions in the next version)

There are some other bugs in update 3, mainly security bugs, and issues that affect iSCSI and SAN users.

But if you utilize direct attached storage, and only run trusted code in your VMs, installing the old version of ESXi and using 3.5 may be an option, for having at least some minimal amount of proper remote management and scriptability.

Re:VMs on win2k3 machines (1)

Techman83 (949264) | more than 4 years ago | (#28383735)

Thanks, I hadn't run into a lot of those. Good to know! Great for a home dev environment though. Before I moved house, my box had been running nearly a year straight. Uptime not so great at the moment, long power failure and I've done a few upgrades!

WISP via radius and Mikrotik routers. (0)

Anonymous Coward | more than 4 years ago | (#28367381)

We have deployed an Aradial RADIUS server and Mikrotik router boxes at each wireless site. PPPoE is our authentication method; this allows a single bandwidth limiting on/off point at the RADIUS server. DHCP is done at each Mikrotik router and hands out local IPs. No PPPoE setup means the customer will get pointed direct to our login page. This means we run a NAT at each tower.

For people using VPN we run 1-1 NAT with a static IP at the customer site, their wireless endpoint in bridge mode.

Seriously, look into Mikrotik/Aradial based WISP gear. I don't know how I lived without it before. Granted, we transitioned from having all our wireless endpoints configured via static IP rather than DHCP.

why against running it on the cisco gear? (0)

Anonymous Coward | more than 4 years ago | (#28367621)

Why is everyone against letting the Cisco gear handle the DHCP?

Re:why against running it on the cisco gear? (1)

Foxxxy (217437) | more than 4 years ago | (#28368721)

For 100-500 leases, I would set it up on the Cisco boxes.... It also ensures the zero-cost approach, which always makes management happy.

Re:why against running it on the cisco gear? (1)

vitroth (554381) | more than 4 years ago | (#28369147)

Issues I can think of offhand:
  • Lack of redundancy. With two redundant routers you can't trivially share the same DHCP range across both without problems. ISC dhcpd has a failover protocol where two redundant servers communicate with each other when they assign a lease.
  • Too simplistic. You don't get as much control over the options and settings you can assign via DHCP with the Cisco router DHCP implementation. For example, I don't know of a way to do vendor-space DHCP options. If you're dealing with a trivial config, that's no big deal.
  • Logging, control, state. You can't get much information out of the router easily in terms of what requests it's seeing and responding to. And to make things worse, all the DHCP client state is stored entirely in memory; if the router reboots it will forget all the leases it already assigned, and may try to re-assign those same addresses to new clients.

There are more, depending on the exact setup you're deploying and the level of complexity. (DHCP Option 82 for example)
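
The lease-state point above is also what makes ISC dhcpd useful after an incident: its leases file is an on-disk journal, so "which MAC held 10.1.101.50 at 14:35 UTC?" can still be answered after a reboot. Added example (not code from any poster): a standard-library Python reader for that journal. The sample journal embedded in it is constructed; the file format itself (weekday, UTC date and time, later records superseding earlier ones for the same lease, `ends` rewritten on release) is ISC's.

```python
"""Read an ISC dhcpd.leases journal and answer 'who held this address at time T?'.
The file is append-only: a later record for the same (ip, starts) supersedes an
earlier one, and a DHCPRELEASE is recorded by rewriting the lease with 'ends'
moved to the release time.  The sample below is constructed, not a real file."""
import re
from datetime import datetime, timezone

UTC = timezone.utc
NEVER = datetime.max.replace(tzinfo=UTC)

SAMPLE_LEASES = """\
lease 10.1.101.50 {
  starts 3 2009/06/17 14:02:11;
  ends 3 2009/06/17 15:02:11;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-a";
}
lease 10.1.101.50 {
  starts 3 2009/06/17 14:02:11;
  ends 3 2009/06/17 14:40:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-a";
}
lease 10.1.101.50 {
  starts 3 2009/06/17 16:00:00;
  ends 3 2009/06/17 17:00:00;
  binding state active;
  hardware ethernet 00:aa:bb:cc:dd:ee;
  client-hostname "cpe-7";
}
"""


def at_utc(stamp):
    """'2009/06/17 14:35:00' -> aware UTC datetime (dhcpd writes every time in UTC)."""
    return datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S").replace(tzinfo=UTC)


def _when(val):
    """Value of a 'starts'/'ends' line: 'never' or '<weekday> <date> <time>'."""
    if val == "never":
        return NEVER
    _weekday, date, clock = val.split()
    return at_utc(f"{date} {clock}")


def parse_leases(text):
    """Return lease records; later journal entries replace earlier ones for the same lease."""
    records, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # dhcpd writes '#' comments in the journal
        if not line:
            continue
        m = re.match(r"lease\s+(\S+)\s*\{$", line)
        if m:
            cur = {"ip": m.group(1), "starts": None, "ends": NEVER,
                   "state": "active", "mac": None, "hostname": None}
            continue
        if line == "}" and cur is not None:
            records[(cur["ip"], cur["starts"])] = cur   # overwrite keeps the newest version
            cur = None
            continue
        if cur is None:
            continue
        key, _, val = line.rstrip(";").partition(" ")
        if key in ("starts", "ends"):
            cur[key] = _when(val)
        elif key == "binding" and val.startswith("state "):
            cur["state"] = val.split()[1]
        elif key == "hardware":                     # 'hardware ethernet <mac>'
            cur["mac"] = val.split()[-1].lower()
        elif key == "client-hostname":
            cur["hostname"] = val.strip('"')
    return list(records.values())


def who_held(records, ip, at):
    """Record whose [starts, ends) interval covers 'at', or None if the address was free then."""
    hits = [r for r in records
            if r["ip"] == ip and r["starts"] is not None and r["starts"] <= at < r["ends"]]
    return max(hits, key=lambda r: r["starts"]) if hits else None


def addresses_for(records, mac):
    """Every (ip, starts, ends) a MAC has held, oldest first; useful when chasing one client."""
    mac = mac.lower()
    return sorted(((r["ip"], r["starts"], r["ends"]) for r in records if r["mac"] == mac),
                  key=lambda t: t[1])


if __name__ == "__main__":
    recs = parse_leases(SAMPLE_LEASES)
    print(who_held(recs, "10.1.101.50", at_utc("2009/06/17 14:35:00")))
    print(who_held(recs, "10.1.101.50", at_utc("2009/06/17 14:50:00")))
```

Point it at `/var/lib/dhcp3/dhcpd.leases` (the Debian path for dhcpd 3.x) instead of the embedded sample to use it for real; on a failover pair both servers journal the same leases, so either copy will do.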

Re:why against running it on the cisco gear? (1)

ET Admin (1579083) | more than 4 years ago | (#28373043)

Logging is the main reason I like our current dhcpd setup. I tried the DHCP debugs on the Cisco gear and didn't get much.

Some VLAN's globally??? (1, Informative)

cdogg4ya (198266) | more than 4 years ago | (#28368155)

I don't know enough about your environment, but hopefully you know that that isn't a possibility across layer 3 devices (and when I say VLANs, I assume that you are talking about an IP segment and not just a VLAN number). That said, the "ip dhcp helper" or DHCP relay, I think, is what you are looking for. This way you can have one DHCP server serving numerous VLANs or L3 IP segments. If you have more specific questions, feel free to reach out to me.

Carl Fugate
BLOG: www.iprouteradmin.com
Router Lab: www.onlinerouterlab.com

Re:Some VLAN's globally??? (1)

ET Admin (1579083) | more than 4 years ago | (#28368847)

Our 3550s are conf'd to "ip route" and most of our NATed, private-IP customers will be on these layer 3 VLANs, which are separated by location (per tower). But we offer a public IP for customers, who can be anywhere on our network, and their traffic will be on a separate layer 2 VLAN that is configured globally through our network. The key to this is that we are injecting the 802.1Q tag at each customer's wireless subscriber module, and that tag defines which VLAN they are on.

Re:Some VLAN's globally??? (2, Funny)

fluffy99 (870997) | more than 4 years ago | (#28370577)

I get the strong impression you might be in way over your head with less than 3 years' experience. You're asking about implementing technologies which you don't fully understand yet. The risk here is that you might get a solution that works, but it will be horribly insecure.

VLANs are layer 2. Subnetting is at layer three and normally coincides with the layer 2 VLANs you create (but not always). While you can have VLANs spread across large regions, you defeat most of the benefits of using a VLAN, such as limiting broadcast domains, and introduce some latency and timing issues. Cisco will tell you to keep the number of hops as small as possible. Adding 250 ms RTT between peers is an issue. Cisco has also had issues where VLANs were not hard boundaries and you could get traffic to jump VLAN boundaries by faking the 802.1Q tags.

I think I understand what you're trying to accomplish: a public IP that can move around a larger region and between wireless towers at will. I think a far better solution is along the lines of a secure VPN. That avoids a whole slew of security and performance issues associated with VLANs and wireless. What's stopping a malicious person from coming up with a wireless subscriber module (what exactly is that, btw?) that adds whatever VLAN tag they want and getting access to any subnet at will?

I also recommend using dhcp-helper and a handful of Linux DHCP servers. That puts all the configuration in a central Linux box and you don't have to muck with all the switches and routers for every little change.
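
Several posts in this thread lean on the same mechanism: the relay (`ip helper-address` on a Cisco SVI) fills in `giaddr`, the server picks the subnet from that, and Option 82 lets the relay tell the server which port and VLAN the request came in on. That last part is also the honest answer to the "what stops someone tagging themselves into any VLAN" question above: the server cannot trust a client's tag, but it can trust what a relay on a trusted port stamps onto the packet, provided the switch drops client-supplied Option 82 on untrusted ports (which is what DHCP snooping does). Added example (not code from any poster): a standard-library Python simulation of that exchange, client, relay and server side. Every address, VLAN name and circuit-id in it is made up.

```python
"""Simulate DHCP relay + Option 82: client DISCOVER -> relay -> server pool selection.
Standard library only.  All addresses, VLAN names and circuit-ids are constructed."""
import ipaddress
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_HDR)        # 236 bytes precede the options field
MAGIC = b"\x63\x82\x53\x63"                    # DHCP magic cookie (RFC 2131)
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
DISCOVER = b"\x01"
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2           # Option 82 sub-options (RFC 3046)
MAX_HOPS = 16                                  # RFC 1542: a relay drops anything hopped this far


def build(op, hops, xid, giaddr, chaddr, opts):
    """Serialise a BOOTP/DHCP message; opts is an insertion-ordered {code: raw bytes}."""
    zero = b"\0" * 4
    hdr = struct.pack(BOOTP_HDR, op, 1, 6, hops, xid, 0, 0x8000, zero, zero, zero,
                      giaddr, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytearray(MAGIC)
    for code, val in opts.items():
        body += bytes([code, len(val)]) + val
    body.append(OPT_END)
    return hdr + bytes(body)


def parse(pkt):
    """Split a message into (fixed header tuple, {code: bytes} options)."""
    hdr = struct.unpack(BOOTP_HDR, pkt[:BOOTP_LEN])
    body = pkt[BOOTP_LEN:]
    if body[:4] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 4
    while i < len(body) and body[i] != OPT_END:
        if body[i] == 0:                       # pad byte
            i += 1
            continue
        code, ln = body[i], body[i + 1]
        opts[code] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return hdr, opts


def parse_tlv(raw):
    """Decode Option 82's sub-option TLVs."""
    out, i = {}, 0
    while i + 1 < len(raw):
        code, ln = raw[i], raw[i + 1]
        out[code] = raw[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


def client_discover(mac, xid):
    """A plain broadcast DISCOVER: giaddr zero, no relay information."""
    return build(1, 0, xid, b"\0" * 4, mac, {OPT_MSG_TYPE: DISCOVER})


def relay(pkt, relay_ip, circuit_id, remote_id):
    """What the SVI carrying 'ip helper-address' does before unicasting to the server.
    Returns None when the packet must be dropped instead of forwarded."""
    hdr, opts = parse(pkt)
    op, _htype, hlen, hops, xid = hdr[:5]
    giaddr, chaddr = hdr[10], hdr[11][:hlen]
    if OPT_RELAY_AGENT in opts:
        # Option 82 already present on a client-facing (untrusted) port means the client
        # forged it; DHCP snooping drops such packets rather than relaying them.
        return None
    if hops >= MAX_HOPS:
        return None
    if giaddr == b"\0" * 4:                    # first relay stamps its own interface address
        giaddr = ipaddress.IPv4Address(relay_ip).packed
    opts[OPT_RELAY_AGENT] = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
                             + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return build(op, hops + 1, xid, giaddr, chaddr, opts)


def server_select(pkt, pools):
    """Choose the pool from giaddr, as ISC dhcpd chooses the subnet for a relayed request.
    pools: {"cidr": (first, last)}.  Returns the choice plus the fields worth logging."""
    hdr, opts = parse(pkt)
    giaddr = ipaddress.IPv4Address(hdr[10])
    if int(giaddr) == 0:
        return None                            # not relayed: served from the server's own link
    agent = parse_tlv(opts.get(OPT_RELAY_AGENT, b""))
    for cidr, rng in pools.items():
        if giaddr in ipaddress.ip_network(cidr):
            return {"subnet": cidr, "range": rng,
                    "mac": hdr[11][:hdr[2]].hex(":"),
                    "circuit_id": agent.get(SUB_CIRCUIT_ID),
                    "remote_id": agent.get(SUB_REMOTE_ID)}
    return None


# Constructed per-tower VLAN subnets; each relay's SVI address falls inside its subnet.
POOLS = {
    "10.1.101.0/24": ("10.1.101.100", "10.1.101.200"),
    "10.1.102.0/24": ("10.1.102.100", "10.1.102.200"),
}

if __name__ == "__main__":
    d = client_discover(bytes.fromhex("001122334455"), 0x2A2A)
    print(server_select(relay(d, "10.1.101.1", b"Vlan101:Fa0/3", b"tower-west"), POOLS))
```

The server side never looks at a VLAN tag; it only sees `giaddr` and whatever the relay stamped, which is why the security of this design rests on the switch ports that face customers being untrusted for DHCP and the SVI doing the relaying being the only thing allowed to add Option 82.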

Re:Some VLAN's globally??? (1)

ET Admin (1579083) | more than 4 years ago | (#28373091)

We have a paid consultant guiding me through this (20 yrs exp). Just on this point his response was "personal preference". He is running similar set ups in much larger environments such as our local hospital where he has hundreds of vlans setup.

Re:Some VLAN's globally??? (0)

Anonymous Coward | more than 4 years ago | (#28379763)

If you want an IP to roam across towers (unless you have a strictly layer 2 network all the way to the tower), the answer is Mobile IP, although that is going to cost you much more than the cost of a DHCP server to implement.

Re:Some VLAN's globally??? (1)

donkeyoverlord (688535) | more than 4 years ago | (#28368879)

A VLAN is a layer 2 technology and can span across multiple switches. In Cisco IOS you can create a layer 3 interface to a VLAN.

IPAM Software-Open Source (0)

Anonymous Coward | more than 4 years ago | (#28368295)

Utah State University has developed open-source IP address management software that can tie in DNS and DHCP from different servers and databases. The front end is a GUI where it's easy to set up and register hosts or DHCP network allocations. Contact their IT department.

IPAM Software- Open Source (-1, Redundant)

Anonymous Coward | more than 4 years ago | (#28368355)

Utah State University has developed open-source IP address management software. It handles multiple backend DNS and DHCP servers/databases. The front end is a GUI where you can register hosts and set up DHCP network allocations. Contact their IT department.

Just use your existing gear (1)

acoustix (123925) | more than 4 years ago | (#28368467)

Using one or two of your Win2003 boxes, create multiple DHCP scopes for your multiple networks/subnets. Then just use the "ip helper-address" on your cisco gear to allow the DHCP requests to make it to your servers. Done. I do this at my company with 50+ VLANs.

Cost = $0.

CNR (1)

bugs2squash (1132591) | more than 4 years ago | (#28368503)

Cisco makes (or at least did make some time ago) a DHCP server (Cisco Network Registrar) based on Windows that does handle Option 82. So you do not have to run DHCP on IOS; you can relay back to a central server. I have even been able to "script" CNR by sending command-line commands to administer scopes (yes, thank god it has a command line). But in all honesty, it's far easier to automate the configuration of a standard Linux or *BSD dhcpd.

Re:CNR (0)

Anonymous Coward | more than 4 years ago | (#28369663)

CNR is one of the worst pieces of software on the face of the earth. Run away from it. Microwave any discs that contain it.

Support? (1)

gslavik (1015381) | more than 4 years ago | (#28368741)

I have to ask, who will be monitoring and supporting this architecture?

Re:Support? (1)

ET Admin (1579083) | more than 4 years ago | (#28368865)

Me! I have only been in this line of work for three years, and I have been sitting at the helm of someone else's network design for that period. Hence my thirst for knowledge.

Re:Support? (1)

gslavik (1015381) | more than 4 years ago | (#28368941)

I meant 24/7 type monitoring ... ie: some system bites the dust, etc.

Re:Support? (0)

Anonymous Coward | more than 4 years ago | (#28369657)

Him obviously. If he's only been in for three years, then he's the PFY to someone else's BOFH.

What does that mean? They don't let him out of the office and just feed him a diet of Cheetos and Jolt Cola, only allowing him to move to a 16 hour shift 6 days a week once the need for kidney dialysis and insulin kicks in. :D

Re:Support? (1)

ET Admin (1579083) | more than 4 years ago | (#28373171)

We have spare pieces in house. I have all configs backed up; I can paste a config and plug it in easily. Our servers also offer some redundancy. We have two 2003 server boxes running the VMs. The 2003 boxes are (going to be) fully isolated, with only the VMs exposed and providing the network services. We monitor everything with Cacti (SNMP), and a local college student is developing some nice plugins to map all of our hosts by GPS coords (look at the Cacti forums if this interests you).

Carnegie Mellon's NetReg (3, Informative)

vitroth (554381) | more than 4 years ago | (#28369091)

Carnegie Mellon's NetReg [cmu.edu] is an open source system that provides a pretty complete IP Address Management toolset, including management of DNS & DHCP configurations for ISC bind/dhcpd. It can manage ISC dhcpd's failover configuration, and multiple server groups, etc.

Rather than just repeating what I've said before when the subject of IP address management came up on Slashdot, I'll just link to it [slashdot.org].

Note: While the project has been pretty quiet for quite some time now, that's mostly because the system is very stable and there hasn't been a lot of major new development in the last couple of years. I used to be one of the core developers of the system before I moved on to another job, but it's still in active use by many sites.

pfSense (0)

Anonymous Coward | more than 4 years ago | (#28369199)

I use pfSense to serve DHCP on my home network, consisting of 6 VLANs (only 2 or 3 of which have DHCP enabled)... pfSense supports failover (not sure if it's using dhcpd3's failover or not).

Having looked into Windows, do *not* consider it... their "failover" approach requires either shared disks (SAN or iSCSI), or overlapping ranges (server1 gives .1-.127, server2 gives .128-.254... either will renew for the other so it "works").

Cluster DHCP with OpenBSD... Very easy and free! (0)

Anonymous Coward | more than 4 years ago | (#28372629)

Save all the wasted money on commercial products and use OpenBSD more. FOSS is your friend.

See the -y and -Y sections of the dhcpd man page for more information, and also the 'SYNCHRONISATION' section below that.

We've done similar and it works flawlessly, saving lots of money!

We also use a lot of the other OpenBSD goodies: OpenBGP, OpenNTP, OpenOSPF, OpenSMTP, spamd, CARP, PFSync, PF, clustered IPSec, etc.

debian config for vlan dhcp (0)

Anonymous Coward | more than 4 years ago | (#28373563)

Plug a linux box into a trunk port and configure it for vlans as described below. Works great.

cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface (the trunk; carries no address of its own)
allow-hotplug eth0
iface eth0 inet static
    mtu 1496

# One tagged sub-interface per VLAN, each riding on eth0
auto vlan101
iface vlan101 inet static
    mtu 1496
    vlan_raw_device eth0

auto vlan102
iface vlan102 inet static
    mtu 1496
    vlan_raw_device eth0

auto vlan103
iface vlan103 inet static
    mtu 1496
    vlan_raw_device eth0

cat /etc/dhcpd.conf
# Sample configuration file for ISC dhcpd for Debian
# $Id: dhcpd.conf,v 2002/07/10 03:50:33 peloy Exp $

# option definitions common to all supported networks...

option domain-name "mydomain.com";
option domain-name-servers,;
option netbios-name-servers,;
option ntp-servers;

default-lease-time 3600;
max-lease-time 7200;

# one subnet declaration per VLAN sub-interface above
subnet netmask {
    option routers;
}

subnet netmask {
    option routers;
}

subnet netmask {
    option routers;
}

www.infoblox.com (0)

Anonymous Coward | more than 4 years ago | (#28377149)

Disclaimer: I'm an Infoblox Systems Engineer.

Our company specializes in exactly this area. We provide an appliance (also as a VM on Cisco and Riverbed). We have 35 of the Fortune 100 and have been in business for 9 years. We have 150 programmers and 150 'other' people (including me). We provide IP address management, NTP, file access (mostly for VoIP phones), RADIUS, DNS & DHCP.

Check out our website then contact us if you'd like to learn more.

We have ISPs as accounts in addition to government and business.

OpenNetAdmin (1)

hornet136 (1421335) | more than 4 years ago | (#28426389)

I'll throw out my solution.

As many people here have suggested, the ISC DHCP server has no trouble with this and can handle many subnets and pool combinations from one or more servers. Then, with the combination of ip helper-address on Cisco platforms, you can control which server(s) handle the network. Throw DHCP failover into the mix and make it redundant.

To manage all this I'd suggest OpenNetAdmin [opennetadmin.com]. It is geared to manage your address space, as any IPAM would. It can also be instructed to manage multiple DHCP servers in whatever combination you need. Then those servers simply extract their specific configuration from the database. It should have no issue scaling to several hundred distributed DHCP servers if needed. It will all, however, be managed easily via the centralized web/CLI interface. OpenNetAdmin will also keep track of your VLAN information as well.

I would personally avoid running DHCP on the Cisco devices, but that's just me. :)

Hope that helps. Again, head to http://opennetadmin.com/ [opennetadmin.com] and see if that works for you!
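
The setup that post and several others converge on (ISC dhcpd behind `ip helper-address`, two servers in failover, a pool per VLAN) looks like the following dhcpd.conf. This is an added example, not any poster's configuration and not something OpenNetAdmin generates; every address, the peer name "wisp" and the class name are constructed. The `relayed` class is the one piece that speaks to the VLAN-tag worry raised earlier in the thread: it only hands out addresses from the network-wide public pool to requests that arrived through a relay that stamped Option 82. That is only worth anything if the switches insert Option 82 on the relay side and drop client-supplied copies on customer ports (DHCP snooping); the server by itself cannot tell a real circuit-id from a forged one.

```conf
# Added example (ISC dhcpd 3.x syntax), not a poster's config. Addresses are made up.
ddns-update-style none;
authoritative;
log-facility local7;           # keeps the DISCOVER/OFFER/REQUEST/ACK lines in their own log
default-lease-time 3600;
max-lease-time 7200;

# Primary side of the pair. On the secondary, replace the first three directives
# with:  secondary; address 10.0.0.11; peer address 10.0.0.10;
# and leave out mclt and split, which only the primary declares.
failover peer "wisp" {
  primary;
  address 10.0.0.10;
  peer address 10.0.0.11;
  port 647;
  peer port 647;
  max-response-delay 30;
  max-unacked-updates 10;
  load balance max seconds 3;
  mclt 1800;
  split 128;
}

# Requests that came through a relay which added Option 82 carry agent.circuit-id;
# a client talking to the server directly, or one that forged a tag, does not.
class "relayed" {
  match if exists agent.circuit-id;
}

# Per-tower NAT VLAN; 10.1.101.1 is the SVI that carries the ip helper-address.
subnet 10.1.101.0 netmask 255.255.255.0 {
  option routers 10.1.101.1;
  option domain-name-servers 10.0.0.53;
  pool {
    failover peer "wisp";
    deny dynamic bootp clients;   # required in every pool that uses failover
    range 10.1.101.100 10.1.101.200;
  }
}

subnet 10.1.102.0 netmask 255.255.255.0 {
  option routers 10.1.102.1;
  option domain-name-servers 10.0.0.53;
  pool {
    failover peer "wisp";
    deny dynamic bootp clients;
    range 10.1.102.100 10.1.102.200;
  }
}

# Network-wide public VLAN: served only to relayed clients.
subnet 198.51.100.0 netmask 255.255.255.0 {
  option routers 198.51.100.1;
  option domain-name-servers 10.0.0.53;
  pool {
    failover peer "wisp";
    deny dynamic bootp clients;
    allow members of "relayed";
    range 198.51.100.10 198.51.100.200;
  }
}
```

Run `dhcpd -t -cf /etc/dhcpd.conf` on both boxes before restarting; a failover peer whose config does not parse will leave the other server serving alone in communications-interrupted state, which works but silently halves your headroom.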
