Configuring Microsoft Windows Server 2016/2019 to provide DHCP services for VXLAN (DFA)

The purpose of this article is to simplify the configuration of DHCP services for VXLAN BGP EVPN and DFA fabrics using Microsoft Windows Server 2016/2019.

In the official documentation, a DHCP service for the fabric based on Microsoft Windows Server 2012 is configured as a SuperScope. The SuperScope contains a Loopback pool (the peculiarity of this pool is that all of its IP addresses are excluded from issuing, i.e. Exclusion IP address = Pool) and pools for issuing IP addresses to the real networks. The highlight here is that a policy is configured which filters on the DHCP Relay Circuit ID, and this DHCP Relay Circuit ID contains the VNI of the network, so for another pool the DHCP Relay Circuit ID will be slightly different.

To configure DHCP on Windows server. 

1. Create a super scope. Within the super scope, create scope B, S1, S2, S3, …, Sn for the subnet B and the subnets for each segment. 
2. In scope B,  specify the 'Exclusion Range' to be the entire address range (so that the offered address range must not be from this scope). 
3. For every segment scope Si, specify a policy that matches on Agent Circuit ID with value of '0108000600XXXXXX', where '0108000600' is a fixed value for all segments, the 6 numbers "XXXXXX" is the segment ID value in hexadecimal. Also ensure to check the Append wildcard(*) check box. 
4. Set the policy address range to the entire range of the scope.

This article contains answers to the following questions:


Introduction

This section briefly lists all the background information: the instructions for configuring the network equipment, the RFCs used in DHCP packets in eVPN fabrics, and the evolution of the DHCP server settings for Microsoft Windows Server 2012 in the Cisco documentation, provided for reference. It also gives a brief overview of Superscope and Policy in the DHCP service on Microsoft Windows Server.

How to configure DHCP Relay on a VXLAN BGP EVPN or DFA fabric

Configuring DHCP Relay on a VXLAN BGP EVPN fabric is not the main topic of this article, because it is quite simple. I provide links to the documentation and a spoiler with the settings on the network equipment.

Example of configuring DHCP Relay on Nexus 9000V v9.2(3)

service dhcp
ip dhcp relay
ip dhcp relay information option
ip dhcp relay information option vpn
interface loopback10
  vrf member VRF1
  ip address 10.120.0.1/32 tag 1234567
interface Vlan12
  no shutdown
  vrf member VRF1
  no ip redirects
  ip address 10.120.251.1/24 tag 1234567
  no ipv6 redirects
  fabric forwarding mode anycast-gateway
  ip dhcp relay address 10.0.0.5
  ip dhcp relay source-interface loopback10

RFCs implemented in the DHCP Relay service in a VXLAN BGP EVPN fabric

RFC#6607: Sub-option 151(0x97) - Virtual Subnet Selection

•	Sub-option 151(0x97) - Virtual Subnet Selection (Defined in RFC#6607)
Used to convey VRF related information to the DHCP server in an MPLS-VPN and VXLAN EVPN multi-tenant environment.

The "name" of the VRF in which the client resides is transmitted.

RFC#5107: Sub-option 11(0xb) - Server ID Override

•	Sub-option 11(0xb) - Server ID Override (Defined in RFC#5107.) 
The server identifier (server ID) override sub-option allows the DHCP relay agent to specify a new value for the server ID option, which is inserted by the DHCP server in the reply packet. This sub-option allows the DHCP relay agent to act as the actual DHCP server such that the renew requests will come to the relay agent rather than the DHCP server directly. The server ID override sub-option contains the incoming interface IP address, which is the IP address on the relay agent that is accessible from the client. Using this information, the DHCP client sends all renew and release request packets to the relay agent. The relay agent adds all of the appropriate sub-options and then forwards the renew and release request packets to the original DHCP server. For this function, Cisco’s proprietary implementation is sub-option 152(0x98). You can use the ip dhcp relay sub-option type cisco command to manage the function.

The option is used so that the client sends its lease-renewal requests to the IP address given in this option. (On Cisco VXLAN BGP EVPN this is the Anycast default gateway address for the client.)

RFC#3527: Sub-option 5(0x5) - Link Selection

Sub-option 5(0x5) - Link Selection (Defined in RFC#3527.) 

The link selection sub-option provides a mechanism to separate the subnet/link on which the DHCP client resides from the gateway address (giaddr), which can be used to communicate with the relay agent by the DHCP server. The relay agent will set the sub-option to the correct subscriber subnet and the DHCP server will use that value to assign an IP address rather than the giaddr value. The relay agent will set the giaddr to its own IP address so that DHCP messages are able to be forwarded over the network. For this function, Cisco’s proprietary implementation is sub-option 150(0x96). You can use the ip dhcp relay sub-option type cisco command to manage the function.

The address of the network for which the client requests an IP address.

Evolution of the Cisco documentation on configuring DHCP on Microsoft Windows Server 2012

I included this section because there is a positive trend on the vendor's side:

Nexus 9000 VXLAN Configuration Guide 7.3

The documentation shows only how to configure DHCP Relay on the network equipment.

A separate article was used to configure DHCP on Windows Server 2012:

Configuring Microsoft Windows Server 2012 to provide DHCP services in an eVPN scenario (VXLAN, Cisco One Fabric, etc.)

This article states that each network/VNI requires its own SuperScope and its own set of Loopback addresses:

If multiple DHCP Scopes are required for multiple subnets, you need to create one LoopbackX per subnet/vlan on all LEAFS and create a superscope with a loopbackX range scope and actual client IP subnet scope per vlan.

Nexus 9000 VXLAN Configuration Guide 9.3

The Windows Server 2012 settings were added to the documentation on configuring the network equipment. For all the pools in use, one SuperScope per data center is required, and this SuperScope is the boundary of the data center:

Create Superscope for all scopes you want to use for Option 82-based policies.
Note
The Superscope should combine all scopes and act as the administrative boundary.

Cisco Dynamic Fabric Automation

Everything is described briefly:

Let us assume the switch is using the address from subnet B (it can be the backbone subnet, management subnet, or any customer designated subnet for this purpose) to communicate with the Windows DHCP server. In DFA we have subnets S1, S2, S3, …, Sn for segment s1, s2, s3, …, sn. 

To configure DHCP on Windows server. 

1. Create a super scope. Within the super scope, create scope B, S1, S2, S3, …, Sn for the subnet B and the subnets for each segment. 
2. In scope B,  specify the 'Exclusion Range' to be the entire address range (so that the offered address range must not be from this scope). 
3. For every segment scope Si, specify a policy that matches on Agent Circuit ID with value of '0108000600XXXXXX', where '0108000600' is a fixed value for all segments, the 6 numbers "XXXXXX" is the segment ID value in hexadecimal. Also ensure to check the Append wildcard(*) check box. 
4. Set the policy address range to the entire range of the scope.

DHCP in Microsoft Windows Server (superscope & policy)

SuperScope

Superscope is an administrative feature of a DHCP server that can be used to group multiple scopes as a single administrative entity. Superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Scopes added to a superscope are called member scopes.

What a SuperScope is: a feature that lets you combine several pools of IP addresses into one administrative unit, in order to offer users on one physical network (in the same VLAN) IP addresses from several pools. If a request falls into a scope that is part of a SuperScope, the client can be given an address from another scope included in that SuperScope.

Policy

The DHCP Server role in Windows Server 2012 introduces a new feature that allows you to create IPv4 policies that specify custom IP address and option assignments for DHCP clients based on a set of conditions.

The policy based assignment (PBA) feature allows you to group DHCP clients by specific attributes based on fields contained in the DHCP client request packet. PBA enables targeted administration and greater control of the configuration parameters delivered to network devices with DHCP.

Policies let you assign IP addresses to users depending on the type of user or on a parameter. Cisco engineers use policies in Windows Server 2012 to filter by VNI (Virtual Network Identifier).

Main part

This section contains the results of the research: why it is not supported, how it works (the logic), what is new, and how the new functionality helps us.

Why is Microsoft Windows Server 2000/2003/2008 not supported?

Microsoft Windows Server 2008 and earlier versions do not process option 82, and the reply packet is sent back without option 82.

Win2k8 R2 DHCP issue with Option82

  1. The client request is sent to Broadcast (DHCP Discover).
  2. The equipment (Nexus) sends the packet to the DHCP server (DHCP Discover + Option 82).
  3. The DHCP server receives the packet, processes it and sends a reply, but without option 82. (DHCP Offer, without option 82)
  4. The equipment (Nexus) receives the packet from the DHCP server (DHCP Offer), but does not forward this packet to the end user.

Sniffer data on Windows Server 2008 and on the DHCP client

Windows Server 2008 receives the request from the network equipment. (Option 82 is in the list)

Windows Server 2008 sends the reply to the network equipment. (Option 82 is not listed as an option in the packet)

Client request: DHCP Discover is present and DHCP Offer is missing

Statistics on the network equipment:

NEXUS-9000V-SW-1# show ip dhcp relay statistics 
----------------------------------------------------------------------
Message Type             Rx              Tx           Drops  
----------------------------------------------------------------------
Discover                  8               8               0
Offer                     8               8               0
Request(*)                0               0               0
Ack                       0               0               0
Release(*)                0               0               0
Decline                   0               0               0
Inform(*)                 0               0               0
Nack                      0               0               0
----------------------------------------------------------------------
Total                    16              16               0
----------------------------------------------------------------------

DHCP L3 FWD:
Total Packets Received                           :         0
Total Packets Forwarded                          :         0
Total Packets Dropped                            :         0
Non DHCP:
Total Packets Received                           :         0
Total Packets Forwarded                          :         0
Total Packets Dropped                            :         0
DROP:
DHCP Relay not enabled                           :         0
Invalid DHCP message type                        :         0
Interface error                                  :         0
Tx failure towards server                        :         0
Tx failure towards client                        :         0
Unknown output interface                         :         0
Unknown vrf or interface for server              :         0
Max hops exceeded                                :         0
Option 82 validation failed                      :         0
Packet Malformed                                 :         0
Relay Trusted port not configured                :         0
DHCP Request dropped on MCT                      :         0
*  -  These counters will show correct value when switch 
receives DHCP request packet with destination ip as broadcast
address. If request is unicast it will be HW switched
NEXUS-9000V-SW-1#

Why is the configuration so complex on Microsoft Windows Server 2012?

Microsoft Windows Server 2012 does not yet support RFC#3527 (Option 82 Sub-option 5(0x5) - Link Selection).
But the Policy feature is already implemented.

How it works:

  • Microsoft Windows Server 2012 has one large pool (SuperScope) that contains the Loopback addresses and the pools for the real networks.
  • The choice of pool for issuing an IP address falls into the SuperScope, because the packet came from the DHCP Relay with a Loopback address that is included in the SuperScope.
  • Using a Policy, the request selects from the SuperScope the member scope whose VNI is contained in Option 82 Suboption 1 Agent Circuit ID. ("0108000600" + 24 bits of VNI + 24 bits whose meaning is unknown to me, but the sniffer shows the value 0 in this field.)
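
An added example, not code from the original article or from Cisco or Microsoft: the Python below decodes the Option 82 sub-options listed in the RFC section, extracts the VNI from the Agent Circuit ID layout described above, and flags a server reply that drops Option 82, as in the Windows Server 2008 case. The sample bytes are constructed, VNI 30012 is an assumed value, the addresses come from the Nexus example, and all function names are hypothetical.

```python
import ipaddress

# Fixed Agent Circuit ID prefix quoted in the article; the 24-bit VNI follows it.
CIRCUIT_ID_PREFIX = bytes.fromhex("0108000600")
IPV4_SUBOPTIONS = {5: "link_selection", 11: "server_id_override",
                   150: "cisco_link_selection", 152: "cisco_server_id_override"}

def walk_tlv(data: bytes, pad_end: bool) -> dict:
    """Split code/length/value records; pad (0) and end (255) exist only at option level."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if pad_end and code == 0:
            i += 1
            continue
        if pad_end and code == 255:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated record for code {code} at offset {i}")
        length = data[i + 1]
        out[code] = out.get(code, b"") + data[i + 2:i + 2 + length]
        i += 2 + length
    return out

def decode_option82(opt82: bytes) -> dict:
    """Decode the relay agent sub-options discussed in the article."""
    info = {}
    for code, value in walk_tlv(opt82, pad_end=False).items():
        if code in IPV4_SUBOPTIONS and len(value) == 4:
            info[IPV4_SUBOPTIONS[code]] = str(ipaddress.IPv4Address(value))
        elif code == 1:
            info["circuit_id"] = value.hex()
            if value.startswith(CIRCUIT_ID_PREFIX) and len(value) >= 8:
                info["vni"] = int.from_bytes(value[5:8], "big")
        elif code == 151:
            # RFC 6607: a first octet of 0 means an ASCII VPN identifier (the VRF name).
            info["vrf"] = value[1:].decode("ascii") if value[:1] == b"\x00" else value.hex()
    return info

def option82_echo_problem(request_options: bytes, reply_options: bytes):
    """Describe the problem if a server reply does not return the relay's Option 82."""
    req = walk_tlv(request_options, pad_end=True)
    rep = walk_tlv(reply_options, pad_end=True)
    if 82 not in req:
        return None
    if 82 not in rep:
        return "reply has no Option 82 (the Windows Server 2008 behaviour described above)"
    if rep[82] != req[82]:
        return "reply carries a modified Option 82"
    return None

def tlv(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

# Constructed sample, not a capture: assumed VNI 30012, VRF1/Vlan12 values from the Nexus example.
SAMPLE_OPT82 = (tlv(1, CIRCUIT_ID_PREFIX + (30012).to_bytes(3, "big") + bytes(3))
                + tlv(5, ipaddress.IPv4Address("10.120.251.0").packed)
                + tlv(11, ipaddress.IPv4Address("10.120.251.1").packed)
                + tlv(151, b"\x00VRF1"))
DISCOVER = tlv(53, b"\x01") + tlv(82, SAMPLE_OPT82) + b"\xff"
OFFER_WITHOUT_82 = tlv(53, b"\x02") + tlv(54, ipaddress.IPv4Address("10.0.0.5").packed) + b"\xff"
OFFER_WITH_ECHO = tlv(53, b"\x02") + tlv(82, SAMPLE_OPT82) + b"\xff"

if __name__ == "__main__":
    print(decode_option82(SAMPLE_OPT82))
    print(option82_echo_problem(DISCOVER, OFFER_WITHOUT_82))
```
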

How is the configuration simplified in Microsoft Windows Server 2016/2019?

Microsoft Windows Server 2016 implements the RFC#3527 functionality. That is, Windows Server 2016 can determine the correct network from Option 82 Sub-option 5(0x5) - Link Selection.

Three questions arise immediately:

  • Can we do without the Superscope?
  • Can we do without the Policy and without converting the VNI to hexadecimal form?
  • Can we do without a Scope for the DHCP Relay source addresses?

Q. Can we do without the Superscope?
A. Yes, a scope can be created directly in the IPv4 area.
Q. Can we do without the Policy and without converting the VNI to hexadecimal form?
A. Yes, the network is selected based on Option 82 Suboption 0x5.
Q. Can we do without a Scope for the DHCP Relay source addresses?
A. No, we cannot, because Microsoft Windows Server 2016/2019 has protection against rogue DHCP requests. That is, all requests from addresses that are not in a pool of the DHCP server are considered rogue.

DHCP Subnet Selection Options

 Note
All relay agent IP addresses (GIADDR) must be part of an active DHCP scope IP address range. Any GIADDR outside of the DHCP scope IP address ranges is considered a rogue relay and Windows DHCP Server will not acknowledge DHCP client requests from those relay agents.

A special scope can be created to "authorize" relay agents. Create a scope with the GIADDR (or multiple if the GIADDR's are sequential IP addresses), exclude the GIADDR address(es) from distribution, and then activate the scope. This will authorize the relay agents while preventing the GIADDR addresses from being assigned.

That is, to configure a DHCP pool for a VXLAN BGP EVPN fabric on Microsoft Windows Server 2016/2019, you only need to:

  • Create a pool for the Relay source addresses.
  • Create a pool for the client networks.

What is not required (but can be configured, will work, and will not interfere with operation):

  • Create a Policy
  • Create a SuperScope
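
An added example, not part of the original article and not Microsoft's implementation: a simplified Python model of the rule in the quoted note, used to audit a planned scope layout before it is deployed. Scope names, ranges and the relay list are constructed (10.120.0.1 and the Vlan12 subnet come from the Nexus example); the model assumes a request is served from the active scope whose subnet contains the Link Selection value, or the GIADDR when that sub-option is absent.

```python
import ipaddress
from dataclasses import dataclass, field

ip = ipaddress.IPv4Address

@dataclass
class Scope:
    name: str
    subnet: str
    start: str
    end: str
    active: bool = True
    exclusions: list = field(default_factory=list)  # [(first, last), ...]

    def covers(self, addr: str) -> bool:
        return ip(self.start) <= ip(addr) <= ip(self.end)

    def leasable(self, addr: str) -> bool:
        excluded = any(ip(a) <= ip(addr) <= ip(b) for a, b in self.exclusions)
        return self.covers(addr) and not excluded

    def free_addresses(self) -> int:
        return sum(self.leasable(str(ip(n)))
                   for n in range(int(ip(self.start)), int(ip(self.end)) + 1))

def relay_authorized(scopes, giaddr: str) -> bool:
    """Rule from the quoted note: the GIADDR must fall inside an active scope's range."""
    return any(s.active and s.covers(giaddr) for s in scopes)

def select_scope(scopes, giaddr: str, link_selection: str = None):
    """Return the scope that would serve the request, or None for a rogue relay."""
    if not relay_authorized(scopes, giaddr):
        return None
    selector = ip(link_selection or giaddr)  # the RFC 3527 value wins over giaddr
    for s in scopes:
        if s.active and selector in ipaddress.ip_network(s.subnet):
            return s
    return None

def audit_relays(scopes, relays):
    """List relays that would be ignored, or whose own address could be handed out."""
    findings = []
    for giaddr in relays:
        if not relay_authorized(scopes, giaddr):
            findings.append((giaddr, "rogue relay: not in any active scope range"))
        elif any(s.active and s.leasable(giaddr) for s in scopes):
            findings.append((giaddr, "relay address can be leased: add an exclusion"))
    return findings

# Constructed plan: one fully excluded scope for relay sources, one client scope.
SCOPES = [
    Scope("Relay-Source", "10.120.0.0/24", "10.120.0.1", "10.120.0.254",
          exclusions=[("10.120.0.1", "10.120.0.254")]),
    Scope("VRF1-Vlan12", "10.120.251.0/24", "10.120.251.10", "10.120.251.250"),
]
RELAYS = ["10.120.0.1", "10.120.0.2", "10.121.0.1"]  # the last one is outside every scope

if __name__ == "__main__":
    print(select_scope(SCOPES, "10.120.0.1", "10.120.251.0").name)
    print(audit_relays(SCOPES, RELAYS))
```

Calling select_scope without a Link Selection value returns the fully excluded relay scope, which has no free addresses; that is the situation the Windows Server 2012 SuperScope and Policy setup works around.
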

For example, a DHCP server configuration (there are 2 real DHCP clients, connected to the VXLAN fabric):

Example of a user pool configuration:

Example of a user pool configuration (Policies is selected, to show that no policies are used for the pool to work correctly):

Example of a pool for the DHCP Relay source addresses (the range of addresses to be issued fully matches the exclusion from the address pool):

Configuring the DHCP service on Microsoft Windows Server 2019

Configuring a pool for the Loopback (source) addresses of the DHCP Relay.

Create a new pool (Scope) in the IPv4 area.

Scope creation wizard. "Next >"

Set the name and the description of the pool.

Set the IP address range for the Loopback addresses and the mask for the pool.

Add an exclusion. The exclusion range must exactly match the pool range.

Lease duration. "Next >"

Question: will you configure the DHCP options now (DNS, WINS, Gateway, Domain) or later? It is quicker to answer no and then activate the pool manually. Alternatively, go to the end without filling in any information and activate the pool at the end of the wizard.

Confirm that no options are configured and the pool is not activated. "Finish"

Activate the pool manually: select the Scope and, in the context menu, choose "Activate".

Creating a pool for users/services.

Create a new pool.

Scope creation wizard. "Next >"

Set the name and the description of the pool.

Set the IP address range for Loopback and the mask for the pool.

Add exclusions. (No exclusions are required by default) "Next >"

Lease duration. "Next >"

Question: will you configure the DHCP options now (DNS, WINS, Gateway, Domain) or later? Let's configure them now.

Set the default gateway address.

Set the domain and the DNS server addresses.

Set the IP addresses of the WINS servers.

Activate the scope.

The pool is configured. "Finish"

Conclusion

Using Windows Server 2016/2019 reduces the complexity of configuring a DHCP server for a VXLAN fabric (or any other fabric). (There is no need to pass specific pairings on to the IT specialists: Network/Agent Circuit ID for registering the filters.)

Will the Windows Server 2012 configuration work on the new 2016/2019 servers? Yes, it will.

This document contains references to 2 versions: 7.X and 9.3. This is because version 7.0(3)I7(7) is the Cisco recommended release, and version 9.3 is the most feature-rich (it even supports Multicast over VXLAN Multisite).

List of sources

  1. Nexus 9000 VXLAN Configuration Guide 7.x
  2. Nexus 9000 VXLAN Configuration Guide 9.3
  3. DFA (Cisco Dynamic Fabric Automation)
  4. Configuring Microsoft Windows Server 2012 to provide DHCP services in an eVPN scenario (VXLAN, Cisco One Fabric, etc.)
  5. 3.4 DHCP Superscopes
  6. Introduction to DHCP Policies
  7. Win2k8 R2 DHCP issue with Option82
  8. DHCP Subnet Selection Options

source: www.habr.com
