Configuring Microsoft Windows Server 2016/2019 to provide DHCP services for VXLAN (DFA)

The purpose of this article is to simplify the configuration of the DHCP service for VXLAN BGP EVPN and DFA fabrics using Microsoft Windows Server 2016/2019.

In the official documentation, the DHCP service for the fabric on Microsoft Windows Server 2012 is configured as a SuperScope containing a Loopback pool (the distinctive feature of this pool is that all of its IP addresses are excluded from issuance: exclusion range = pool) and pools that issue IP addresses for the real networks (the important point here is that a policy is configured that filters on the DHCP relay identifier; this identifier contains the VNI of the network, so for a different pool the identifier is slightly different).

To configure DHCP on Windows server. 

1. Create a super scope. Within the super scope, create scope B, S1, S2, S3, …, Sn for the subnet B and the subnets for each segment. 
2. In scope B, specify the 'Exclusion Range' to be the entire address range (so that the offered address range must not be from this scope). 
3. For every segment scope Si, specify a policy that matches on Agent Circuit ID with value of '0108000600XXXXXX', where '0108000600' is a fixed value for all segments, the 6 numbers "XXXXXX" is the segment ID value in hexadecimal. Also ensure to check the Append wildcard(*) check box. 
4. Set the policy address range to the entire range of the scope.

This article contains answers to the following questions:


Contents

Introduction

This section gives a short list of all the preliminary information: instructions for configuring the network equipment, the RFCs used in DHCP packets in EVPN fabrics, and, for reference, the evolution of the DHCP server settings for Microsoft Windows Server 2012 in the Cisco documentation. It also gives a brief overview of Superscopes and Policies in the DHCP service on Microsoft Windows servers.

How to configure DHCP Relay in a VXLAN BGP EVPN (DFA) fabric

Configuring DHCP Relay in a VXLAN BGP EVPN fabric is not the main topic of this article, because it is very simple. I provide links to the documentation and a spoiler with the network equipment configuration.

Example of DHCP relay configuration on Nexus 9000V v9.2(3)

service dhcp
ip dhcp relay
ip dhcp relay information option
ip dhcp relay information option vpn
interface loopback10
  vrf member VRF1
  ip address 10.120.0.1/32 tag 1234567
interface Vlan12
  no shutdown
  vrf member VRF1
  no ip redirects
  ip address 10.120.251.1/24 tag 1234567
  no ipv6 redirects
  fabric forwarding mode anycast-gateway
  ip dhcp relay address 10.0.0.5
  ip dhcp relay source-interface loopback10

RFCs implemented in the DHCP Relay service of VXLAN BGP EVPN fabrics

RFC 6607: Sub-option 151 (0x97) - Virtual Subnet Selection

•	Sub-option 151(0x97) - Virtual Subnet Selection (Defined in RFC#6607)
Used to convey VRF related information to the DHCP server in an MPLS-VPN and VXLAN EVPN multi-tenant environment.

The "name" of the VRF in which the client is located is transmitted.

RFC 5107: Sub-option 11 (0xb) - Server ID Override

•	Sub-option 11(0xb) - Server ID Override (Defined in RFC#5107.) 
The server identifier (server ID) override sub-option allows the DHCP relay agent to specify a new value for the server ID option, which is inserted by the DHCP server in the reply packet. This sub-option allows the DHCP relay agent to act as the actual DHCP server such that the renew requests will come to the relay agent rather than the DHCP server directly. The server ID override sub-option contains the incoming interface IP address, which is the IP address on the relay agent that is accessible from the client. Using this information, the DHCP client sends all renew and release request packets to the relay agent. The relay agent adds all of the appropriate sub-options and then forwards the renew and release request packets to the original DHCP server. For this function, Cisco’s proprietary implementation is sub-option 152(0x98). You can use the ip dhcp relay sub-option type cisco command to manage the function.

The option is used to make the client send its lease renewal request to the IP address carried in this option. (In Cisco VXLAN BGP EVPN the client's default gateway is an anycast address.)

RFC 3527: Sub-option 5 (0x5) - Link Selection

Sub-option 5(0x5) - Link Selection (Defined in RFC#3527.) 

The link selection sub-option provides a mechanism to separate the subnet/link on which the DHCP client resides from the gateway address (giaddr), which can be used to communicate with the relay agent by the DHCP server. The relay agent will set the sub-option to the correct subscriber subnet and the DHCP server will use that value to assign an IP address rather than the giaddr value. The relay agent will set the giaddr to its own IP address so that DHCP messages are able to be forwarded over the network. For this function, Cisco’s proprietary implementation is sub-option 150(0x96). You can use the ip dhcp relay sub-option type cisco command to manage the function.

The address of the network from which the client needs an IP address.

Evolution of the Cisco documentation on configuring DHCP on Microsoft Windows Server 2012

I included this section because there is a positive trend on the vendor's side:

Nexus 9000 VXLAN Configuration Guide 7.3

The documentation only shows how to configure DHCP Relay on the network equipment.

A separate article was used for configuring DHCP on Windows Server 2012:

Configuring Microsoft Windows Server 2012 to provide DHCP services in an EVPN scenario (VXLAN, Cisco One Fabric, etc.)

That article states that each network/VNI requires its own set of SuperScopes and its own set of Loopback addresses:

If multiple DHCP Scopes are required for multiple subnets, you need to create one LoopbackX per subnet/vlan on all LEAFS and create a superscope with a loopbackX range scope and actual client IP subnet scope per vlan.

Nexus 9000 VXLAN Configuration Guide 9.3

Windows Server 2012 settings were added to the network equipment configuration documentation. One SuperScope per data center is required for all the address pools in use, and this SuperScope is the boundary of the data center:

Create Superscope for all scopes you want to use for Option 82-based policies.
Note
The Superscope should combine all scopes and act as the administrative boundary.

Cisco Dynamic Fabric Automation

Everything is explained very briefly:

Let us assume the switch is using the address from subnet B (it can be the backbone subnet, management subnet, or any customer designated subnet for this purpose) to communicate with the Windows DHCP server. In DFA we have subnets S1, S2, S3, …, Sn for segment s1, s2, s3, …, sn. 

To configure DHCP on Windows server. 

1. Create a super scope. Within the super scope, create scope B, S1, S2, S3, …, Sn for the subnet B and the subnets for each segment. 
2. In scope B, specify the 'Exclusion Range' to be the entire address range (so that the offered address range must not be from this scope). 
3. For every segment scope Si, specify a policy that matches on Agent Circuit ID with value of '0108000600XXXXXX', where '0108000600' is a fixed value for all segments, the 6 numbers "XXXXXX" is the segment ID value in hexadecimal. Also ensure to check the Append wildcard(*) check box. 
4. Set the policy address range to the entire range of the scope.

DHCP on Microsoft Windows Server (Superscope and Policy)

SuperScope

Superscope is an administrative feature of a DHCP server that can be used to group multiple scopes as a single administrative entity. Superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Scopes added to a superscope are called member scopes.

A SuperScope is functionality that allows several IP address pools to be combined into one administrative unit, so that IP addresses from several pools can be offered to clients on the same physical network (the same VLAN). If a request arrives for a range of addresses within a SuperScope, the client may be given an address from another Scope that belongs to that SuperScope.

Policy

The DHCP Server role in Windows Server 2012 introduces a new feature that allows you to create IPv4 policies that specify custom IP address and option assignments for DHCP clients based on a set of conditions.

The policy based assignment (PBA) feature allows you to group DHCP clients by specific attributes based on fields contained in the DHCP client request packet. PBA enables targeted administration and greater control of the configuration parameters delivered to network devices with DHCP.

Policies allow IP addresses to be assigned to clients depending on the client type or on a parameter. Cisco engineers use Policies on Windows Server 2012 to filter by VNI (Virtual Network Identifier).

Main part

This section contains the results of the investigation: why it is not supported, how it works (the logic), what is new, and how this new feature helps us.

Why are Microsoft Windows Server 2000/2003/2008 not supported?

Microsoft Windows Server 2008 and earlier versions do not process option 82, and the reply packet is sent without option 82.

Win2k8 R2 DHCP issue with Option 82

  1. The request from the client is sent as a broadcast (DHCP Discover).
  2. The equipment (Nexus) forwards the packet to the DHCP server (DHCP Discover + option 82).
  3. The DHCP server receives the packet, processes it and sends a reply, but without option 82 (DHCP Offer without option 82).
  4. The equipment (Nexus) receives the packet from the DHCP server (DHCP Offer), but does not forward this packet to the end client.

Sniffer data - Windows Server 2008 and the DHCP client

Windows Server 2008 receives the request from the network equipment (option 82 is present in the option list).

Windows Server 2008 sends the reply to the network equipment (option 82 is not present among the options in the packet).

Request from the client: the DHCP Discover is present and the DHCP Offer is absent.

Network equipment statistics:

NEXUS-9000V-SW-1# show ip dhcp relay statistics 
----------------------------------------------------------------------
Message Type             Rx              Tx           Drops  
----------------------------------------------------------------------
Discover                  8               8               0
Offer                     8               8               0
Request(*)                0               0               0
Ack                       0               0               0
Release(*)                0               0               0
Decline                   0               0               0
Inform(*)                 0               0               0
Nack                      0               0               0
----------------------------------------------------------------------
Total                    16              16               0
----------------------------------------------------------------------

DHCP L3 FWD:
Total Packets Received                           :         0
Total Packets Forwarded                          :         0
Total Packets Dropped                            :         0
Non DHCP:
Total Packets Received                           :         0
Total Packets Forwarded                          :         0
Total Packets Dropped                            :         0
DROP:
DHCP Relay not enabled                           :         0
Invalid DHCP message type                        :         0
Interface error                                  :         0
Tx failure towards server                        :         0
Tx failure towards client                        :         0
Unknown output interface                         :         0
Unknown vrf or interface for server              :         0
Max hops exceeded                                :         0
Option 82 validation failed                      :         0
Packet Malformed                                 :         0
Relay Trusted port not configured                :         0
DHCP Request dropped on MCT                      :         0
*  -  These counters will show correct value when switch 
receives DHCP request packet with destination ip as broadcast
address. If request is unicast it will be HW switched
NEXUS-9000V-SW-1#

Why is the configuration on Microsoft Windows Server 2012 so complicated?

Microsoft Windows Server 2012 does not yet support RFC 3527 (option 82 sub-option 5 (0x5) - Link Selection), but the Policy feature is already implemented.

How it works:

  • Microsoft Windows Server 2012 has a super pool (SuperScope) that contains the Loopback addresses and the pools for the real networks.
  • The choice of the pool for issuing an IP address falls on the SuperScope, because the packet arrived from the DHCP Relay with a Loopback source address that is part of the SuperScope.
  • Using a Policy, the request selects from the Superscope the member scope whose VNI is present in option 82 sub-option 1, Agent Circuit ID ("0108000600" + 24-bit VNI + 24 bits whose meaning is unknown to me, but the sniffer shows zeros in this field).

How is the configuration simplified on Microsoft Windows Server 2016/2019?

Microsoft Windows Server 2016 implements RFC 3527. That is, Windows Server 2016 can recognise the correct network from the option 82 sub-option 5 (0x5) - Link Selection attribute.

Three questions immediately arise:

  • Can we do without a Superscope?
  • Can we do without a Policy and without converting the VNI to hexadecimal?
  • Can we work without a Scope for the Loopback DHCP source addresses?

Q. Can we do without a Superscope?
A. Yes, the network can be created directly under the IPv4 node.
Q. Can we do without a Policy and without converting the VNI to hexadecimal?
A. Yes, the network selection is based on option 82 sub-option 0x5.
Q. Can we work without a Scope for the Loopback DHCP source addresses?
A. No, we cannot, because Microsoft Windows Server 2016/2019 is protected against rogue DHCP requests. That is, all requests coming from addresses that are not in the DHCP server's pools are treated as rogue.
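The two selection mechanisms described above, the Windows Server 2012 Agent Circuit ID policy and the Windows Server 2016/2019 link selection sub-option, as an added PowerShell example; it is not code from the article. The option 82 byte string, the VNI 30001 and the VNI-to-scope map are constructed for illustration.

```powershell
# Decode an option 82 (Relay Agent Information) value into its sub-options.
# Sub-option numbers follow the RFCs quoted above; the sample bytes are constructed.
function ConvertFrom-Option82 {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $names = @{ 1 = 'AgentCircuitId'; 5 = 'LinkSelection'
                11 = 'ServerIdOverride'; 151 = 'VirtualSubnetSelection' }
    $decoded = [ordered]@{}
    $i = 0
    while ($i + 1 -lt $Bytes.Length) {
        $code = [int]$Bytes[$i]
        $len  = [int]$Bytes[$i + 1]
        if ($i + 2 + $len -gt $Bytes.Length) { throw "Truncated sub-option $code" }
        [byte[]]$value = if ($len -gt 0) { $Bytes[($i + 2)..($i + 1 + $len)] } else { @() }
        # Raw hex keeps the code and length bytes, because the policy string in the
        # article ("0108000600...") starts with them.
        $raw = ($Bytes[$i..($i + 1 + $len)] | ForEach-Object { $_.ToString('x2') }) -join ''
        $text = switch ($code) {
            { ($_ -in @(5, 11)) -and $len -eq 4 } { [System.Net.IPAddress]::new($value).ToString() }
            { $_ -eq 151 -and $len -gt 1 }        { [System.Text.Encoding]::ASCII.GetString($value, 1, $len - 1) }
            default                               { $raw.Substring(4) }
        }
        $key = if ($names.ContainsKey($code)) { $names[$code] } else { "SubOption$code" }
        $decoded[$key] = [pscustomobject]@{ Code = $code; Raw = $raw; Value = $text }
        $i += 2 + $len
    }
    return $decoded
}

# Windows Server 2012: one policy per segment, matching Agent Circuit ID on the
# fixed prefix, the VNI as six hex digits and the appended wildcard.
function Get-CircuitIdPolicyValue {
    param([Parameter(Mandatory)][int]$Vni)
    return '0108000600{0:x6}*' -f $Vni
}

# Windows Server 2016/2019: no policy, the subnet is read from sub-option 5.
function Select-Subnet {
    param([Parameter(Mandatory)][byte[]]$Option82,
          [Parameter(Mandatory)][hashtable]$VniToSubnet)   # VNI -> scope, as a 2012 policy set
    $o = ConvertFrom-Option82 -Bytes $Option82
    $policyScope = $null
    foreach ($vni in $VniToSubnet.Keys) {
        if ($o.Contains('AgentCircuitId') -and $o['AgentCircuitId'].Raw -like (Get-CircuitIdPolicyValue -Vni $vni)) {
            $policyScope = $VniToSubnet[$vni]
        }
    }
    $link = if ($o.Contains('LinkSelection')) { $o['LinkSelection'].Value } else { $null }
    [pscustomobject]@{ Server2012PolicyScope = $policyScope; Server2016LinkSelection = $link }
}

# Constructed sample: circuit ID for VNI 30001 (0x007531), link selection
# 10.120.251.0 (the Vlan12 subnet of the relay configuration above), server ID
# override 10.120.251.1 (the anycast gateway) and VSS carrying the VRF name "VRF1".
$sample = [byte[]](0x01,0x08,0x00,0x06,0x00,0x00,0x75,0x31,0x00,0x00,
                   0x05,0x04,10,120,251,0,
                   0x0b,0x04,10,120,251,1,
                   0x97,0x05,0x00,0x56,0x52,0x46,0x31)
(ConvertFrom-Option82 -Bytes $sample).Values | Format-Table -AutoSize
Select-Subnet -Option82 $sample -VniToSubnet @{ 30001 = '10.120.251.0/24'; 30002 = '10.120.252.0/24' }
```

For the sample both paths land on the same network (10.120.251.0/24 by policy, 10.120.251.0 by link selection), which is exactly why the policy and the hexadecimal VNI are no longer needed on 2016/2019.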

DHCP Subnet Selection Options

Note
All relay agent IP addresses (GIADDR) must be part of an active DHCP scope IP address range. Any GIADDR outside of the DHCP scope IP address ranges is considered a rogue relay and Windows DHCP Server will not acknowledge DHCP client requests from those relay agents.

A special scope can be created to "authorize" relay agents. Create a scope with the GIADDR (or multiple if the GIADDR's are sequential IP addresses), exclude the GIADDR address(es) from distribution, and then activate the scope. This will authorize the relay agents while preventing the GIADDR addresses from being assigned.

So, to configure DHCP pools for a VXLAN BGP EVPN fabric on Microsoft Windows Server 2016/2019, you only need to:

  • Create a pool for the relay source addresses.
  • Create a pool for the client networks.

What is not needed (but can be configured, works, and does not interfere):

  • Create a Policy
  • Create a SuperScope

Example of a DHCP server setup (there are 2 real DHCP clients; the clients are connected to the VXLAN network)

Example of the client pool setup:

Example of the client pool setup (the Policies node is shown to prove that policies are not used for the pool to work correctly):

Example of the pool configuration for the source DHCP Relay addresses (the range of addresses for issuance matches the exclusion range exactly):

Configuring the DHCP service on Microsoft Windows Server 2019

Configuring the pool for the Loopback (source) addresses of the DHCP Relay.

We create a new pool (Scope) under the IPv4 node.

Scope creation wizard. "Next >"

Set the pool name and description.

Set the IP address range for the Loopbacks and the subnet mask for the pool.

Add exclusions. The exclusion range must match the pool range exactly.

Lease duration. "Next >"

Prompt: configure the DHCP options now (DNS, WINS, Gateway, Domain) or later. It is faster to answer No and then activate the pool manually, or to go through to the end without filling anything in and activate the pool at the end of the wizard.

We confirm that no options are configured and that the pool is not activated. "Finish"

We activate the pool manually: select the scope and choose "Activate" in the context menu.

We create a pool for users/servers.

We create a new pool.

Scope creation wizard. "Next >"

Set the pool name and description.

Set the IP address range and the subnet mask for the pool.

Add exclusions (by default no exclusions are needed). "Next >"

Lease duration. "Next >"

Prompt: configure the DHCP options now (DNS, WINS, Gateway, Domain) or later. Let's configure them now.

Set the default gateway address.

We configure the domain and the DNS server addresses.

Set the IP addresses of the WINS servers.

Activate the scope.

The pool is configured. "Finish"
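The same two pools as the wizard steps above, built with the DhcpServer module cmdlets; this is an added PowerShell example, not a script from the article. Assumed values: the relay loopbacks live in 10.120.0.0/24 (loopback10 in the relay configuration above is 10.120.0.1/32), the clients in 10.120.251.0/24 behind the anycast gateway 10.120.251.1; the DNS, WINS and domain values are placeholders.

```powershell
# Added example, not the article's script. Subnets are assumed from the relay
# configuration in this article; DNS, WINS and domain values are placeholders.
Import-Module DhcpServer
$LoopbackNet = '10.120.0.0'
$ClientNet   = '10.120.251.0'

# 1. Pool for the DHCP relay source (loopback) addresses. Its only job is to put
#    every GIADDR inside an active scope so the server does not treat the relay
#    as rogue; excluding the whole range (exclusion == scope range, as in the
#    wizard steps) guarantees that nothing is ever leased from it.
$relayScope = @{
    Name = 'VXLAN relay loopbacks'; Description = 'GIADDR authorisation only, no leases'
    StartRange = '10.120.0.1'; EndRange = '10.120.0.254'; SubnetMask = '255.255.255.0'; State = 'InActive'
}
Add-DhcpServerv4Scope @relayScope
Add-DhcpServerv4ExclusionRange -ScopeId $LoopbackNet -StartRange '10.120.0.1' -EndRange '10.120.0.254'
Set-DhcpServerv4Scope -ScopeId $LoopbackNet -State Active

# 2. Ordinary client pool: no SuperScope and no policy, because Windows Server
#    2016/2019 picks the scope from option 82 sub-option 5 (link selection).
$clientScope = @{
    Name = 'VXLAN VNI client subnet'; StartRange = '10.120.251.10'; EndRange = '10.120.251.250'
    SubnetMask = '255.255.255.0'; LeaseDuration = (New-TimeSpan -Days 8); State = 'Active'
}
Add-DhcpServerv4Scope @clientScope
Set-DhcpServerv4OptionValue -ScopeId $ClientNet -Router '10.120.251.1' `
    -DnsServer @('10.0.0.10', '10.0.0.11') -DnsDomain 'example.internal' -WinsServer @('10.0.0.12')

# 3. Check the property the whole design relies on: the relay pool must be active
#    and its single exclusion must cover the entire scope range.
$lb = Get-DhcpServerv4Scope -ScopeId $LoopbackNet
$ex = @(Get-DhcpServerv4ExclusionRange -ScopeId $LoopbackNet)
if ($lb.State -ne 'Active' -or $ex.Count -ne 1 -or
    "$($ex[0].StartRange)" -ne "$($lb.StartRange)" -or "$($ex[0].EndRange)" -ne "$($lb.EndRange)") {
    throw 'Relay loopback pool is not active or its exclusion does not cover the whole range'
}
Get-DhcpServerv4OptionValue -ScopeId $ClientNet -OptionId 3, 6, 15, 44   # router, DNS, domain, WINS
```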

Conclusion

Using Windows Server 2016/2019 reduces the complexity of configuring a DHCP server for VXLAN (or any other fabric). (There is no need to hand the IT specialists a special mapping of Network to Agent Circuit ID for registering the filters.)

Does the Windows Server 2012 configuration work on the new 2016/2019 servers? Yes, it does.

This document links to two versions: 7.x and 9.3. The reason is that version 7.0(3)I7(7) is the Cisco Suggested release, and version 9.3 is the most innovative (it even supports multicast over VXLAN Multisite).

List of sources

  1. Nexus 9000 VXLAN Configuration Guide 7.x
  2. Nexus 9000 VXLAN Configuration Guide 9.3
  3. DFA (Cisco Dynamic Fabric Automation)
  4. Configuring Microsoft Windows Server 2012 to provide DHCP services in an EVPN scenario (VXLAN, Cisco One Fabric, etc.)
  5. 3.4 DHCP Superscopes
  6. Introduction to DHCP Policies
  7. Win2k8 R2 DHCP issue with Option 82
  8. DHCP Subnet Selection Options

Source: www.habr.com
