Configuring Microsoft Windows Server 2016/2019 as the DHCP service for VXLAN (DFA)
The purpose of this article is to simplify the configuration of the DHCP service for VXLAN BGP EVPN and DFA fabrics using Microsoft Windows Server 2016/2019.
In the official documentation, the DHCP service for the fabric, based on Microsoft Windows Server 2012, is configured as a SuperScope that contains a Loopback pool (the peculiarity of this pool is that every IP address of the pool is excluded from distribution, i.e. excluded addresses = the whole pool) and pools that issue IP addresses for the real networks. The key point is the policy configuration: each policy filters on the DHCP relay Circuit ID, and this Circuit ID contains the VNI of the network, so for another pool the Circuit ID differs slightly.
To configure DHCP on Windows server.
1. Create a super scope. Within the super scope, create scope B, S1, S2, S3, …, Sn for the subnet B and the subnets for each segment.
2. In scope B, specify the 'Exclusion Range' to be the entire address range (so that the offered address range must not be from this scope).
3. For every segment scope Si, specify a policy that matches on Agent Circuit ID with value of '0108000600XXXXXX', where '0108000600' is a fixed value for all segments, the 6 numbers "XXXXXX" is the segment ID value in hexadecimal. Also ensure to check the Append wildcard(*) check box.
4. Set the policy address range to the entire range of the scope.
This part briefly lists all the input data, for reference: the network device configuration, the RFCs used in DHCP packets in an EVPN fabric, the evolution of the DHCP server setup on Microsoft Windows Server 2012 in the Cisco documentation, and brief information on superscopes and policies in the DHCP service on Microsoft Windows Server.
service dhcp
ip dhcp relay
ip dhcp relay information option
ip dhcp relay information option vpn

interface loopback10
  vrf member VRF1
  ip address 10.120.0.1/32 tag 1234567

interface Vlan12
  no shutdown
  vrf member VRF1
  no ip redirects
  ip address 10.120.251.1/24 tag 1234567
  no ipv6 redirects
  fabric forwarding mode anycast-gateway
  ip dhcp relay address 10.0.0.5
  ip dhcp relay source-interface loopback10
• Sub-option 151(0x97) - Virtual Subnet Selection (Defined in RFC#6607)
Used to convey VRF related information to the DHCP server in an MPLS-VPN and VXLAN EVPN multi-tenant environment.
Carries the name of the VRF in which the client resides.
RFC#5107: Sub-option 11(0xb) - Server ID Override
• Sub-option 11(0xb) - Server ID Override (Defined in RFC#5107.)
The server identifier (server ID) override sub-option allows the DHCP relay agent to specify a new value for the server ID option, which is inserted by the DHCP server in the reply packet. This sub-option allows the DHCP relay agent to act as the actual DHCP server such that the renew requests will come to the relay agent rather than the DHCP server directly. The server ID override sub-option contains the incoming interface IP address, which is the IP address on the relay agent that is accessible from the client. Using this information, the DHCP client sends all renew and release request packets to the relay agent. The relay agent adds all of the appropriate sub-options and then forwards the renew and release request packets to the original DHCP server. For this function, Cisco’s proprietary implementation is sub-option 152(0x98). You can use the ip dhcp relay sub-option type cisco command to manage the function.
This option ensures that the client sends its lease renewal requests to the IP address carried in this option (in Cisco VXLAN BGP EVPN this is the anycast address of the client's default gateway).
RFC#3527: Sub-option 5(0x5) - Link Selection
Sub-option 5(0x5) - Link Selection (Defined in RFC#3527.)
The link selection sub-option provides a mechanism to separate the subnet/link on which the DHCP client resides from the gateway address (giaddr), which can be used to communicate with the relay agent by the DHCP server. The relay agent will set the sub-option to the correct subscriber subnet and the DHCP server will use that value to assign an IP address rather than the giaddr value. The relay agent will set the giaddr to its own IP address so that DHCP messages are able to be forwarded over the network. For this function, Cisco’s proprietary implementation is sub-option 150(0x96). You can use the ip dhcp relay sub-option type cisco command to manage the function.
The network from which the client needs an IP address.
Evolution of the Cisco documentation on configuring DHCP on Microsoft Windows Server 2012
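As an added example (not code from the original post, nor from Cisco or Microsoft) that ties the relay configuration, the sub-options above and steps 1-4 of the Windows procedure together: it decodes an Option 82 payload as the leaf would relay it for the Vlan12 network, derives the VNI from the Circuit ID, and builds the Agent Circuit ID match string the scope policy needs. The VNI value 30012 and the two trailing Circuit ID bytes in the constructed sample are assumptions; the page does not give them.

```python
# Added example (not code from the original post): decode a DHCP Option 82
# payload the way an EVPN leaf relays it and build the Windows policy match string.
import ipaddress
CIRCUIT_ID, LINK_SELECTION, SERVER_ID_OVERRIDE, VSS = 1, 5, 11, 151
def parse_option82(data: bytes) -> dict:
    """Walk the sub-option TLVs and decode the four the fabric relies on."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated sub-option at offset %d" % i)
        code, length = data[i], data[i + 1]
        val = data[i + 2:i + 2 + length]
        if code == CIRCUIT_ID:
            out["circuit_id"] = val
            # Cisco DFA/VXLAN circuit ID data: 00 06 00 <VNI, 3 bytes> <port bytes>
            if val[:3] == b"\x00\x06\x00" and len(val) >= 6:
                out["vni"] = int.from_bytes(val[3:6], "big")
        elif code == LINK_SELECTION:          # RFC 3527: subnet the client sits on
            out["link_selection"] = ipaddress.IPv4Address(val)
        elif code == SERVER_ID_OVERRIDE:      # RFC 5107: anycast gateway for renewals
            out["server_id_override"] = ipaddress.IPv4Address(val)
        elif code == VSS and val[:1] == b"\x00":  # RFC 6607 type 0: ASCII VRF name
            out["vrf"] = val[1:].decode("ascii")
        i += 2 + length
    return out

def policy_circuit_id(vni: int) -> str:
    """Step 3 of the procedure: fixed '0108000600', 6 hex digits of the VNI, then the wildcard."""
    if not 0 <= vni <= 0xFFFFFF:
        raise ValueError("VNI must fit in 24 bits")
    return "0108000600%06X*" % vni

def circuit_id_matches(circuit_id: bytes, pattern: str) -> bool:
    """Emulate the policy condition: hex of the whole TLV (type, length, data) against the pattern."""
    tlv_hex = "%02X%02X%s" % (CIRCUIT_ID, len(circuit_id), circuit_id.hex().upper())
    if pattern.endswith("*"):
        return tlv_hex.startswith(pattern[:-1])
    return tlv_hex == pattern

# Constructed sample for the Vlan12 network from the leaf config above. VNI 30012 and the
# two trailing circuit-ID bytes are assumptions; the page does not give them.
SAMPLE = bytes.fromhex(
    "0108" "000600" "00753C" "0102"   # sub-option 1: circuit ID, VNI 0x00753C = 30012
    "0504" "0A78FB00"                 # sub-option 5: link selection 10.120.251.0
    "0B04" "0A78FB01"                 # sub-option 11: server ID override 10.120.251.1
    "9705" "00" "56524631"            # sub-option 151: VSS type 0, VRF name "VRF1"
)

if __name__ == "__main__":
    print(parse_option82(SAMPLE), policy_circuit_id(parse_option82(SAMPLE)["vni"]))
```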
If multiple DHCP Scopes are required for multiple subnets, you need to create one LoopbackX per subnet/vlan on all LEAFS and create a superscope with a loopbackX range scope and actual client IP subnet scope per vlan.
The Windows 2012 Server configuration was later added to the network device configuration documentation. For all address pools in use, one SuperScope per data center is required, and this SuperScope is the boundary of the data center:
Create Superscope for all scopes you want to use for Option 82-based policies.
Note
The Superscope should combine all scopes and act as the administrative boundary.
Let us assume the switch is using the address from subnet B (it can be the backbone subnet, management subnet, or any customer designated subnet for this purpose) to communicate with the Windows DHCP server. In DFA we have subnets S1, S2, S3, …, Sn for segment s1, s2, s3, …, sn.
Superscope is an administrative feature of a DHCP server that can be used to group multiple scopes as a single administrative entity. Superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Scopes added to a superscope are called member scopes.
What a SuperScope is: a feature that lets you combine several IP address pools into one administrative unit, so that IP addresses from several pools can be offered to clients on the same physical network (in the same VLAN). If a request arrives for an address pool that belongs to a superscope, the client can be given an address from another scope contained in that superscope.
The DHCP Server role in Windows Server 2012 introduces a new feature that allows you to create IPv4 policies that specify custom IP address and option assignments for DHCP clients based on a set of conditions.
The policy based assignment (PBA) feature allows you to group DHCP clients by specific attributes based on fields contained in the DHCP client request packet. PBA enables targeted administration and greater control of the configuration parameters delivered to network devices with DHCP.
Policies let you assign IP addresses to clients depending on the type of client or on request parameters. The Cisco engineers used policies in Windows Server 2012 to filter by VNI (Virtual Network Identifier).
Main part
This section contains the research results: why it is not supported, how it works (the logic), what is new, and how the new features help us.
Why are Microsoft Windows Server 2000/2003/2008 not supported?
Microsoft Windows Server 2008 and earlier do not process Option 82 and send the reply packet without Option 82.
Sniffer data on Windows Server 2008 and on the DHCP client. Windows Server 2008 receives the request from the network device (Option 82 is present in the option list).
Windows Server 2008 sends the reply to the network device (Option 82 is not present among the options in the packet).
From the client's side: DHCP Discover is present, but DHCP Offer is missing.
Network device statistics:
NEXUS-9000V-SW-1# show ip dhcp relay statistics
----------------------------------------------------------------------
Message Type                 Rx          Tx       Drops
----------------------------------------------------------------------
Discover                      8           8           0
Offer                         8           8           0
Request(*)                    0           0           0
Ack                           0           0           0
Release(*)                    0           0           0
Decline                       0           0           0
Inform(*)                     0           0           0
Nack                          0           0           0
----------------------------------------------------------------------
Total                        16          16           0
----------------------------------------------------------------------

DHCP L3 FWD:
  Total Packets Received              : 0
  Total Packets Forwarded             : 0
  Total Packets Dropped               : 0
Non DHCP:
  Total Packets Received              : 0
  Total Packets Forwarded             : 0
  Total Packets Dropped               : 0
DROP:
  DHCP Relay not enabled              : 0
  Invalid DHCP message type           : 0
  Interface error                     : 0
  Tx failure towards server           : 0
  Tx failure towards client           : 0
  Unknown output interface            : 0
  Unknown vrf or interface for server : 0
  Max hops exceeded                   : 0
  Option 82 validation failed         : 0
  Packet Malformed                    : 0
  Relay Trusted port not configured   : 0
  DHCP Request dropped on MCT         : 0

* - These counters will show correct value when switch
    receives DHCP request packet with destination ip as broadcast
    address. If request is unicast it will be HW switched
NEXUS-9000V-SW-1#
Why is the configuration on Microsoft Windows Server 2012 so complicated?
Microsoft Windows Server 2012 does not yet support RFC#3527 (Option 82 sub-option 5(0x5) - Link Selection),
but the policy feature is already implemented.
How it works:
Microsoft Windows Server 2012 has a SuperScope that contains the loopback addresses and the pools for the real networks.
The choice of the pool from which IP addresses are issued is confined to that SuperScope, because the packet comes from the DHCP relay and the relay's loopback source address is contained in the SuperScope.
Note
All relay agent IP addresses (GIADDR) must be part of an active DHCP scope IP address range. Any GIADDR outside of the DHCP scope IP address ranges is considered a rogue relay and Windows DHCP Server will not acknowledge DHCP client requests from those relay agents.
A special scope can be created to "authorize" relay agents. Create a scope with the GIADDR (or multiple if the GIADDR's are sequential IP addresses), exclude the GIADDR address(es) from distribution, and then activate the scope. This will authorize the relay agents while preventing the GIADDR addresses from being assigned.
That is, to configure DHCP pools for a VXLAN BGP EVPN fabric on Microsoft Windows Server 2016/2019, you only need: