DhcpdByPort Home Page

Laurent FACQ – facq@u-bordeaux.fr

Introduction :

dhcpdbyport is a perl script which generates configuration files for ISC DHCP v3 and (cisco) switches.

The goal is to assign a fixed IP address, not based on the MAC address as usual, but on the equipment (switch) port used to connect to the network, using DHCP Option-82.
This is useful when you have user/port or customer/port associations, as in a hotel, dormitory or residential area.

Currently, dhcpdbyport also generates the port configuration part of a cisco switch, to enforce that only the assigned IP address can be used as source address, using a layer 3 ACL on layer 2 switch ports (available on EI cisco switches starting from the 2950T, 2950G).

Download :

Beta version : dhcpdbyport_v0.2

Documentation :

TODO :)

Example :

Suppose you have a Debian sarge Linux box, with the dhcpd configuration files in « /etc/dhcp3 ».
Create the directory /etc/dhcp3/dhcpdbyport.d :
mkdir /etc/dhcp3/dhcpdbyport.d
Create the file /etc/dhcp3/dhcpdbyport.conf :
emacs /etc/dhcp3/dhcpdbyport.conf
with something like :

#DEBUG
VERBOSE
# ROOT <directory-where-to-put-output-files>
ROOT /etc/dhcp3/dhcpdbyport.d
# NETWORK <networkname>
NETWORK testnet
# VLAN <number>
VLAN 123
# SWITCH <name> <macaddress> [type]
SWITCH myswitch1 00:11:22:33:44:55
# PORT <porttype> <module> <num> <ip> <description>
PORT FastEthernet 0 1 1.2.3.1 Room A
PORT FastEthernet 0 2 1.2.3.2 Room B
PORT FastEthernet 0 3 1.2.3.3 Room C
SWITCH myswitch2 00:55:66:77:88:99
# (experimental) you can use perl expression inside double parenthesis
PORT FastEthernet 0 4-6 1.2.3.(($port+64)) Room number (($port))

Run dhcpdbyport with something like : « /usr/local/bin/dhcpdbyport /etc/dhcp3/dhcpdbyport.conf »

Then you get 3 files in /etc/dhcp3/dhcpdbyport.d.

myswitch1.conf :

interface FastEthernet 0/1
description Room A [*auto*]
ip access-group ip=1.2.3.1 in
switchport access vlan 123
switchport mode access
no access-list ip=1.2.3.1
access-list ip=1.2.3.1 remark description Room A [*auto*]
access-list ip=1.2.3.1 permit 0.0.0.0
access-list ip=1.2.3.1 permit 1.2.3.1
access-list ip=1.2.3.1 deny any

interface FastEthernet 0/2
description Room B [*auto*]
ip access-group ip=1.2.3.2 in
switchport access vlan 123
switchport mode access
no access-list ip=1.2.3.2
access-list ip=1.2.3.2 remark description Room B [*auto*]
access-list ip=1.2.3.2 permit 0.0.0.0
access-list ip=1.2.3.2 permit 1.2.3.2
access-list ip=1.2.3.2 deny any

interface FastEthernet 0/3
description Room C [*auto*]
ip access-group ip=1.2.3.3 in
switchport access vlan 123
switchport mode access
no access-list ip=1.2.3.3
access-list ip=1.2.3.3 remark description Room C [*auto*]
access-list ip=1.2.3.3 permit 0.0.0.0
access-list ip=1.2.3.3 permit 1.2.3.3
access-list ip=1.2.3.3 deny any

myswitch2.conf :

interface FastEthernet 0/4
description Room number 4 [*auto*]
ip access-group ip=1.2.3.68 in
switchport access vlan 123
switchport mode access
no access-list ip=1.2.3.68
access-list ip=1.2.3.68 remark description Room number 4 [*auto*]
access-list ip=1.2.3.68 permit 0.0.0.0
access-list ip=1.2.3.68 permit 1.2.3.68
access-list ip=1.2.3.68 deny any

interface FastEthernet 0/5
description Room number 5 [*auto*]
ip access-group ip=1.2.3.69 in
switchport access vlan 123
switchport mode access
no access-list ip=1.2.3.69
access-list ip=1.2.3.69 remark description Room number 5 [*auto*]
access-list ip=1.2.3.69 permit 0.0.0.0
access-list ip=1.2.3.69 permit 1.2.3.69
access-list ip=1.2.3.69 deny any

interface FastEthernet 0/6
description Room number 6 [*auto*]
ip access-group ip=1.2.3.70 in
switchport access vlan 123
switchport mode access
no access-list ip=1.2.3.70
access-list ip=1.2.3.70 remark description Room number 6 [*auto*]
access-list ip=1.2.3.70 permit 0.0.0.0
access-list ip=1.2.3.70 permit 1.2.3.70
access-list ip=1.2.3.70 deny any

classes.conf :

class "testnet-vlan 00:7b-mod 00-port 00 on myswitch1"{
match if (substring (option agent.circuit-id,2, 2) = 00:7b)
and (substring (option agent.circuit-id,4,1) = 00)
and (suffix (option agent.circuit-id, 1) = 00)
and (suffix(option agent.remote-id,6) = 00:11:22:33:44:55);
}
class "testnet-vlan 00:7b-mod 00-port 01 on myswitch1"{
match if (substring (option agent.circuit-id,2, 2) = 00:7b)
and (substring (option agent.circuit-id,4,1) = 00)
and (suffix (option agent.circuit-id, 1) = 01)
and (suffix(option agent.remote-id,6) = 00:11:22:33:44:55);
}
class "testnet-vlan 00:7b-mod 00-port 02 on myswitch1"{
match if (substring (option agent.circuit-id,2, 2) = 00:7b)
and (substring (option agent.circuit-id,4,1) = 00)
and (suffix (option agent.circuit-id, 1) = 02)
and (suffix(option agent.remote-id,6) = 00:11:22:33:44:55);
}
class "testnet-vlan 00:7b-mod 00-port 03 on myswitch2"{
match if (substring (option agent.circuit-id,2, 2) = 00:7b)
and (substring (option agent.circuit-id,4,1) = 00)
and (suffix (option agent.circuit-id, 1) = 03)
and (suffix(option agent.remote-id,6) = 00:55:66:77:88:99);
}
class "testnet-vlan 00:7b-mod 00-port 04 on myswitch2"{
match if (substring (option agent.circuit-id,2, 2) = 00:7b)
and (substring (option agent.circuit-id,4,1) = 00)
and (suffix (option agent.circuit-id, 1) = 04)
and (suffix(option agent.remote-id,6) = 00:55:66:77:88:99);
}
class "testnet-vlan 00:7b-mod 00-port 05 on myswitch2"{
match if (substring (option agent.circuit-id,2, 2) = 00:7b)
and (substring (option agent.circuit-id,4,1) = 00)
and (suffix (option agent.circuit-id, 1) = 05)
and (suffix(option agent.remote-id,6) = 00:55:66:77:88:99);
}
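
How those match expressions decode Cisco's Option-82 fields, as an added Python example that is not part of dhcpdbyport: it parses the circuit-id (type, length, VLAN, module, zero-based port) and remote-id (type, length, switch MAC) exactly as the substring/suffix offsets above do, then looks the port up in the table written in the dhcpdbyport.conf above, expanding the "4-6 1.2.3.(($port+64))" line the same way. The sample Option-82 bytes are constructed.

```python
# Added example (not part of dhcpdbyport): resolve the fixed IP that the
# classes.conf / testnet.conf pair above would hand to a DHCP client,
# starting from the raw Option-82 sub-options inserted by the switch.

# Port table as written in the example dhcpdbyport.conf:
# (switch MAC, vlan, module, 1-based port number) -> fixed IP
PORT_TABLE = {
    ("00:11:22:33:44:55", 123, 0, 1): "1.2.3.1",   # Room A
    ("00:11:22:33:44:55", 123, 0, 2): "1.2.3.2",   # Room B
    ("00:11:22:33:44:55", 123, 0, 3): "1.2.3.3",   # Room C
}
# "PORT FastEthernet 0 4-6 1.2.3.(($port+64)) ..." expands to three entries
for port in range(4, 7):
    PORT_TABLE[("00:55:66:77:88:99", 123, 0, port)] = "1.2.3.%d" % (port + 64)


def decode_circuit_id(cid: bytes):
    """Cisco circuit-id: type 00, length 04, vlan (2 bytes), module (1), port (1).
    The port byte is zero-based, hence 'port 03' for FastEthernet 0/4."""
    if len(cid) != 6 or cid[:2] != b"\x00\x04":
        raise ValueError("not a Cisco circuit-id: %s" % cid.hex())
    vlan = int.from_bytes(cid[2:4], "big")      # substring(circuit-id, 2, 2)
    module = cid[4]                             # substring(circuit-id, 4, 1)
    port = cid[5] + 1                           # suffix(circuit-id, 1), plus 1
    return vlan, module, port


def decode_remote_id(rid: bytes) -> str:
    """Cisco remote-id: type 00, length 06, switch MAC (6 bytes)."""
    if len(rid) != 8 or rid[:2] != b"\x00\x06":
        raise ValueError("not a Cisco remote-id: %s" % rid.hex())
    return ":".join("%02x" % b for b in rid[2:])  # suffix(remote-id, 6)


def fixed_ip_for(circuit_id: bytes, remote_id: bytes):
    """IP the pools above would lease for this switch port, or None when no
    class matches (so none of these pools would serve the client)."""
    vlan, module, port = decode_circuit_id(circuit_id)
    mac = decode_remote_id(remote_id)
    return PORT_TABLE.get((mac, vlan, module, port))


if __name__ == "__main__":
    # Constructed Option-82 values for "Room number 4" on myswitch2
    cid = bytes.fromhex("0004007b0003")
    rid = bytes.fromhex("0006005566778899")
    print(decode_circuit_id(cid), decode_remote_id(rid), fixed_ip_for(cid, rid))
```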

testnet.conf :

pool {
allow members of "testnet-vlan 00:7b-mod 00-port 00 on myswitch1";
range 1.2.3.1;
}
pool {
allow members of "testnet-vlan 00:7b-mod 00-port 01 on myswitch1";
range 1.2.3.2;
}
pool {
allow members of "testnet-vlan 00:7b-mod 00-port 02 on myswitch1";
range 1.2.3.3;
}
pool {
allow members of "testnet-vlan 00:7b-mod 00-port 03 on myswitch2";
range 1.2.3.68;
}
pool {
allow members of "testnet-vlan 00:7b-mod 00-port 04 on myswitch2";
range 1.2.3.69;
}
pool {
allow members of "testnet-vlan 00:7b-mod 00-port 05 on myswitch2";
range 1.2.3.70;
}

Now, you have to include the generated DHCP files in your dhcpd.conf :

...
# include classes definition to match port/vlan/switch info
include "/etc/dhcp3/dhcpdbyport.d/classes.conf";
...
# some logs to debug (can be removed) – stolen from http://www.thtech.net/article/10
if exists agent.circuit-id
{
log ( info, concat( "Lease for ", binary-to-ascii (10, 8, ".", leased-address), " is connected to interface ",
binary-to-ascii (10, 8, "/", suffix ( option agent.circuit-id, 2)), " (add 1 to port number!), VLAN ",
binary-to-ascii (10, 16, "", substring( option agent.circuit-id, 2, 2)), " on switch ",
binary-to-ascii(16, 8, ":", substring( option agent.remote-id, 2, 6))));
log ( info, concat( "Lease for ", binary-to-ascii (10, 8, ".", leased-address),
" raw option-82 info is CID: ", binary-to-ascii (10, 8, ".", option agent.circuit-id), " AID: ",
binary-to-ascii(16, 8, ".", option agent.remote-id)));
}
...
shared-network vlan123
{
subnet 1.2.3.0 netmask 255.255.255.0
{
...your usual configuration...
include "/etc/dhcp3/dhcpdbyport.d/testnet.conf";
}
}

On your cisco switches, you have to load the generated port & ACL definitions and to activate some DHCP options :

ip dhcp snooping vlan 123
ip dhcp snooping
...
interface FastEthernet0/??
description Uplink port towards your DHCP server
ip dhcp snooping trust

On your backbone switch/router you have to allow DHCP Option-82 in requests (here on a per-VLAN basis) and relay them to the DHCP server :

interface Vlan123
ip dhcp relay information trusted
ip helper-address your.dhcp.server.ip
...

You may also globally allow DHCP Option-82 requests :

ip dhcp relay information trust-all

TODO add some useful show/debug commands

Contributors :

Thanks to Pierre LEONARD who wrote the first dhcpdbyport version under my direction.
Created : 14/06/2006 05:43
Last update : 06:40:04 14/06/2006