dhcpd.conf.5 130 KB
Newer Older
Ted Lemon's avatar
Ted Lemon committed
1
2
.\"	dhcpd.conf.5
.\"
3
.\" Copyright (c) 2004-2017 by Internet Systems Consortium, Inc. ("ISC")
4
.\" Copyright (c) 1996-2003 by Internet Software Consortium
Ted Lemon's avatar
Ted Lemon committed
5
.\"
6
7
8
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
Ted Lemon's avatar
Ted Lemon committed
9
.\"
10
11
12
13
14
15
16
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Ted Lemon's avatar
Ted Lemon committed
17
.\"
18
19
20
21
.\"   Internet Systems Consortium, Inc.
.\"   950 Charter Street
.\"   Redwood City, CA 94063
.\"   <info@isc.org>
22
.\"   https://www.isc.org/
23
24
.\"
.\" This software has been written for Internet Systems Consortium
Ted Lemon's avatar
Ted Lemon committed
25
.\" by Ted Lemon in cooperation with Vixie Enterprises and Nominum, Inc.
Murray's avatar
Murray committed
26
.\"
27
28
29
.\" Support and other services are available for ISC products - see
.\" https://www.isc.org for more information or to learn more about ISC.
.\"
Shawn Routhier's avatar
Shawn Routhier committed
30
.\" $Id: dhcpd.conf.5,v 1.114 2012/04/02 22:47:35 sar Exp $
Murray's avatar
Murray committed
31
.\"
Ted Lemon's avatar
Ted Lemon committed
32
.TH dhcpd.conf 5
33
34
35
36
.SH NAME
dhcpd.conf - dhcpd configuration file
.SH DESCRIPTION
The dhcpd.conf file contains configuration information for
Ted Lemon's avatar
Ted Lemon committed
37
.IR dhcpd,
38
the Internet Systems Consortium DHCP Server.
Ted Lemon's avatar
Ted Lemon committed
39
.PP
Shawn Routhier's avatar
Shawn Routhier committed
40
41
The dhcpd.conf file is a free-form ASCII text file.  It is parsed by
the recursive-descent parser built into dhcpd.  The file may contain
Ted Lemon's avatar
Ted Lemon committed
42
extra tabs and newlines for formatting purposes.  Keywords in the file
Shawn Routhier's avatar
Shawn Routhier committed
43
44
are case-insensitive.  Comments may be placed anywhere within the
file (except within quotes).  Comments begin with the # character and
Ted Lemon's avatar
Ted Lemon committed
45
46
end at the end of the line.
.PP
Shawn Routhier's avatar
Shawn Routhier committed
47
The file essentially consists of a list of statements.  Statements
Ted Lemon's avatar
Ted Lemon committed
48
49
50
51
52
53
54
55
56
57
fall into two broad categories - parameters and declarations.
.PP
Parameter statements either say how to do something (e.g., how long a
lease to offer), whether to do something (e.g., should dhcpd provide
addresses to unknown clients), or what parameters to provide to the
client (e.g., use gateway 220.177.244.7).
.PP
Declarations are used to describe the topology of the
network, to describe clients on the network, to provide addresses that
can be assigned to clients, or to apply a group of parameters to a
Shawn Routhier's avatar
Shawn Routhier committed
58
group of declarations.  In any group of parameters and declarations,
Ted Lemon's avatar
Ted Lemon committed
59
60
61
all parameters must be specified before any declarations which depend
on those parameters may be specified.
.PP
62
Declarations about network topology include the \fIshared-network\fR
Shawn Routhier's avatar
Shawn Routhier committed
63
and the \fIsubnet\fR declarations.  If clients on a subnet are to be
64
assigned addresses
Ted Lemon's avatar
Ted Lemon committed
65
dynamically, a \fIrange\fR declaration must appear within the
Shawn Routhier's avatar
Shawn Routhier committed
66
\fIsubnet\fR declaration.  For clients with statically assigned
Ted Lemon's avatar
Ted Lemon committed
67
addresses, or for installations where only known clients will be
Shawn Routhier's avatar
Shawn Routhier committed
68
served, each such client must have a \fIhost\fR declaration.  If
Ted Lemon's avatar
Ted Lemon committed
69
70
71
72
parameters are to be applied to a group of declarations which are not
related strictly on a per-subnet basis, the \fIgroup\fR declaration
can be used.
.PP
73
For every subnet which will be served, and for every subnet
74
75
76
77
to which the dhcp server is connected, there must be one \fIsubnet\fR
declaration, which tells dhcpd how to recognize that an address is on
that subnet.  A \fIsubnet\fR declaration is required for each subnet
even if no addresses will be dynamically allocated on that subnet.
Ted Lemon's avatar
Ted Lemon committed
78
79
.PP
Some installations have physical networks on which more than one IP
Shawn Routhier's avatar
Shawn Routhier committed
80
subnet operates.  For example, if there is a site-wide requirement
Ted Lemon's avatar
Ted Lemon committed
81
82
83
that 8-bit subnet masks be used, but a department with a single
physical ethernet network expands to the point where it has more than
254 nodes, it may be necessary to run two 8-bit subnets on the same
Shawn Routhier's avatar
Shawn Routhier committed
84
ethernet until such time as a new physical network can be added.  In
85
this case, the \fIsubnet\fR declarations for these two networks must be
Ted Lemon's avatar
Ted Lemon committed
86
87
enclosed in a \fIshared-network\fR declaration.
.PP
88
89
90
91
92
93
Note that even when the \fIshared-network\fR declaration is absent, an
empty one is created by the server to contain the \fIsubnet\fR (and any scoped
parameters included in the \fIsubnet\fR).  For practical purposes, this means
that "stateless" DHCP clients, which are not tied to addresses (and therefore
subnets) will receive the same configuration as stateful ones.
.PP
Ted Lemon's avatar
Ted Lemon committed
94
95
96
Some sites may have departments which have clients on more than one
subnet, but it may be desirable to offer those clients a uniform set
of parameters which are different than what would be offered to
Shawn Routhier's avatar
Shawn Routhier committed
97
clients from other departments on the same subnet.  For clients which
Ted Lemon's avatar
Ted Lemon committed
98
99
will be declared explicitly with \fIhost\fR declarations, these
declarations can be enclosed in a \fIgroup\fR declaration along with
Shawn Routhier's avatar
Shawn Routhier committed
100
the parameters which are common to that department.  For clients
101
102
103
whose addresses will be dynamically assigned, class declarations and
conditional declarations may be used to group parameter assignments
based on information the client sends.
Ted Lemon's avatar
Ted Lemon committed
104
105
.PP
When a client is to be booted, its boot parameters are determined by
106
consulting that client's \fIhost\fR declaration (if any), and then
107
consulting any \fIclass\fR declarations matching the client,
108
followed by the \fIpool\fR, \fIsubnet\fR and \fIshared-network\fR
Shawn Routhier's avatar
Shawn Routhier committed
109
declarations for the IP address assigned to the client.  Each of
110
111
these declarations itself appears within a lexical scope, and all
declarations at less specific lexical scopes are also consulted for
Shawn Routhier's avatar
Shawn Routhier committed
112
client option declarations.  Scopes are never considered
113
114
115
twice, and if parameters are declared in more than one scope, the
parameter declared in the most specific scope is the one that is
used.
Ted Lemon's avatar
Ted Lemon committed
116
117
118
.PP
When dhcpd tries to find a \fIhost\fR declaration for a client, it
first looks for a \fIhost\fR declaration which has a
119
\fIfixed-address\fR declaration that lists an IP address that is valid
Shawn Routhier's avatar
Shawn Routhier committed
120
for the subnet or shared network on which the client is booting.  If
121
122
it doesn't find any such entry, it tries to find an entry which has
no \fIfixed-address\fR declaration.
Ted Lemon's avatar
Ted Lemon committed
123
124
125
126
127
128
129
.SH EXAMPLES
.PP
A typical dhcpd.conf file will look something like this:
.nf

.I global parameters...

130
131
132
133
134
135
136
137
subnet 204.254.239.0 netmask 255.255.255.224 {
  \fIsubnet-specific parameters...\fR
  range 204.254.239.10 204.254.239.30;
}

subnet 204.254.239.32 netmask 255.255.255.224 {
  \fIsubnet-specific parameters...\fR
  range 204.254.239.42 204.254.239.62;
Ted Lemon's avatar
Ted Lemon committed
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
}

subnet 204.254.239.64 netmask 255.255.255.224 {
  \fIsubnet-specific parameters...\fR
  range 204.254.239.74 204.254.239.94;
}

group {
  \fIgroup-specific parameters...\fR
  host zappo.test.isc.org {
    \fIhost-specific parameters...\fR
  }
  host beppo.test.isc.org {
    \fIhost-specific parameters...\fR
  }
  host harpo.test.isc.org {
    \fIhost-specific parameters...\fR
  }
}

.ce 1
Figure 1

.fi
162
.PP
163
Notice that at the beginning of the file, there's a place
Shawn Routhier's avatar
Shawn Routhier committed
164
for global parameters.  These might be things like the organization's
Ted Lemon's avatar
Ted Lemon committed
165
domain name, the addresses of the name servers (if they are common to
Shawn Routhier's avatar
Shawn Routhier committed
166
the entire organization), and so on.  So, for example:
Ted Lemon's avatar
Ted Lemon committed
167
168
169
.nf

	option domain-name "isc.org";
170
	option domain-name-servers ns1.isc.org, ns2.isc.org;
Ted Lemon's avatar
Ted Lemon committed
171
172
173
174

.ce 1
Figure 2
.fi
175
.PP
176
177
178
179
180
As you can see in Figure 2, you can specify host addresses in
parameters using their domain names rather than their numeric IP
addresses.  If a given hostname resolves to more than one IP address
(for example, if that host has two ethernet interfaces), then where
possible, both addresses are supplied to the client.
Ted Lemon's avatar
Ted Lemon committed
181
.PP
Ted Lemon's avatar
Ted Lemon committed
182
183
The most obvious reason for having subnet-specific parameters as
shown in Figure 1 is that each subnet, of necessity, has its own
Shawn Routhier's avatar
Shawn Routhier committed
184
router.  So for the first subnet, for example, there should be
Ted Lemon's avatar
Ted Lemon committed
185
186
187
188
189
something like:
.nf

	option routers 204.254.239.1;
.fi
190
.PP
Shawn Routhier's avatar
Shawn Routhier committed
191
Note that the address here is specified numerically.  This is not
Ted Lemon's avatar
Ted Lemon committed
192
193
required - if you have a different domain name for each interface on
your router, it's perfectly legitimate to use the domain name for that
Shawn Routhier's avatar
Shawn Routhier committed
194
interface instead of the numeric address.  However, in many cases
Ted Lemon's avatar
Ted Lemon committed
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
there may be only one domain name for all of a router's IP addresses, and
it would not be appropriate to use that name here.
.PP
In Figure 1 there is also a \fIgroup\fR statement, which provides
common parameters for a set of three hosts - zappo, beppo and harpo.
As you can see, these hosts are all in the test.isc.org domain, so it
might make sense for a group-specific parameter to override the domain
name supplied to these hosts:
.nf

	option domain-name "test.isc.org";
.fi
.PP
Also, given the domain they're in, these are probably test machines.
If we wanted to test the DHCP leasing mechanism, we might set the
lease timeout somewhat shorter than the default:

.nf
	max-lease-time 120;
	default-lease-time 120;
.fi
216
.PP
Ted Lemon's avatar
Ted Lemon committed
217
You may have noticed that while some parameters start with the
Shawn Routhier's avatar
Shawn Routhier committed
218
\fIoption\fR keyword, some do not.  Parameters starting with the
Ted Lemon's avatar
Ted Lemon committed
219
220
\fIoption\fR keyword correspond to actual DHCP options, while
parameters that do not start with the option keyword either control
221
the behavior of the DHCP server (e.g., how long a lease dhcpd will
Ted Lemon's avatar
Ted Lemon committed
222
223
224
give out), or specify client parameters that are not optional in the
DHCP protocol (for example, server-name and filename).
.PP
Shawn Routhier's avatar
Shawn Routhier committed
225
In Figure 1, each host had \fIhost-specific parameters\fR.  These
Ted Lemon's avatar
Ted Lemon committed
226
could include such things as the \fIhostname\fR option, the name of a
227
file to upload (the \fIfilename\fR parameter) and the address of the
Ted Lemon's avatar
Ted Lemon committed
228
server from which to upload the file (the \fInext-server\fR
Shawn Routhier's avatar
Shawn Routhier committed
229
parameter).  In general, any parameter can appear anywhere that
Ted Lemon's avatar
Ted Lemon committed
230
231
232
parameters are allowed, and will be applied according to the scope in
which the parameter appears.
.PP
Shawn Routhier's avatar
Shawn Routhier committed
233
Imagine that you have a site with a lot of NCD X-Terminals.  These
Ted Lemon's avatar
Ted Lemon committed
234
terminals come in a variety of models, and you want to specify the
Shawn Routhier's avatar
Shawn Routhier committed
235
boot files for each model.  One way to do this would be to have host
Ted Lemon's avatar
Ted Lemon committed
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
declarations for each server and group them by model:
.nf

group {
  filename "Xncd19r";
  next-server ncd-booter;

  host ncd1 { hardware ethernet 0:c0:c3:49:2b:57; }
  host ncd4 { hardware ethernet 0:c0:c3:80:fc:32; }
  host ncd8 { hardware ethernet 0:c0:c3:22:46:81; }
}

group {
  filename "Xncd19c";
  next-server ncd-booter;

  host ncd2 { hardware ethernet 0:c0:c3:88:2d:81; }
  host ncd3 { hardware ethernet 0:c0:c3:00:14:11; }
}

group {
  filename "XncdHMX";
  next-server ncd-booter;

  host ncd1 { hardware ethernet 0:c0:c3:11:90:23; }
  host ncd4 { hardware ethernet 0:c0:c3:91:a7:8; }
  host ncd8 { hardware ethernet 0:c0:c3:cc:a:8f; }
}
.fi
265
266
267
.SH ADDRESS POOLS
.PP
The
Shawn Routhier's avatar
Shawn Routhier committed
268
269
\fBpool\fR and \fBpool6\fR
declarations can be used to specify a pool of addresses that will be
270
treated differently than another pool of addresses, even on the same
Shawn Routhier's avatar
Shawn Routhier committed
271
network segment or subnet.  For example, you may want to provide a
272
273
274
large set of addresses that can be assigned to DHCP clients that are
registered to your DHCP server, while providing a smaller set of
addresses, possibly with short lease times, that are available for
Shawn Routhier's avatar
Shawn Routhier committed
275
unknown clients.  If you have a firewall, you may be able to arrange
276
277
for addresses from one pool to be allowed access to the Internet,
while addresses in another pool are not, thus encouraging users to
Shawn Routhier's avatar
Shawn Routhier committed
278
register their DHCP clients.  To do this, you would set up a pair of
279
280
281
282
283
284
285
286
287
288
289
pool declarations:
.PP
.nf
subnet 10.0.0.0 netmask 255.255.255.0 {
  option routers 10.0.0.254;

  # Unknown clients get this pool.
  pool {
    option domain-name-servers bogus.example.com;
    max-lease-time 300;
    range 10.0.0.200 10.0.0.253;
290
    allow unknown-clients;
291
292
293
294
295
296
297
  }

  # Known clients get this pool.
  pool {
    option domain-name-servers ns1.example.com, ns2.example.com;
    max-lease-time 28800;
    range 10.0.0.5 10.0.0.199;
298
    deny unknown-clients;
299
300
301
302
303
304
305
306
  }
}
.fi
.PP
It is also possible to set up entirely different subnets for known and
unknown clients - address pools exist at the level of shared networks,
so address ranges within pool declarations can be on different
subnets.
307
308
309
310
311
.PP
As you can see in the preceding example, pools can have permit lists
that control which clients are allowed access to the pool and which
aren't.  Each entry in a pool's permit list is introduced with the
.I allow
Shawn Routhier's avatar
Shawn Routhier committed
312
or \fIdeny\fR keyword.  If a pool has a permit list, then only those
313
clients that match specific entries on the permit list will be
Shawn Routhier's avatar
Shawn Routhier committed
314
eligible to be assigned addresses from the pool.  If a pool has a
315
deny list, then only those clients that do not match any entries on
Shawn Routhier's avatar
Shawn Routhier committed
316
the deny list will be eligible.   If both permit and deny lists exist
317
318
for a pool, then only clients that match the permit list and do not
match the deny list will be allowed access.
Shawn Routhier's avatar
Shawn Routhier committed
319
.PP
Shawn Routhier's avatar
Shawn Routhier committed
320
The \fBpool6\fR declaration is similar to the \fBpool\fR declaration.
Shawn Routhier's avatar
Shawn Routhier committed
321
322
323
324
325
326
Currently it is only allowed within a \fBsubnet6\fR declaration, and
may not be included directly in a shared network declaration.
In addition to the \fBrange6\fR statement it allows the \fBprefix6\fR
statement to be included.  You may include \fBrange6\fR statements
for both NA and TA and \fBprefixy6\fR statements in a single
\fBpool6\fR statement.
327
.SH DYNAMIC ADDRESS ALLOCATION
328
329
330
331
332
333
Address allocation is actually only done when a client is in the INIT
state and has sent a DHCPDISCOVER message.  If the client thinks it
has a valid lease and sends a DHCPREQUEST to initiate or renew that
lease, the server has only three choices - it can ignore the
DHCPREQUEST, send a DHCPNAK to tell the client it should stop using
the address, or send a DHCPACK, telling the client to go ahead and use
334
335
336
337
338
339
the address for a while.
.PP
If the server finds the address the client is requesting, and that
address is available to the client, the server will send a DHCPACK.
If the address is no longer available, or the client isn't permitted
to have it, the server will send a DHCPNAK.  If the server knows
340
341
nothing about the address, it will remain silent, unless the address
is incorrect for the network segment to which the client has been
342
343
344
345
attached and the server is authoritative for that network segment, in
which case the server will send a DHCPNAK even though it doesn't know
about the address.
.PP
346
There may be a host declaration matching the client's identification.
347
If that host declaration contains a fixed-address declaration that
348
lists an IP address that is valid for the network segment to which the
349
350
351
352
client is connected, the DHCP server will never do dynamic address allocation.
In this case, the client is \fIrequired\fR to take the address specified
in the host declaration.  If the client sends a DHCPREQUEST for some other
address, the server will respond with a DHCPNAK.
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
.PP
When the DHCP server allocates a new address for a client (remember,
this only happens if the client has sent a DHCPDISCOVER), it first
looks to see if the client already has a valid lease on an IP address,
or if there is an old IP address the client had before that hasn't yet
been reassigned.  In that case, the server will take that address and
check it to see if the client is still permitted to use it.  If the
client is no longer permitted to use it, the lease is freed if the
server thought it was still in use - the fact that the client has sent
a DHCPDISCOVER proves to the server that the client is no longer using
the lease.
.PP
If no existing lease is found, or if the client is forbidden to
receive the existing lease, then the server will look in the list of
address pools for the network segment to which the client is attached
for a lease that is not in use and that the client is permitted to
Shawn Routhier's avatar
Shawn Routhier committed
369
have.  It looks through each pool declaration in sequence (all
370
371
.I range
declarations that appear outside of pool declarations are grouped into
Shawn Routhier's avatar
Shawn Routhier committed
372
a single pool with no permit list).  If the permit list for the pool
373
allows the client to be allocated an address from that pool, the pool
Shawn Routhier's avatar
Shawn Routhier committed
374
375
376
is examined to see if there is an address available.  If so, then the
client is tentatively assigned that address.  Otherwise, the next
pool is tested.  If no addresses are found that can be assigned to
377
378
379
380
the client, no response is sent to the client.
.PP
If an address is found that the client is permitted to have, and that
has never been assigned to any client before, the address is
Shawn Routhier's avatar
Shawn Routhier committed
381
immediately allocated to the client.  If the address is available for
382
383
384
allocation but has been previously assigned to a different client, the
server will keep looking in hopes of finding an address that has never
before been assigned to a client.
385
386
.PP
The DHCP server generates the list of available IP addresses from a
Shawn Routhier's avatar
Shawn Routhier committed
387
hash table.  This means that the addresses are not sorted in any
388
particular order, and so it is not possible to predict the order in
Shawn Routhier's avatar
Shawn Routhier committed
389
which the DHCP server will allocate IP addresses.  Users of previous
390
391
392
393
versions of the ISC DHCP server may have become accustomed to the DHCP
server allocating IP addresses in ascending order, but this is no
longer possible, and there is no way to configure this behavior with
version 3 of the ISC DHCP server.
394
.SH IP ADDRESS CONFLICT PREVENTION
395
The DHCP server checks IP addresses to see if they are in use before
Shawn Routhier's avatar
Shawn Routhier committed
396
397
allocating them to clients.  It does this by sending an ICMP Echo
request message to the IP address being allocated.  If no ICMP Echo
398
399
400
401
402
403
404
405
reply is received within a second, the address is assumed to be free.
This is only done for leases that have been specified in range
statements, and only when the lease is thought by the DHCP server to
be free - i.e., the DHCP server or its failover peer has not listed
the lease as in use.
.PP
If a response is received to an ICMP Echo request, the DHCP server
assumes that there is a configuration error - the IP address is in use
Shawn Routhier's avatar
Shawn Routhier committed
406
by some host on the network that is not a DHCP client.  It marks the
407
408
address as abandoned, and will not assign it to clients. The lease will
remain abandoned for a minimum of abandon-lease-time seconds.
409
410
411
.PP
If a DHCP client tries to get an IP address, but none are available,
but there are abandoned IP addresses, then the DHCP server will
Shawn Routhier's avatar
Shawn Routhier committed
412
attempt to reclaim an abandoned IP address.  It marks one IP address
413
as free, and then does the same ICMP Echo request check described
Shawn Routhier's avatar
Shawn Routhier committed
414
previously.  If there is no answer to the ICMP Echo request, the
415
416
417
address is assigned to the client.
.PP
The DHCP server does not cycle through abandoned IP addresses if the
Shawn Routhier's avatar
Shawn Routhier committed
418
first IP address it tries to reclaim is free.  Rather, when the next
419
420
421
DHCPDISCOVER comes in from the client, it will attempt a new
allocation using the same method described here, and will typically
try a new IP address.
Ted Lemon's avatar
Ted Lemon committed
422
423
.SH DHCP FAILOVER
This version of the ISC DHCP server supports the DHCP failover
Shawn Routhier's avatar
Shawn Routhier committed
424
protocol as documented in draft-ietf-dhc-failover-12.txt.  This is
Ted Lemon's avatar
Ted Lemon committed
425
426
427
428
429
430
431
not a final protocol document, and we have not done interoperability
testing with other vendors' implementations of this protocol, so you
must not assume that this implementation conforms to the standard.
If you wish to use the failover protocol, make sure that both failover
peers are running the same version of the ISC DHCP server.
.PP
The failover protocol allows two DHCP servers (and no more than two)
Shawn Routhier's avatar
Shawn Routhier committed
432
to share a common address pool.  Each server will have about half of
Ted Lemon's avatar
Ted Lemon committed
433
the available IP addresses in the pool at any given time for
Shawn Routhier's avatar
Shawn Routhier committed
434
allocation.  If one server fails, the other server will continue to
Ted Lemon's avatar
Ted Lemon committed
435
436
437
438
439
440
441
renew leases out of the pool, and will allocate new addresses out of
the roughly half of available addresses that it had when
communications with the other server were lost.
.PP
It is possible during a prolonged failure to tell the remaining server
that the other server is down, in which case the remaining server will
(over time) reclaim all the addresses the other server had available
Shawn Routhier's avatar
Shawn Routhier committed
442
for allocation, and begin to reuse them.  This is called putting the
Ted Lemon's avatar
Ted Lemon committed
443
444
server into the PARTNER-DOWN state.
.PP
445
You can put the server into the PARTNER-DOWN state either by using the
446
.B omshell (1)
447
command or by stopping the server, editing the last failover state
Shawn Routhier's avatar
Shawn Routhier committed
448
declaration in the lease file, and restarting the server.  If you use
449
this last method, change the "my state" line to:
450
451
452
.PP
.nf
.B failover peer "\fIname\fB" state {
Shawn Routhier's avatar
Shawn Routhier committed
453
.B   my   state partner-down;.
454
455
456
457
.B   peer state \fIstate\fB at \fIdate\fB;
.B }
.fi
.PP
458
459
It is only required to change "my state" as shown above.
.PP
Ted Lemon's avatar
Ted Lemon committed
460
461
462
463
464
465
466
467
468
469
When the other server comes back online, it should automatically
detect that it has been offline and request a complete update from the
server that was running in the PARTNER-DOWN state, and then both
servers will resume processing together.
.PP
It is possible to get into a dangerous situation: if you put one
server into the PARTNER-DOWN state, and then *that* server goes down,
and the other server comes back up, the other server will not know
that the first server was in the PARTNER-DOWN state, and may issue
addresses previously issued by the other server to different clients,
Shawn Routhier's avatar
Shawn Routhier committed
470
resulting in IP address conflicts.  Before putting a server into
Ted Lemon's avatar
Ted Lemon committed
471
472
473
474
475
PARTNER-DOWN state, therefore, make
.I sure
that the other server will not restart automatically.
.PP
The failover protocol defines a primary server role and a secondary
Shawn Routhier's avatar
Shawn Routhier committed
476
server role.  There are some differences in how primaries and
Ted Lemon's avatar
Ted Lemon committed
477
478
secondaries act, but most of the differences simply have to do with
providing a way for each peer to behave in the opposite way from the
Shawn Routhier's avatar
Shawn Routhier committed
479
other.  So one server must be configured as primary, and the other
Ted Lemon's avatar
Ted Lemon committed
480
481
must be configured as secondary, and it doesn't matter too much which
one is which.
Ted Lemon's avatar
Ted Lemon committed
482
483
484
.SH FAILOVER STARTUP
When a server starts that has not previously communicated with its
failover peer, it must establish communications with its failover peer
Shawn Routhier's avatar
Shawn Routhier committed
485
and synchronize with it before it can serve clients.  This can happen
Ted Lemon's avatar
Ted Lemon committed
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
either because you have just configured your DHCP servers to perform
failover for the first time, or because one of your failover servers
has failed catastrophically and lost its database.
.PP
The initial recovery process is designed to ensure that when one
failover peer loses its database and then resynchronizes, any leases
that the failed server gave out before it failed will be honored.
When the failed server starts up, it notices that it has no saved
failover state, and attempts to contact its peer.
.PP
When it has established contact, it asks the peer for a complete copy
its peer's lease database.  The peer then sends its complete database,
and sends a message indicating that it is done.  The failed server
then waits until MCLT has passed, and once MCLT has passed both
servers make the transition back into normal operation.  This waiting
period ensures that any leases the failed server may have given out
while out of contact with its partner will have expired.
.PP
While the failed server is recovering, its partner remains in the
partner-down state, which means that it is serving all clients.  The
failed server provides no service at all to DHCP clients until it has
made the transition into normal operation.
.PP
In the case where both servers detect that they have never before
communicated with their partner, they both come up in this recovery
Shawn Routhier's avatar
Shawn Routhier committed
511
state and follow the procedure we have just described.  In this case,
Ted Lemon's avatar
Ted Lemon committed
512
no service will be provided to DHCP clients until MCLT has expired.
Ted Lemon's avatar
Ted Lemon committed
513
514
515
516
.SH CONFIGURING FAILOVER
In order to configure failover, you need to write a peer declaration
that configures the failover protocol, and you need to write peer
references in each pool declaration for which you want to do
Shawn Routhier's avatar
Shawn Routhier committed
517
518
519
failover.  You do not have to do failover for all pools on a given
network segment.   You must not tell one server it's doing failover
on a particular address pool and tell the other it is not.  You must
Ted Lemon's avatar
Ted Lemon committed
520
not have any common address pools on which you are not doing
521
522
523
524
525
526
527
528
529
failover.  A pool declaration that utilizes failover would look like this:
.PP
.nf
pool {
	failover peer "foo";
	\fIpool specific parameters\fR
};
.fi
.PP
Ted Lemon's avatar
Ted Lemon committed
530
531
532
533
The  server currently  does very  little  sanity checking,  so if  you
configure it wrong, it will just  fail in odd ways.  I would recommend
therefore that you either do  failover or don't do failover, but don't
do any mixed pools.  Also,  use the same master configuration file for
534
both  servers,  and  have  a  separate file  that  contains  the  peer
Ted Lemon's avatar
Ted Lemon committed
535
536
537
538
539
540
541
542
declaration and includes the master file.  This will help you to avoid
configuration  mismatches.  As our  implementation evolves,  this will
become  less of  a  problem.  A  basic  sample dhcpd.conf  file for  a
primary server might look like this:
.PP
.nf
failover peer "foo" {
  primary;
543
  address anthrax.rc.example.com;
Ted Lemon's avatar
Ted Lemon committed
544
  port 519;
545
  peer address trantor.rc.example.com;
Ted Lemon's avatar
Ted Lemon committed
546
547
548
549
  peer port 520;
  max-response-delay 60;
  max-unacked-updates 10;
  mclt 3600;
550
  split 128;
Ted Lemon's avatar
Ted Lemon committed
551
552
553
554
555
556
557
558
  load balance max seconds 3;
}

include "/etc/dhcpd.master";
.fi
.PP
The statements in the peer declaration are as follows:
.PP
559
The
Ted Lemon's avatar
Ted Lemon committed
560
.I primary
561
and
Ted Lemon's avatar
Ted Lemon committed
562
.I secondary
563
564
statements
.RS 0.25i
Ted Lemon's avatar
Ted Lemon committed
565
.PP
566
[ \fBprimary\fR | \fBsecondary\fR ]\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
567
568
569
.PP
This determines whether the server is primary or secondary, as
described earlier under DHCP FAILOVER.
570
.RE
Ted Lemon's avatar
Ted Lemon committed
571
.PP
572
The
Ted Lemon's avatar
Ted Lemon committed
573
.I address
574
575
statement
.RS 0.25i
Ted Lemon's avatar
Ted Lemon committed
576
.PP
577
.B address \fIaddress\fR\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
578
.PP
579
580
581
582
The \fBaddress\fR statement declares the IP address or DNS name on which the
server should listen for connections from its failover peer, and also the
value to use for the DHCP Failover Protocol server identifier.  Because this
value is used as an identifier, it may not be omitted.
583
.RE
Ted Lemon's avatar
Ted Lemon committed
584
.PP
585
The
Ted Lemon's avatar
Ted Lemon committed
586
.I peer address
587
588
statement
.RS 0.25i
Ted Lemon's avatar
Ted Lemon committed
589
.PP
590
.B peer address \fIaddress\fR\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
591
.PP
592
593
The \fBpeer address\fR statement declares the IP address or DNS name to
which the server should connect to reach its failover peer for failover
Ted Lemon's avatar
Ted Lemon committed
594
messages.
595
.RE
Ted Lemon's avatar
Ted Lemon committed
596
.PP
597
The
Ted Lemon's avatar
Ted Lemon committed
598
.I port
599
600
statement
.RS 0.25i
Ted Lemon's avatar
Ted Lemon committed
601
.PP
602
.B port \fIport-number\fR\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
603
604
.PP
The \fBport\fR statement declares the TCP port on which the server
605
606
607
should listen for connections from its failover peer.  This statement
may be omitted, in which case the IANA assigned port number 647 will be
used by default.
608
.RE
Ted Lemon's avatar
Ted Lemon committed
609
.PP
610
The
Ted Lemon's avatar
Ted Lemon committed
611
.I peer port
612
613
statement
.RS 0.25i
Ted Lemon's avatar
Ted Lemon committed
614
.PP
615
.B peer port \fIport-number\fR\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
616
617
618
.PP
The \fBpeer port\fR statement declares the TCP port to which the
server should connect to reach its failover peer for failover
619
620
messages.  This statement may be omitted, in which case the IANA
assigned port number 647 will be used by default.
621
.RE
Ted Lemon's avatar
Ted Lemon committed
622
.PP
623
The
Ted Lemon's avatar
Ted Lemon committed
624
.I max-response-delay
625
626
statement
.RS 0.25i
Ted Lemon's avatar
Ted Lemon committed
627
.PP
628
.B max-response-delay \fIseconds\fR\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
629
630
631
.PP
The \fBmax-response-delay\fR statement tells the DHCP server how
many seconds may pass without receiving a message from its failover
Shawn Routhier's avatar
Shawn Routhier committed
632
peer before it assumes that connection has failed.  This number
Ted Lemon's avatar
Ted Lemon committed
633
634
635
should be small enough that a transient network failure that breaks
the connection will not result in the servers being out of
communication for a long time, but large enough that the server isn't
Shawn Routhier's avatar
Shawn Routhier committed
636
constantly making and breaking connections.  This parameter must be
Ted Lemon's avatar
Ted Lemon committed
637
specified.
638
.RE
Ted Lemon's avatar
Ted Lemon committed
639
.PP
640
641
642
643
644
The
.I max-unacked-updates
statement
.RS 0.25i
.PP
645
.B max-unacked-updates \fIcount\fR\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
646
.PP
David Hankins's avatar
David Hankins committed
647
The \fBmax-unacked-updates\fR statement tells the remote DHCP server how
648
many BNDUPD messages it can send before it receives a BNDACK
Shawn Routhier's avatar
Shawn Routhier committed
649
650
from the local system.  We don't have enough operational experience
to say what a good value for this is, but 10 seems to work.  This
Ted Lemon's avatar
Ted Lemon committed
651
parameter must be specified.
652
.RE
Ted Lemon's avatar
Ted Lemon committed
653
.PP
654
The
Ted Lemon's avatar
Ted Lemon committed
655
.I mclt
656
657
statement
.RS 0.25i
Ted Lemon's avatar
Ted Lemon committed
658
.PP
659
.B mclt \fIseconds\fR\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
660
.PP
Shawn Routhier's avatar
Shawn Routhier committed
661
The \fBmclt\fR statement defines the Maximum Client Lead Time.  It
Ted Lemon's avatar
Ted Lemon committed
662
must be specified on the primary, and may not be specified on the
Shawn Routhier's avatar
Shawn Routhier committed
663
664
secondary.  This is the length of time for which a lease may be
renewed by either failover peer without contacting the other.  The
Ted Lemon's avatar
Ted Lemon committed
665
longer you set this, the longer it will take for the running server to
Shawn Routhier's avatar
Shawn Routhier committed
666
recover IP addresses after moving into PARTNER-DOWN state.  The
Ted Lemon's avatar
Ted Lemon committed
667
shorter you set it, the more load your servers will experience when
Shawn Routhier's avatar
Shawn Routhier committed
668
they are not communicating.  A value of something like 3600 is
Ted Lemon's avatar
Ted Lemon committed
669
670
probably reasonable, but again bear in mind that we have no real
operational experience with this.
671
.RE
Ted Lemon's avatar
Ted Lemon committed
672
.PP
673
The
Ted Lemon's avatar
Ted Lemon committed
674
.I split
675
676
statement
.RS 0.25i
Ted Lemon's avatar
Ted Lemon committed
677
.PP
678
.B split \fIbits\fR\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
679
680
.PP
The split statement specifies the split between the primary and
Shawn Routhier's avatar
Shawn Routhier committed
681
secondary for the purposes of load balancing.  Whenever a client
Ted Lemon's avatar
Ted Lemon committed
682
makes a DHCP request, the DHCP server runs a hash on the client
683
684
685
686
687
688
689
identification, resulting in value from 0 to 255.  This is used as
an index into a 256 bit field.  If the bit at that index is set,
the primary is responsible.  If the bit at that index is not set,
the secondary is responsible.  The \fBsplit\fR value determines
how many of the leading bits are set to one.  So, in practice, higher
split values will cause the primary to serve more clients than the
secondary.  Lower split values, the converse.  Legal values are between
690
691
692
0 and 256 inclusive, of which the most reasonable is 128.  Note that
a value of 0 makes the secondary responsible for all clients and a value
of 256 makes the primary responsible for all clients.
693
.RE
Ted Lemon's avatar
Ted Lemon committed
694
.PP
695
The
Ted Lemon's avatar
Ted Lemon committed
696
.I hba
697
698
statement
.RS 0.25i
Ted Lemon's avatar
Ted Lemon committed
699
.PP
700
.B hba \fIcolon-separated-hex-list\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
701
702
703
.PP
The hba statement specifies the split between the primary and
secondary as a bitmap rather than a cutoff, which theoretically allows
Shawn Routhier's avatar
Shawn Routhier committed
704
705
for finer-grained control.  In practice, there is probably no need
for such fine-grained control, however.  An example hba statement:
Ted Lemon's avatar
Ted Lemon committed
706
707
708
709
710
.PP
.nf
  hba ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
      00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00;
.fi
711
.PP
712
This is equivalent to a \fBsplit 128;\fR statement, and identical.  The
713
following two examples are also equivalent to a \fBsplit\fR of 128, but
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
are not identical:
.PP
.nf
  hba aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:
      aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa:aa;

  hba 55:55:55:55:55:55:55:55:55:55:55:55:55:55:55:55:
      55:55:55:55:55:55:55:55:55:55:55:55:55:55:55:55;
.fi
.PP
They are equivalent, because half the bits are set to 0, half are set to
1 (0xa and 0x5 are 1010 and 0101 binary respectively) and consequently this
would roughly divide the clients equally between the servers.  They are not
identical, because the actual peers this would load balance to each server
are different for each example.
.PP
You must only have \fBsplit\fR or \fBhba\fR defined, never both.  For most
cases, the fine-grained control that \fBhba\fR offers isn't necessary, and
\fBsplit\fR should be used.
733
.RE
Ted Lemon's avatar
Ted Lemon committed
734
.PP
735
The
Ted Lemon's avatar
Ted Lemon committed
736
.I load balance max seconds
737
738
statement
.RS 0.25i
Ted Lemon's avatar
Ted Lemon committed
739
.PP
740
.B load balance max seconds \fIseconds\fR\fB;\fR
Ted Lemon's avatar
Ted Lemon committed
741
742
743
744
745
746
747
748
749
750
751
.PP
This statement allows you to configure a cutoff after which load
balancing is disabled.  The cutoff is based on the number of seconds
since the client sent its first DHCPDISCOVER or DHCPREQUEST message,
and only works with clients that correctly implement the \fIsecs\fR
field - fortunately most clients do.  We recommend setting this to
something like 3 or 5.  The effect of this is that if one of the
failover peers gets into a state where it is responding to failover
messages but not responding to some client requests, the other
failover peer will take over its client load automatically as the
clients retry.
752
753
754
755
.PP
It is possible to disable load balancing between peers by setting this
value to 0 on both peers.  Bear in mind that this means both peers will
respond to all DHCPDISCOVERs or DHCPREQUESTs.
756
.RE
757
.PP
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
The
.I auto-partner-down
statement
.RS 0.25i
.PP
.B auto-partner-down \fIseconds\fR\fB;\fR
.PP
This statement instructs the server to initiate a timed delay upon entering
the communications-interrupted state (any situation of being out-of-contact
with the remote failover peer).  At the conclusion of the timer, the server
will automatically enter the partner-down state.  This permits the server
to allocate leases from the partner's free lease pool after an STOS+MCLT
timer expires, which can be dangerous if the partner is in fact operating
at the time (the two servers will give conflicting bindings).
.PP
Think very carefully before enabling this feature.  The partner-down and
communications-interrupted states are intentionally segregated because
there do exist situations where a failover server can fail to communicate
with its peer, but still has the ability to receive and reply to requests
from DHCP clients.  In general, this feature should only be used in those
deployments where the failover servers are directly connected to one
another, such as by a dedicated hardwired link ("a heartbeat cable").
.PP
A zero value disables the auto-partner-down feature (also the default), and
any positive value indicates the time in seconds to wait before automatically
entering partner-down.
.RE
.PP
786
787
788
789
790
791
792
793
794
795
796
The Failover pool balance statements.
.RS 0.25i
.PP
 \fBmax-lease-misbalance \fIpercentage\fR\fB;\fR
 \fBmax-lease-ownership \fIpercentage\fR\fB;\fR
 \fBmin-balance \fIseconds\fR\fB;\fR
 \fBmax-balance \fIseconds\fR\fB;\fR
.PP
This version of the DHCP Server evaluates pool balance on a schedule,
rather than on demand as leases are allocated.  The latter approach
proved to be slightly klunky when pool misbalanced reach total
797
saturation \(em when any server ran out of leases to assign, it also lost
798
799
800
its ability to notice it had run dry.
.PP
In order to understand pool balance, some elements of its operation
801
802
803
804
805
806
first need to be defined.  First, there are \'free\' and \'backup\' leases.
Both of these are referred to as \'free state leases\'.  \'free\' and
\'backup\'
are \'the free states\' for the purpose of this document.  The difference
is that only the primary may allocate from \'free\' leases unless under
special circumstances, and only the secondary may allocate \'backup\' leases.
807
808
809
810
811
.PP
When pool balance is performed, the only plausible expectation is to
provide a 50/50 split of the free state leases between the two servers.
This is because no one can predict which server will fail, regardless
of the relative load placed upon the two servers, so giving each server
812
half the leases gives both servers the same amount of \'failure endurance\'.
813
814
815
816
Therefore, there is no way to configure any different behaviour, outside of
some very small windows we will describe shortly.
.PP
The first thing calculated on any pool balance run is a value referred to
817
as \'lts\', or "Leases To Send".  This, simply, is the difference in the
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
count of free and backup leases, divided by two.  For the secondary,
it is the difference in the backup and free leases, divided by two.
The resulting value is signed: if it is positive, the local server is
expected to hand out leases to retain a 50/50 balance.  If it is negative,
the remote server would need to send leases to balance the pool.  Once
the lts value reaches zero, the pool is perfectly balanced (give or take
one lease in the case of an odd number of total free state leases).
.PP
The current approach is still something of a hybrid of the old approach,
marked by the presence of the \fBmax-lease-misbalance\fR statement.  This
parameter configures what used to be a 10% fixed value in previous versions:
if lts is less than free+backup * \fBmax-lease-misbalance\fR percent, then
the server will skip balancing a given pool (it won't bother moving any
leases, even if some leases "should" be moved).  The meaning of this value
is also somewhat overloaded, however, in that it also governs the estimation
of when to attempt to balance the pool (which may then also be skipped over).
The oldest leases in the free and backup states are examined.  The time
they have resided in their respective queues is used as an estimate to
indicate how much time it is probable it would take before the leases at
the top of the list would be consumed (and thus, how long it would take
to use all leases in that state).  This percentage is directly multiplied
by this time, and fit into the schedule if it falls within
the \fBmin-balance\fR and \fBmax-balance\fR configured values.  The
scheduled pool check time is only moved in a downwards direction, it is
never increased.  Lastly, if the lts is more than double this number in
843
the negative direction, the local server will \'panic\' and transmit a
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
Failover protocol POOLREQ message, in the hopes that the remote system
will be woken up into action.
.PP
Once the lts value exceeds the \fBmax-lease-misbalance\fR percentage of
total free state leases as described above, leases are moved to the remote
server.  This is done in two passes.
.PP
In the first pass, only leases whose most recent bound client would have
been served by the remote server - according to the Load Balance Algorithm
(see above \fBsplit\fR and \fBhba\fR configuration statements) - are given
away to the peer.  This first pass will happily continue to give away leases,
decrementing the lts value by one for each, until the lts value has reached
the negative of the total number of leases multiplied by
the \fBmax-lease-ownership\fR percentage.  So it is through this value that
you can permit a small misbalance of the lease pools - for the purpose of
giving the peer more than a 50/50 share of leases in the hopes that their
clients might some day return and be allocated by the peer (operating
861
normally).  This process is referred to as \'MAC Address Affinity\', but this
862
863
is somewhat misnamed: it applies equally to DHCP Client Identifier options.
Note also that affinity is applied to leases when they enter the state
864
\'free\' from \'expired\' or \'released\'.  In this case also, leases will not
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
be moved from free to backup if the secondary already has more than its
share.
.PP
The second pass is only entered into if the first pass fails to reduce
the lts underneath the total number of free state leases multiplied by
the \fBmax-lease-ownership\fR percentage.  In this pass, the oldest
leases are given over to the peer without second thought about the Load
Balance Algorithm, and this continues until the lts falls under this
value.  In this way, the local server will also happily keep a small
percentage of the leases that would normally load balance to itself.
.PP
So, the \fBmax-lease-misbalance\fR value acts as a behavioural gate.
Smaller values will cause more leases to transition states to balance
the pools over time, higher values will decrease the amount of change
(but may lead to pool starvation if there's a run on leases).
.PP
Jeremy Reed's avatar
Jeremy Reed committed
881
The \fBmax-lease-ownership\fR value permits a small (percentage) skew
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
in the lease balance of a percentage of the total number of free state
leases.
.PP
Finally, the \fBmin-balance\fR and \fBmax-balance\fR make certain that a
scheduled rebalance event happens within a reasonable timeframe (not
to be thrown off by, for example, a 7 year old free lease).
.PP
Plausible values for the percentages lie between 0 and 100, inclusive, but
values over 50 are indistinguishable from one another (once lts exceeds
50% of the free state leases, one server must therefore have 100% of the
leases in its respective free state).  It is recommended to select
a \fBmax-lease-ownership\fR value that is lower than the value selected
for the \fBmax-lease-misbalance\fR value.  \fBmax-lease-ownership\fR
defaults to 10, and \fBmax-lease-misbalance\fR defaults to 15.
.PP
Plausible values for the \fBmin-balance\fR and \fBmax-balance\fR times also
range from 0 to (2^32)-1 (or the limit of your local time_t value), but
default to values 60 and 3600 respectively (to place balance events between
1 minute and 1 hour).
.RE
902
.SH CLIENT CLASSING
903
Clients can be separated into classes, and treated differently
Shawn Routhier's avatar
Shawn Routhier committed
904
depending on what class they are in.  This separation can be done
905
either with a conditional statement, or with a match statement within
Shawn Routhier's avatar
Shawn Routhier committed
906
the class declaration.  It is possible to specify a limit on the
907
908
909
910
total number of clients within a particular class or subclass that may
hold leases at one time, and it is possible to specify automatic
subclassing based on the contents of the client packet.
.PP
911
Classing support for DHCPv6 clients was added in 4.3.0.  It follows
Shawn Routhier's avatar
Shawn Routhier committed
912
913
914
the same rules as for DHCPv4 except that support for billing classes
has not been added yet.
.PP
915
916
To add clients to classes based on conditional evaluation, you can
specify a matching expression in the class statement:
917
918
.PP
.nf
919
class "ras-clients" {
Ted Lemon's avatar
Ted Lemon committed
920
  match if substring (option dhcp-client-identifier, 1, 3) = "RAS";
921
922
}
.fi
923
.PP
924
925
Note that whether you use matching expressions or add statements (or
both) to classify clients, you must always write a class declaration
Shawn Routhier's avatar
Shawn Routhier committed
926
for any class that you use.  If there will be no match statement and
927
928
no in-scope statements for a class, the declaration should look like
this:
929
.PP
930
931
932
933
.nf
class "ras-clients" {
}
.fi
Ted Lemon's avatar
Ted Lemon committed
934
.SH SUBCLASSES
935
.PP
Shawn Routhier's avatar
Shawn Routhier committed
936
In addition to classes, it is possible to declare subclasses.  A
937
938
939
940
subclass is a class with the same name as a regular class, but with a
specific submatch expression which is hashed for quick matching.
This is essentially a speed hack - the main difference between five
classes with match expressions and one class with five subclasses is
Shawn Routhier's avatar
Shawn Routhier committed
941
that it will be quicker to find the subclasses.  Subclasses work as
942
943
944
follows:
.PP
.nf
Ted Lemon's avatar
Ted Lemon committed
945
946
class "allocation-class-1" {
  match pick-first-value (option dhcp-client-identifier, hardware);
947
948
}

Ted Lemon's avatar
Ted Lemon committed
949
950
class "allocation-class-2" {
  match pick-first-value (option dhcp-client-identifier, hardware);
951
952
}

Ted Lemon's avatar
Ted Lemon committed
953
954
955
956
957
958
subclass "allocation-class-1" 1:8:0:2b:4c:39:ad;
subclass "allocation-class-2" 1:8:0:2b:a9:cc:e3;
subclass "allocation-class-1" 1:0:0:c4:aa:29:44;

subnet 10.0.0.0 netmask 255.255.255.0 {
  pool {
Ted Lemon's avatar
Ted Lemon committed
959
    allow members of "allocation-class-1";
Ted Lemon's avatar
Ted Lemon committed
960
961
962
    range 10.0.0.11 10.0.0.50;
  }
  pool {
Ted Lemon's avatar
Ted Lemon committed
963
    allow members of "allocation-class-2";
Ted Lemon's avatar
Ted Lemon committed
964
965
966
967
968
969
970
971
    range 10.0.0.51 10.0.0.100;
  }
}
.fi
.PP
The data following the class name in the subclass declaration is a
constant value to use in matching the match expression for the class.
When class matching is done, the server will evaluate the match
Shawn Routhier's avatar
Shawn Routhier committed
972
expression and then look the result up in the hash table.  If it
Ted Lemon's avatar
Ted Lemon committed
973
974
975
finds a match, the client is considered a member of both the class and
the subclass.
.PP
Shawn Routhier's avatar
Shawn Routhier committed
976
Subclasses can be declared with or without scope.  In the above
Ted Lemon's avatar
Ted Lemon committed
977
978
example, the sole purpose of the subclass is to allow some clients
access to one address pool, while other clients are given access to
Shawn Routhier's avatar
Shawn Routhier committed
979
the other pool, so these subclasses are declared without scopes.  If
Ted Lemon's avatar
Ted Lemon committed
980
981
982
983
984
985
986
987
988
part of the purpose of the subclass were to define different parameter
values for some clients, you might want to declare some subclasses
with scopes.
.PP
In the above example, if you had a single client that needed some
configuration parameters, while most didn't, you might write the
following subclass declaration for that client:
.PP
.nf
989
subclass "allocation-class-2" 1:08:00:2b:a1:11:31 {
Ted Lemon's avatar
Ted Lemon committed
990
991
  option root-path "samsara:/var/diskless/alphapc";
  filename "/tftpboot/netbsd.alphapc-diskless";
992
993
994
}
.fi
.PP
Ted Lemon's avatar
Ted Lemon committed
995
996
997
998
999
In this example, we've used subclassing as a way to control address
allocation on a per-client basis.  However, it's also possible to use
subclassing in ways that are not specific to clients - for example, to
use the value of the vendor-class-identifier option to determine what
values to send in the vendor-encapsulated-options option.  An example
1000
1001
1002
of this is shown under the VENDOR ENCAPSULATED OPTIONS head in the
.B dhcp-options(5)
manual page.
1003
.SH PER-CLASS LIMITS ON DYNAMIC ADDRESS ALLOCATION
1004
1005
.PP
You may specify a limit to the number of clients in a class that can
Shawn Routhier's avatar
Shawn Routhier committed
1006
1007
be assigned leases.  The effect of this will be to make it difficult
for a new client in a class to get an address.  Once a class with
1008
1009
1010
such a limit has reached its limit, the only way a new client in that
class can get a lease is for an existing client to relinquish its
lease, either by letting it expire, or by sending a DHCPRELEASE
Shawn Routhier's avatar
Shawn Routhier committed
1011
packet.  Classes with lease limits are specified as follows:
1012
1013
.PP
.nf
1014
class "limited-1" {
1015
1016
1017
1018
1019
1020
  lease limit 4;
}
.fi
.PP
This will produce a class in which a maximum of four members may hold
a lease at one time.
Ted Lemon's avatar
Ted Lemon committed
1021
.SH SPAWNING CLASSES
1022
1023
1024
1025
.PP
It is possible to declare a
.I spawning class\fR.
A spawning class is a class that automatically produces subclasses
Shawn Routhier's avatar
Shawn Routhier committed
1026
based on what the client sends.  The reason that spawning classes
1027
were created was to make it possible to create lease-limited classes
Shawn Routhier's avatar
Shawn Routhier committed
1028
on the fly.  The envisioned application is a cable-modem environment
1029
1030
1031
1032
1033
1034
1035
where the ISP wishes to provide clients at a particular site with more
than one IP address, but does not wish to provide such clients with
their own subnet, nor give them an unlimited number of IP addresses
from the network segment to which they are connected.
.PP
Many cable modem head-end systems can be configured to add a Relay
Agent Information option to DHCP packets when relaying them to the
Shawn Routhier's avatar
Shawn Routhier committed
1036
1037
DHCP server.  These systems typically add a circuit ID or remote ID
option that uniquely identifies the customer site.  To take advantage
1038
of this, you can write a class declaration as follows:
Ted Lemon's avatar
Ted Lemon committed
1039
.PP
1040
.nf
1041
class "customer" {
1042
  spawn with option agent.circuit-id;
1043
1044
1045
1046
1047
  lease limit 4;
}
.fi
.PP
Now whenever a request comes in from a customer site, the circuit ID
Shawn Routhier's avatar
Shawn Routhier committed
1048
option will be checked against the class\'s hash table.  If a subclass
1049
is found that matches the circuit ID, the client will be classified in
Shawn Routhier's avatar
Shawn Routhier committed
1050
that subclass and treated accordingly.  If no subclass is found
1051
1052
matching the circuit ID, a new one will be created and logged in the
.B dhcpd.leases
Shawn Routhier's avatar
Shawn Routhier committed
1053
file, and the client will be classified in this new class.  Once the
1054
1055
1056
1057
1058
1059
1060
client has been classified, it will be treated according to the rules
of the class, including, in this case, being subject to the per-site
limit of four leases.
.PP
The use of the subclass spawning mechanism is not restricted to relay
agent options - this particular example is given only because it is a
fairly straightforward one.
1061
1062
1063
1064
.SH COMBINING MATCH, MATCH IF AND SPAWN WITH
.PP
In some cases, it may be useful to use one expression to assign a
client to a particular class, and a second expression to put it into a
Shawn Routhier's avatar
Shawn Routhier committed
1065
subclass of that class.  This can be done by combining the \fBmatch
1066
if\fR and \fBspawn with\fR statements, or the \fBmatch if\fR and
Shawn Routhier's avatar
Shawn Routhier committed
1067
\fBmatch\fR statements.  For example:
1068
1069
1070
1071
1072
1073
1074
1075
1076
.PP
.nf
class "jr-cable-modems" {
  match if option dhcp-vendor-identifier = "jrcm";
  spawn with option agent.circuit-id;
  lease limit 4;
}

class "dv-dsl-modems" {
Jeremy Reed's avatar
Jeremy Reed committed
1077
  match if option dhcp-vendor-identifier = "dvdsl";
1078
1079
1080
1081
1082
1083
1084
1085
  spawn with option agent.circuit-id;
  lease limit 16;
}
.fi
.PP
This allows you to have two classes that both have the same \fBspawn
with\fR expression without getting the clients in the two classes
confused with each other.
1086
1087
1088
1089
1090
1091
.SH DYNAMIC DNS UPDATES
.PP
The DHCP server has the ability to dynamically update the Domain Name
System.  Within the configuration files, you can define how you want
the Domain Name System to be updated.  These updates are RFC 2136
compliant so any DNS server supporting RFC 2136 should be able to
Ted Lemon's avatar
Ted Lemon committed
1092
accept updates from the DHCP server.
1093
.PP
Shawn Routhier's avatar
Shawn Routhier committed
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
There are two DNS schemes implemented.  The interim option is
based on draft revisions of the DDNS documents while the standard
option is based on the RFCs for DHCP-DNS interaction and DHCIDs.
A third option, ad-hoc, was deprecated and has now been removed
from the code base.  The DHCP server must be configured to use
one of the two currently-supported methods, or not to do DNS updates.
.PP
New installations should use the standard option. Older
installations may want to continue using the interim option for
backwards compatibility with the DNS database until the database
can be updated.  This can be done with the
1105
1106
.I ddns-update-style
configuration parameter.
Shawn Routhier's avatar
Shawn Routhier committed
1107
1108
1109
1110
1111
.SH THE DNS UPDATE SCHEME
the interim and standard DNS update schemes operate mostly according
to work from the IETF.  The interim version was based on the drafts
in progress at the time while the standard is based on the completed
RFCs.  The standard RFCs are:
Shawn Routhier's avatar
Shawn Routhier committed
1112
1113
1114
1115
1116
1117
1118
1119
1120
.PP
.nf
.ce 3
RFC 4701 (updated by RF5494)
RFC 4702
RFC 4703
.fi
.PP
And the corresponding drafts were:
1121
1122
1123
1124
.PP
.nf
.ce 3
draft-ietf-dnsext-dhcid-rr-??.txt
Shawn Routhier's avatar
Shawn Routhier committed
1125
1126
draft-ietf-dhc-fqdn-option-??.txt
draft-ietf-dhc-ddns-resolution-??.txt
1127
1128
.fi
.PP
Shawn Routhier's avatar
Shawn Routhier committed
1129
1130
1131
1132
1133
The basic framework for the two schemes is similar with the main
material difference being that a DHCID RR is used in the standard
version while the interim versions uses a TXT RR.  The format
of the TXT record bears a resemblance to the DHCID RR but it is not
equivalent (MD5 vs SHA2, field length differences etc).
1134
.PP
Shawn Routhier's avatar
Shawn Routhier committed
1135
In these two schemes the DHCP server does not necessarily
Shawn Routhier's avatar
Shawn Routhier committed
1136
always update both the A and the PTR records.  The FQDN option
1137
includes a flag which, when sent by the client, indicates that the
Shawn Routhier's avatar
Shawn Routhier committed
1138
client wishes to update its own A record.  In that case, the server
Shawn Routhier's avatar
Shawn Routhier committed
1139
can be configured either to honor the client\'s intentions or ignore
Shawn Routhier's avatar
Shawn Routhier committed
1140
1141
them.  This is done with the statement \fIallow client-updates;\fR or
the statement \fIignore client-updates;\fR.  By default, client
1142
1143
updates are allowed.
.PP
1144
1145
1146
If the server is configured to allow client updates, then if the
client sends a fully-qualified domain name in the FQDN option, the
server will use that name the client sent in the FQDN option to update
Shawn Routhier's avatar
Shawn Routhier committed
1147
1148
1149
1150
1151
the PTR record.  For example, let us say that the client is a visitor
from the "radish.org" domain, whose hostname is "jschmoe".  The
server is for the "example.org" domain.  The DHCP client indicates in
the FQDN option that its FQDN is "jschmoe.radish.org.".  It also
indicates that it wants to update its own A record.  The DHCP server
1152
1153
therefore does not attempt to set up an A record for the client, but
does set up a PTR record for the IP address that it assigns the
Shawn Routhier's avatar
Shawn Routhier committed
1154
client, pointing at jschmoe.radish.org.  Once the DHCP client has an
1155
1156
IP address, it can update its own A record, assuming that the
"radish.org" DNS server will allow it to do so.
1157
1158
.PP
If the server is configured not to allow client updates, or if the
Shawn Routhier's avatar
Shawn Routhier committed
1159
client doesn\'t want to do its own update, the server will simply
1160
1161
1162
1163
1164
1165
1166
1167
choose a name for the client. By default, the server will choose
from the following three values:
.PP
     1. \fBfqdn\fR option (if present)
     2. hostname option (if present)
     3. Configured hostname option (if defined).
.PP
If these defaults for choosing the host name are not appropriate
1168
you can write your own statement to set the ddns-hostname variable
1169
1170
1171
1172
1173
1174
1175
1176
as you wish.  If none of the above are found the server will use
the host declaration name (if one) and use-host-decl-names is on.
.PP
It will use its own domain name for the client.  It will then update
both the A and PTR record, using the name that it chose for the client.
If the client sends a fully-qualified domain name in the \fBfqdn\fR option,
the server uses only the leftmost part of the domain name - in the example
above, "jschmoe" instead of "jschmoe.radish.org".
1177
.PP
1178
1179
1180
1181
1182
1183
Further, if the \fIignore client-updates;\fR directive is used, then
the server will in addition send a response in the DHCP packet, using
the FQDN Option, that implies to the client that it should perform its
own updates if it chooses to do so.  With \fIdeny client-updates;\fR, a
response is sent which indicates the client may not perform updates.
.PP
1184
Both the standard and interim options also include a method to
Shawn Routhier's avatar
Shawn Routhier committed
1185
1186
1187
1188
allow more than one DHCP server to update the DNS database without
accidentally deleting A records that shouldn\'t be deleted nor failing
to add A records that should be added.  For the standard option the
method works as follows:
1189
1190
.PP
When the DHCP server issues a client a new lease, it creates a text
Shawn Routhier's avatar
Shawn Routhier committed
1191
1192
1193
string that is an SHA hash over the DHCP client\'s identification (see
RFCs 4701 & 4702 for details).  The update attempts to add an A
record with the name the server chose and a DHCID record containing the
Shawn Routhier's avatar
Shawn Routhier committed
1194
hashed identifier string (hashid).  If this update succeeds, the
1195
1196
1197
1198
server is done.
.PP
If the update fails because the A record already exists, then the DHCP
server attempts to add the A record with the prerequisite that there
Shawn Routhier's avatar
Shawn Routhier committed
1199
1200
must be a DHCID record in the same name as the new A record, and that
DHCID record\'s contents must be equal to hashid.  If this update
Shawn Routhier's avatar
Shawn Routhier committed
1201
succeeds, then the client has its A record and PTR record.  If it
1202