Configuring Microsoft Windows Server 2016/2019 to provide DHCP service for VXLAN (DFA)

The purpose of this article is to simplify the configuration of the DHCP service for VXLAN BGP EVPN and DFA fabrics using Microsoft Windows Server 2016/2019.


In the official documentation, the DHCP service configuration based on Microsoft Windows Server 2012 is a Superscope that contains a loopback pool (the key point of this pool is that all of its IP addresses are excluded from issue: excluded IP addresses = the whole pool) and an address-issuing pool for the real network (this is the highlight: a policy is configured on it that filters on the DHCP relay Agent Circuit ID, and this Agent Circuit ID contains the network's VNI, so for another pool the Agent Circuit ID is slightly different).

To configure DHCP on Windows server. 

1. Create a super scope. Within the super scope, create scope B, S1, S2, S3, …, Sn for the subnet B and the subnets for each segment. 
2. In scope B, specify the 'Exclusion Range' to be the entire address range (so that the offered address range must not be from this scope). 
3. For every segment scope Si, specify a policy that matches on Agent Circuit ID with value of '0108000600XXXXXX', where '0108000600' is a fixed value for all segments, the 6 numbers "XXXXXX" is the segment ID value in hexadecimal. Also ensure to check the Append wildcard(*) check box. 
4. Set the policy address range to the entire range of the scope.

This article answers the following questions:



Introduction


This section briefly lists all the initial data: the Cisco documentation with instructions for setting up the network devices, the RFCs used in DHCP packets in an eVPN fabric, and the evolution of the DHCP server setup on Microsoft Windows Server 2012, for reference, as well as brief information about Superscopes and policies in the DHCP service on Microsoft Windows Server.

How to configure DHCP relay in a VXLAN BGP EVPN / DFA fabric


Configuring DHCP relay in a VXLAN BGP EVPN fabric is not the subject of this article, because it is very simple. I provide the documentation links and a spoiler with the settings on the network device.


Example of DHCP relay settings on Nexus 9000V v9.2(3):
service dhcp
ip dhcp relay
ip dhcp relay information option
ip dhcp relay information option vpn
interface loopback10
  vrf member VRF1
  ip address 10.120.0.1/32 tag 1234567
interface Vlan12
  no shutdown
  vrf member VRF1
  no ip redirects
  ip address 10.120.251.1/24 tag 1234567
  no ipv6 redirects
  fabric forwarding mode anycast-gateway
  ip dhcp relay address 10.0.0.5
  ip dhcp relay source-interface loopback10



RFCs implemented in the operation of the DHCP relay service in a VXLAN BGP EVPN fabric



RFC#6607: Sub-option 151(0x97) - Virtual Subnet Selection
•	Sub-option 151(0x97) - Virtual Subnet Selection (Defined in RFC#6607)
Used to convey VRF related information to the DHCP server in an MPLS-VPN and VXLAN EVPN multi-tenant environment.


RFC#5107: Sub-option 11(0xb) - Server ID Override
•	Sub-option 11(0xb) - Server ID Override (Defined in RFC#5107.) 
The server identifier (server ID) override sub-option allows the DHCP relay agent to specify a new value for the server ID option, which is inserted by the DHCP server in the reply packet. This sub-option allows the DHCP relay agent to act as the actual DHCP server such that the renew requests will come to the relay agent rather than the DHCP server directly. The server ID override sub-option contains the incoming interface IP address, which is the IP address on the relay agent that is accessible from the client. Using this information, the DHCP client sends all renew and release request packets to the relay agent. The relay agent adds all of the appropriate sub-options and then forwards the renew and release request packets to the original DHCP server. For this function, Cisco’s proprietary implementation is sub-option 152(0x98). You can use the ip dhcp relay sub-option type cisco command to manage the function.


RFC#3527: Sub-option 5(0x5) - Link Selection
•	Sub-option 5(0x5) - Link Selection (Defined in RFC#3527.) 

The link selection sub-option provides a mechanism to separate the subnet/link on which the DHCP client resides from the gateway address (giaddr), which can be used to communicate with the relay agent by the DHCP server. The relay agent will set the sub-option to the correct subscriber subnet and the DHCP server will use that value to assign an IP address rather than the giaddr value. The relay agent will set the giaddr to its own IP address so that DHCP messages are able to be forwarded over the network. For this function, Cisco’s proprietary implementation is sub-option 150(0x96). You can use the ip dhcp relay sub-option type cisco command to manage the function.

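As an added example (not part of the original article), the following PowerShell decodes a DHCP Option 82 value into the sub-options discussed above and shows which address a server that understands RFC 3527 uses to select the scope, as opposed to the giaddr fallback. The Option 82 bytes are constructed for illustration: the addresses come from the relay configuration shown earlier, while the VNI 30012, the VRF name encoding and the trailing zero bytes of the circuit ID are assumptions that follow the '0108000600' + VNI layout described in the article.

```powershell
# Added example (not from the article): decode DHCP Option 82 (Relay Agent Information)
# sub-options 1 (Agent Circuit ID), 5 (Link Selection), 11 (Server ID Override) and
# 151 (Virtual Subnet Selection). Sample bytes below are constructed; VNI 30012 is assumed.

function ConvertFrom-Option82 {
    # Split the raw option 82 value (sub-option TLVs only) into code/hex/data records.
    param([Parameter(Mandatory)][byte[]] $Value)
    $subs = @()
    $i = 0
    while ($i -lt $Value.Length) {
        if ($i + 1 -ge $Value.Length) { throw "Truncated sub-option header at offset $i" }
        $code = [int]$Value[$i]
        $len  = [int]$Value[$i + 1]
        if ($i + 2 + $len -gt $Value.Length) { throw "Sub-option $code runs past the end of the option" }
        $data = New-Object byte[] $len
        if ($len -gt 0) { [Array]::Copy($Value, $i + 2, $data, 0, $len) }
        # Hex includes the code and length bytes: this is the form the Windows policy string uses
        $hex = ($Value[$i..($i + 1 + $len)] | ForEach-Object { $_.ToString('x2') }) -join ''
        $subs += [pscustomobject]@{ Code = $code; Hex = $hex; Data = $data }
        $i += 2 + $len
    }
    return $subs
}

function Get-RelayScopeHint {
    # Interpret the sub-options and decide which address identifies the client's subnet.
    param([Parameter(Mandatory)][string] $Giaddr, [Parameter(Mandatory)][byte[]] $Option82)
    $hint = [ordered]@{ Giaddr = $Giaddr; LinkSelection = $null; ServerIdOverride = $null
                        Vrf = $null; Vni = $null; CircuitIdHex = $null; ScopeSelector = $null }
    foreach ($s in ConvertFrom-Option82 -Value $Option82) {
        switch ($s.Code) {
            1 {
                $hint.CircuitIdHex = $s.Hex
                # Article layout: fixed '0108000600', then 6 hex digits (24 bits) of VNI
                if ($s.Hex.StartsWith('0108000600') -and $s.Hex.Length -ge 16) {
                    $hint.Vni = [Convert]::ToInt32($s.Hex.Substring(10, 6), 16)
                }
            }
            5   { $hint.LinkSelection    = [System.Net.IPAddress]::new($s.Data).ToString() }
            11  { $hint.ServerIdOverride = [System.Net.IPAddress]::new($s.Data).ToString() }
            151 {
                # RFC 6607: type byte 0 means an ASCII VPN (VRF) name follows
                if ($s.Data.Length -gt 1 -and $s.Data[0] -eq 0) {
                    $hint.Vrf = [System.Text.Encoding]::ASCII.GetString($s.Data, 1, $s.Data.Length - 1)
                }
            }
        }
    }
    # RFC 3527: a server that understands sub-option 5 selects the scope from it; a server that
    # does not (Windows Server 2012) falls back to giaddr, hence the loopback Superscope there
    if ($hint.LinkSelection) { $hint.ScopeSelector = $hint.LinkSelection } else { $hint.ScopeSelector = $hint.Giaddr }
    return [pscustomobject]$hint
}

# Constructed sample: circuit ID for VNI 30012 (0x00753C), link selection 10.120.251.0,
# server ID override 10.120.251.1 (the anycast gateway), VSS carrying the VRF name "VRF1"
$sample = [byte[]](
    0x01, 0x08, 0x00, 0x06, 0x00, 0x00, 0x75, 0x3C, 0x00, 0x00,  # sub-option 1, length 8
    0x05, 0x04, 10, 120, 251, 0,                                  # sub-option 5, length 4
    0x0B, 0x04, 10, 120, 251, 1,                                  # sub-option 11, length 4
    0x97, 0x05, 0x00, 0x56, 0x52, 0x46, 0x31                      # sub-option 151: type 0, "VRF1"
)
Get-RelayScopeHint -Giaddr '10.120.0.1' -Option82 $sample | Format-List
```

Run against a real capture, feed the function the bytes of option 82 only (after the 0x52 code and length byte). The ScopeSelector field makes the difference between the server generations visible: with sub-option 5 present it is the client subnet, without it the loopback giaddr, which is the address a Windows Server 2012 Superscope has to contain.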


Cisco documentation on DHCP with Microsoft Windows Server 2012


I include this section because the vendor shows a positive trend:

Nexus 9000 VXLAN Configuration Guide 7.3

This document contains only the DHCP relay settings on the network device.

A separate article covers configuring DHCP on Windows Server 2012:

Configuring Microsoft Windows Server 2012 to provide DHCP service in eVPN scenarios (VXLAN, Cisco One Fabric, etc.)

This article states that every network/VNI needs its own Superscope bundle and its own set of loopback addresses:

If multiple DHCP Scopes are required for multiple subnets, you need to create one LoopbackX per subnet/vlan on all LEAFS and create a superscope with a loopbackX range scope and actual client IP subnet scope per vlan.

Nexus 9000 VXLAN Configuration Guide 9.3

The Windows Server 2012 setup was added to the document on configuring the network devices. One Superscope per data center is needed for all address pools in use, and that Superscope is the administrative boundary of the data center:

Create Superscope for all scopes you want to use for Option 82-based policies.
Note
The Superscope should combine all scopes and act as the administrative boundary.

Cisco Dynamic Fabric Automation

Everything is discussed very thoroughly:

Let us assume the switch is using the address from subnet B (it can be the backbone subnet, management subnet, or any customer designated subnet for this purpose) to communicate with the Windows DHCP server. In DFA we have subnets S1, S2, S3, …, Sn for segment s1, s2, s3, …, sn. 

To configure DHCP on Windows server. 

1. Create a super scope. Within the super scope, create scope B, S1, S2, S3, …, Sn for the subnet B and the subnets for each segment. 
2. In scope B, specify the 'Exclusion Range' to be the entire address range (so that the offered address range must not be from this scope). 
3. For every segment scope Si, specify a policy that matches on Agent Circuit ID with value of '0108000600XXXXXX', where '0108000600' is a fixed value for all segments, the 6 numbers "XXXXXX" is the segment ID value in hexadecimal. Also ensure to check the Append wildcard(*) check box. 
4. Set the policy address range to the entire range of the scope.

DHCP on Microsoft Windows Server (Superscopes and policies)


Superscope


Superscope is an administrative feature of a DHCP server that can be used to group multiple scopes as a single administrative entity. Superscope allows a DHCP server to provide leases from more than one scope to clients on a single physical network. Scopes added to a superscope are called member scopes.

What is a Superscope? This feature lets you combine several IP address pools into one administrative unit. Clients on the same physical network (in one VLAN) are offered IP addresses from several pools. If a request arrives at an address pool that is part of a Superscope, the client can be issued an address from another scope contained in the same Superscope.

Policies


The DHCP Server role in Windows Server 2012 introduces a new feature that allows you to create IPv4 policies that specify custom IP address and option assignments for DHCP clients based on a set of conditions.

The policy based assignment (PBA) feature allows you to group DHCP clients by specific attributes based on fields contained in the DHCP client request packet. PBA enables targeted administration and greater control of the configuration parameters delivered to network devices with DHCP.

Policies allow IP addresses to be assigned according to the client type or parameters. Cisco engineers use the policies in Windows Server 2012 to filter by VNI (Virtual Network Identifier).

Main part


This section covers the results of the research: why there is no support, how it works (the logic), the new feature, and how the new feature helps us.

Why are Microsoft Windows Server 2000/2003/2008 not supported?


Microsoft Windows Server 2008 and earlier do not process Option 82 and send the return packets without Option 82 (see Win2k8 R2 DHCP issue with Option 82):

  1. The client sends a broadcast request (DHCP Discover).
  2. The device (Nexus) forwards the packet to the DHCP server (DHCP Discover + Option 82).
  3. The DHCP server accepts the packet, processes it, and sends it back, but without Option 82 (DHCP Offer without Option 82).
  4. The device (Nexus) receives the packet from the DHCP server (DHCP Offer) but does not forward it to the end client.

Sniffer data on Windows Server 2008 and the DHCP client
[Screenshots not preserved: Windows Server 2008 (Option 82); DHCP Discover and DHCP Offer]

Relay statistics on the Nexus:

NEXUS-9000V-SW-1# show ip dhcp relay statistics 
----------------------------------------------------------------------
Message Type             Rx              Tx           Drops  
----------------------------------------------------------------------
Discover                  8               8               0
Offer                     8               8               0
Request(*)                0               0               0
Ack                       0               0               0
Release(*)                0               0               0
Decline                   0               0               0
Inform(*)                 0               0               0
Nack                      0               0               0
----------------------------------------------------------------------
Total                    16              16               0
----------------------------------------------------------------------

DHCP L3 FWD:
Total Packets Received                           :         0
Total Packets Forwarded                          :         0
Total Packets Dropped                            :         0
Non DHCP:
Total Packets Received                           :         0
Total Packets Forwarded                          :         0
Total Packets Dropped                            :         0
DROP:
DHCP Relay not enabled                           :         0
Invalid DHCP message type                        :         0
Interface error                                  :         0
Tx failure towards server                        :         0
Tx failure towards client                        :         0
Unknown output interface                         :         0
Unknown vrf or interface for server              :         0
Max hops exceeded                                :         0
Option 82 validation failed                      :         0
Packet Malformed                                 :         0
Relay Trusted port not configured                :         0
DHCP Request dropped on MCT                      :         0
*  -  These counters will show correct value when switch 
receives DHCP request packet with destination ip as broadcast
address. If request is unicast it will be HW switched
NEXUS-9000V-SW-1#


Why is the configuration on Microsoft Windows Server 2012 so complicated?


Microsoft Windows Server 2012 does not yet support RFC 3527 (Option 82 sub-option 5 (0x5), Link Selection), but the policy feature is implemented.

How it works:

  • Microsoft Windows Server 2012 has a Superscope containing the loopback addresses and the pools for the real networks.
  • The choice of the pool that issues the IP address falls within the Superscope, because the request arrives from the DHCP relay with a source loopback address that the Superscope contains.
  • A policy on the request selects the member scope inside the Superscope whose VNI is carried in Option 82 sub-option 1, Agent Circuit ID ('0108000600' + 24 bits of VNI + 24 bits whose meaning I do not know, but the sniffer shows the value 0 in this field).
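The Windows Server 2012 configuration just described (loopback scope fully excluded, segment scope with an Agent Circuit ID policy, both inside a Superscope) in scripted form, added here as an example: it is not from the article or from Cisco's documentation, and it uses the DhcpServer PowerShell module. The addresses are taken from the relay configuration shown earlier; the server name, the scope names, the /24 used for the loopback scope B and the VNI 30012 are assumptions.

```powershell
# Added example (not from the article): Windows Server 2012-style DHCP for one VXLAN segment.
# Server name, scope names, the loopback /24 and the VNI are assumptions.

function ConvertTo-CircuitIdCondition {
    # Build the Agent Circuit ID match string from the article: fixed '0108000600', then
    # 24 bits of VNI as 6 hex digits, then the wildcard the GUI's "Append wildcard(*)" box adds.
    param([Parameter(Mandatory)][int] $Vni)
    if ($Vni -lt 0 -or $Vni -gt 0xFFFFFF) { throw "VNI $Vni does not fit in 24 bits" }
    return '0108000600' + $Vni.ToString('X6') + '*'
}

$Server = 'dhcp-2012.example.test'   # assumption
$Vni    = 30012                      # assumption

# Scope B: the relay source loopbacks. The whole range is excluded so nothing is leased from it;
# it exists only so that requests relayed from these giaddr values land inside the Superscope.
Add-DhcpServerv4Scope -ComputerName $Server -Name 'VRF1-relay-loopbacks' `
    -StartRange 10.120.0.1 -EndRange 10.120.0.254 -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4ExclusionRange -ComputerName $Server -ScopeId 10.120.0.0 `
    -StartRange 10.120.0.1 -EndRange 10.120.0.254

# Scope S1: the client segment (VLAN 12), with the anycast gateway as the router option
Add-DhcpServerv4Scope -ComputerName $Server -Name 'VRF1-VLAN12' `
    -StartRange 10.120.251.10 -EndRange 10.120.251.250 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ComputerName $Server -ScopeId 10.120.251.0 -Router 10.120.251.1

# Policy: match the Agent Circuit ID carrying this segment's VNI and serve the whole scope range
$condition = ConvertTo-CircuitIdCondition -Vni $Vni          # '010800060000753C*'
Add-DhcpServerv4Policy -ComputerName $Server -ScopeId 10.120.251.0 -Name "VNI-$Vni" `
    -Condition OR -CircuitId $condition
Add-DhcpServerv4PolicyIPRange -ComputerName $Server -ScopeId 10.120.251.0 -Name "VNI-$Vni" `
    -StartRange 10.120.251.10 -EndRange 10.120.251.250

# Superscope binding both member scopes, so a request that arrives via a loopback giaddr
# can be answered from S1 rather than from the (fully excluded) scope B
Add-DhcpServerv4Superscope -ComputerName $Server -SuperscopeName 'VXLAN-Fabric' `
    -ScopeId 10.120.0.0, 10.120.251.0
```

Each further segment repeats the S1 part with its own subnet and VNI and is added to the same Superscope; the per-segment hex conversion is exactly the manual step that Windows Server 2016/2019 makes unnecessary.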


How easy is the setup on Microsoft Windows Server 2016/2019?


Microsoft Windows Server 2016 implements the RFC 3527 functionality. That is, Windows Server 2016 can identify the correct network from the Option 82 sub-option 5 (0x5) Link Selection attribute.

Three questions arise immediately:

  • Can we do without a Superscope?
  • Can we do without policies and without converting the VNI to hexadecimal?
  • Can we do without a scope for the loopback DHCP source addresses?

Q: Can we do without a Superscope?
A: Yes, scopes can be created directly under the IPv4 node.
Q: Can we do without policies and without converting the VNI to hexadecimal?
A: Yes, the network is selected from Option 82 sub-option 0x5.
Q: Can we do without a scope for the loopback DHCP source addresses?
A: No, we cannot, because Microsoft Windows Server 2016/2019 has protection against rogue DHCP requests: every request from an address that is not within the DHCP server's scopes is treated as rogue.

DHCP Subnet Selection Options

Note
All relay agent IP addresses (GIADDR) must be part of an active DHCP scope IP address range. Any GIADDR outside of the DHCP scope IP address ranges is considered a rogue relay and Windows DHCP Server will not acknowledge DHCP client requests from those relay agents.

A special scope can be created to "authorize" relay agents. Create a scope with the GIADDR (or multiple if the GIADDR's are sequential IP addresses), exclude the GIADDR address(es) from distribution, and then activate the scope. This will authorize the relay agents while preventing the GIADDR addresses from being assigned.

So, to configure DHCP scopes on Microsoft Windows Server 2016/2019 for a VXLAN BGP EVPN fabric you only need to:

  • create a scope for the relay source addresses;
  • create scopes for the client networks.

What is not needed (but you can configure it; it will work and will not interfere):

  • creating policies
  • creating a Superscope
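The minimal Windows Server 2016/2019 configuration from the two bullets above, as an added example (not from the article), together with a check that the relay's source address falls inside an active scope, which is what the rogue-relay rule quoted above requires. The server name, the scope names and the /24 used for the loopbacks are assumptions; the addresses follow the relay configuration shown earlier.

```powershell
# Added example (not from the article): Windows Server 2016/2019 needs only two kinds of scope,
# and no Superscope or policy. Server name, scope names and the loopback /24 are assumptions.

function ConvertTo-UInt32Address {
    # IPv4 address to a number so that scope ranges can be compared
    param([Parameter(Mandatory)][ipaddress] $Address)
    $b = $Address.GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Test-RelayAuthorized {
    # True when giaddr lies inside an active scope. Otherwise Windows Server 2016/2019 treats the
    # relay as rogue and does not answer its requests, even though the client scope itself exists.
    param([Parameter(Mandatory)][string] $ComputerName, [Parameter(Mandatory)][ipaddress] $Giaddr)
    $g = ConvertTo-UInt32Address $Giaddr
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
        if ($scope.State -ne 'Active') { continue }
        $lo = ConvertTo-UInt32Address $scope.StartRange
        $hi = ConvertTo-UInt32Address $scope.EndRange
        if ($g -ge $lo -and $g -le $hi) { return $true }
    }
    return $false
}

$Server = 'dhcp-2019.example.test'   # assumption

# Scope for the relay source (loopback) addresses: fully excluded, so it authorizes the relays
# without ever leasing from their range
Add-DhcpServerv4Scope -ComputerName $Server -Name 'VRF1-relay-loopbacks' `
    -StartRange 10.120.0.1 -EndRange 10.120.0.254 -SubnetMask 255.255.255.0 -State Active
Add-DhcpServerv4ExclusionRange -ComputerName $Server -ScopeId 10.120.0.0 `
    -StartRange 10.120.0.1 -EndRange 10.120.0.254

# Scope for the client network: the server picks it from sub-option 5 (Link Selection),
# so no Superscope and no circuit-ID policy are required
Add-DhcpServerv4Scope -ComputerName $Server -Name 'VRF1-VLAN12' `
    -StartRange 10.120.251.10 -EndRange 10.120.251.250 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ComputerName $Server -ScopeId 10.120.251.0 -Router 10.120.251.1

# Verify that loopback10 from the Nexus relay configuration is covered by an active scope
Test-RelayAuthorized -ComputerName $Server -Giaddr 10.120.0.1
```

If Test-RelayAuthorized returns False for a leaf's relay source address, that leaf's clients get no offers no matter how the client scope is configured; extend the loopback scope (or add one per loopback block) and keep the exclusion covering the full range.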

[Lab diagrams not preserved. Captions: DHCP (2 DHCP — VXLAN); Source DHCP Relay]


Configuring the DHCP service on Microsoft Windows Server 2019

[Screenshot walkthrough; only the caption fragments survive. First scope, for the loopback (source) DHCP relay addresses: New Scope (IPv4); «Next >»; Description; IP Loopback range; «Next >»; DHCP options (DNS, WINS, Gateway, Domain); «Finish»; Scope: «Activate». Second scope, for the client network: «Next >»; Description; IP range; «Next >»; «Next >»; DHCP options (DNS, WINS, Gateway, Domain); DNS; WINS IP; Scope; «Finish».]




Conclusion


Using Windows Server 2016/2019 reduces the complexity of configuring a DHCP server for a VXLAN fabric (or any other fabric). (There is no need to hand the IT specialist a dedicated bundle of network / Agent Circuit ID values for setting up the filter.)

Can the Windows Server 2012 configuration be used on the new Server 2016/2019? Yes, it works.

This document gives links to two versions, 7.x and 9.3. This is because Cisco's recommended release is 7.0(3)I7(7), while release 9.3 is the most innovative (up to multicast support over VXLAN Multi-Site).

List of sources


  1. Nexus 9000 VXLAN Configuration Guide 7.x
  2. Nexus 9000 VXLAN Configuration Guide 9.3
  3. DFA (Cisco Dynamic Fabric Automation)
  4. Configuring Microsoft Windows Server 2012 to provide DHCP service in eVPN scenarios (VXLAN, Cisco One Fabric, etc.)
  5. 3.4 DHCP Superscopes
  6. Introduction to DHCP Policies
  7. Win2k8 R2 DHCP issue with Option 82
  8. DHCP Subnet Selection Options
