LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue83/ward.html

265 lines
12 KiB
HTML
Raw Permalink Blame History

<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Subnetting your local network with DHCP LG #83</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="tougher.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue83/ward.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="lg_backpage.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<!--endcut ============================================================-->
<TABLE BORDER><TR><TD WIDTH="200">
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/2002/lglogo_200x41.png"
WIDTH="200" HEIGHT="41" border="0"></A>
<BR CLEAR="all">
<SMALL>...<I>making Linux just a little more fun!</I></SMALL>
</TD><TD WIDTH="380">
<center>
<BIG><BIG><STRONG><FONT COLOR="maroon">Subnetting your local network with DHCP</FONT></STRONG></BIG></BIG><BR>
<STRONG>By <A HREF="../authors/ward.html">Alan Ward</A></STRONG></BIG>
</TD></TR>
</TABLE>
<P>
<!-- END header -->
<p><b>Why subnet?</b></p>
<p>As hardware prices go down and local networks grow larger, a new size of
local network is becoming common: the size in between the small office
(5-10 hosts) and the large corporate building-sized LAN (more than 50 hosts).</p>
<p>With less than 10 hosts, it is generally easy to manage the network:
all hosts get on to the same Ethernet segment, and security -- if necessary --
is implemented at host level: passwords and such. With more than 50
hosts, you can generally obtain funding for managed switches than can
define virtual networks (VLANs). The Accounting Department will go on
one VLAN, Production on another and so forth. Every host will have access
to other hosts in its VLAN and to the company servers, but not across
VLANs. Security is managed at both host and network levels.</p>
<p>On middlish-sized local networks however, we often must put all hosts
on the same segment once more. Recent cheap LAN switches are capable of
handling traffic between up to 50 hosts easily. However, switches with
VLAN capability are much more expensive. Well-known brands are selling for
upwards of US $1200 for a 24-port switch, which may be worth it -- but is
completely out of many budgets. Mine for one.</p>
<p><b>DHCP and subnetworks</b></p>
<p>One of the local networks I administer in the school I work in
is a long string of non-managed Ethernet switches. This is basically because
of how the building was initially drawn up. On this, I must handle traffic
from several different types of host; to simplify let's say I have
teacher-level traffic (group A) and student-level traffic (group B).
These must not mix: I do not want people from each group accessing the
other group's files or
printers (passwords tend to be weaker than I would like).</p>
<p>The simplest way to separate the groups at logical level is to give
each group a different IP network address. For example, group A gets
addresses on network 192.168.10.0 (e.g. 192.168.10.12), while group B
get addresses on network 192.168.20.0 (e.g. 192.168.20.34). Servers
that are present on both must have an address on each network.</p>
<p align=center><img src="misc/ward/map.jpg"><br>
<i>Our network topology</i></p>
<p>A DHCP server is a good way of doing this. This is the service you
access when using a dial-up Internet connection: you connect to
your ISP, who assigns you a temporary public IP address. Most Linux
distributions include a DHCP server, which can also be used on a
local network.</p>
<p>Initially, you can give the DHCP server a range of IP addresses
to distribute: for example 192.168.1.100 to 192.168.1.199. Any host
that starts up and asks for an address will get one of these. After the
host is switched back off, the address will be liberated and can be
re-used on another host if needed.</p>
<p>But Ethernet cards all carry a unique identification number, called
a MAC address. This is a 12-digit hexadecimal number that is assigned
by the manufacturer, and that is guaranteed to be different from any
other Ethernet card, anywhere in the world. A DHCP server can be configured
to use this MAC address to always assign the same IP address to the host.</p>
<p>Using this, we can make a list of the MAC addresses of the hosts in
our group A, and make DHCP serve them fixed IP addresses on the 192.168.10.0
subnet. The MAC addresses of hosts in group B are served addresses on
the 192.168.20.0 subnet, and hosts that are not on either list (visitors'
laptops, for example) get an address on subnet 192.168.1.0 .
<p>DHCP has an advantage over VLANs in this respect: VLANs are defined
for physical network ports, while DHCP uses card addresses. With a VLAN,
if you physically change your computer's network connection -- as in
moving from one room to another -- you may also change its VLAN. With
DHCP however, its subnet assignation will remain the same.</p>
<p><b>Setting up DHCP</b></p>
<p>On most Linux distributions, the DHCP server is called dhcpd, and
is started with the standard scripts (the same as httpd, postfix, ...).
It can be found in RPM form, as for example in <u>dhcp-3.0-3mdk.i386.rpm</u>.
If you already have it installed on your system, try the dhcpd and
dhcpd.conf man pages.</p>
<p>To begin, I used the webmin utility to set up a basic subnet DHCP
service. Notice that this service has to be on network 192.168.0.0
with netmask 255.255.0.0 . This is because it must be accessible
from al subnets.</p>
<p align=center><img src="misc/ward/main.jpg"><br></p>
<p>I then set up each specific host, specifying it's name, hardware
MAC address and the IP address I want to serve to it. Note the
IP address, now on subnet 192.168.10.0 .</p>
<p align=center><img src="misc/ward/client.jpg"><br></p>
<p>To obtain the Ethernet MAC address, most cards have it printed
on a label sticking to the card. It yours does not, you can skip this
step for the moment. Finish setting up the DHCP service and fire up
the hosts one by one. As each host obtains an IP address (on subnet
192.168.1.0 for the time being), you will see it appear in file
<u>/var/lib/dhcp/dhcpd.leases</u>. For example: </p>
<p><pre>
lease 192.168.1.198 {
hardware ethernet 00:00:b4:38:cf:6a;
client-hostname "bis";
}
</pre></p>
<p>Please note that <strong>only</strong> addresses obtained from
the general subnet will appear here; not when you have given a
host a fixed address.</p>
<p>Finish setting up the fixed addresses for hosts on the DHCP server.</p>
<p>Start or restart the DHCP server. Hosts should now be obtaining
their assigned IP addresses. You can see this on a Linux host with
the <u>ifconfig</u> utility. On a Windows box, you can use <u>winipcfg</u>
under Win95/98/ME, or <u>ipconfig</u> (in a terminal window) under WinNT/2k.</p>
<p>But network masks should now still be the default 255.255.0.0 . This is
not good, as hosts on subnets 192.168.10.0 and 192.168.20.0 can see each
others (try a ping). We should now go to each host definition for dhcpd,
and in the "edit client options" set its subnet mask as 255.255.255.0 and
its default router to 192.168.X.1 for subnet 192.168.X.0 . For example,
on subnet 192.168.10.0:</p>
<p align=center><img src="misc/ward/client1.jpg"><br></p>
<p>Remember to also set the network mask to 255.255.255.0 for the
general 192.168.0.0 subnet client options.
<p>You can edit the <u>/etc/dhcpd.conf</u> file by hand. It may even
be more clear than the webmin interface. This is what you could have:</p>
<p><pre>
#
# main subnet, accessed by default by hosts we do not know
#
subnet 192.168.0.0 netmask 255.255.0.0 {
option subnet-mask 255.255.255.0;
option routers 192.168.1.1;
range 192.168.1.101 192.168.1.199;
}
#
# host definition, one for each known host on our LAN
#
host bis {
option subnet-mask 255.255.255.0;
option routers 192.168.10.1;
hardware ethernet 00:00:b4:38:cf:6a; # 12-digit hex MAC address
fixed-address 192.168.10.34;
}
</pre></p>
<p><b>Making the server accessible</b></p>
<p>In the above example, we made 192.168.X.1 the default router for each
subnet 192.168.X.0 . But for the time being, our server has IP address
192.168.1.1 -- which means that:<br>
<ul><li>hosts on subnet 192.168.10.0 will try to
obtain an IP address</li>
<li>they will obtain such an address from server 192.168.1.1</li>
<li>this address will be on subnet 192.168.10.0, netmask 255.255.255.0</li>
<li>they are now unable to contact server 192.168.1.1 <strong>which is
on another subnet!!!</strong></li>
</ul></p>
<p>This is why our server must have an extra IP address for each
subnet: 192.168.10.1, 192.168.20.1, etc. This can easily be set up
by creating virtual network cards eth0:1, eth0:2, etc. with webmin:</p>
<p align=center><img src="misc/ward/virtual.jpg"><br></p>
<p>You can also create this by hand. On a Mandrake or Red Hat distribution,
the files are in <u>/etc/sysconfig/network-scripts</u>. You
should already have a file called <u>ifcfg-eth0</u>. Copy this as
<u>ifcfg-eth0:1</u>, <u>ifcfg-eth0:2</u>, ... changing the addresses
and netmasks as appropriate. For example, for eth0:1 :</p>
<p><pre>
BROADCAST=192.168.10.0
DEVICE=eth0:1
NETMASK=255.255.255.0
IPADDR=192.168.10.1
NETWORK=192.168.10.0
ONBOOT=yes
BOOTPROTO=none
</pre></p>
<p>This is basically all you need. You may now have to enable routing on the
server, for example if you
are using it to access Internet. But be careful to disable routing between
local subnets; 192.168.X.0 should not be able to see 192.168.Y.0 . Use
a firewalling package such as iptables to block this. You can also use
this to block or allow Internet access from any or all subnets if you wish.</p>
<hr>
<p>PS. Should anybody want to translate this article: I wrote it in
the spirit of the GPL software licence. i.e. you are free (and
indeed encouraged) to copy, post and translate it -- but please,
PLEASE, send me notice by email! I like to keep track of translations --
it's good for the curriculum :-)</p>
<!-- *** BEGIN copyright *** -->
<hr>
<CENTER><SMALL><STRONG>
Copyright &copy; 2002, Alan Ward.
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 83 of <i>Linux Gazette</i>, October 2002</H5>
</STRONG></SMALL></CENTER>
<!-- *** END copyright *** -->
<HR>
<!--startcut ==========================================================-->
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="tougher.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue83/ward.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="lg_backpage.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink