265 lines
12 KiB
HTML
265 lines
12 KiB
HTML
<!--startcut ==============================================-->
|
|
<!-- *** BEGIN HTML header *** -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>Subnetting your local network with DHCP LG #83</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!-- *** END HTML header *** -->
|
|
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="tougher.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue83/ward.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="lg_backpage.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
|
|
<!--endcut ============================================================-->
|
|
|
|
<TABLE BORDER><TR><TD WIDTH="200">
|
|
<A HREF="http://www.linuxgazette.com/">
|
|
<IMG ALT="LINUX GAZETTE" SRC="../gx/2002/lglogo_200x41.png"
|
|
WIDTH="200" HEIGHT="41" border="0"></A>
|
|
<BR CLEAR="all">
|
|
<SMALL>...<I>making Linux just a little more fun!</I></SMALL>
|
|
</TD><TD WIDTH="380">
|
|
|
|
|
|
<center>
|
|
<BIG><BIG><STRONG><FONT COLOR="maroon">Subnetting your local network with DHCP</FONT></STRONG></BIG></BIG><BR>
|
|
<STRONG>By <A HREF="../authors/ward.html">Alan Ward</A></STRONG></BIG>
|
|
|
|
</TD></TR>
|
|
</TABLE>
|
|
<P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
|
|
<p><b>Why subnet?</b></p>
|
|
|
|
<p>As hardware prices go down and local networks grow larger, a new size of
|
|
local network is becoming common: the size in between the small office
|
|
(5-10 hosts) and the large corporate building-sized LAN (more than 50 hosts).</p>
|
|
|
|
<p>With less than 10 hosts, it is generally easy to manage the network:
|
|
all hosts get on to the same Ethernet segment, and security -- if necessary --
|
|
is implemented at host level: passwords and such. With more than 50
|
|
hosts, you can generally obtain funding for managed switches than can
|
|
define virtual networks (VLANs). The Accounting Department will go on
|
|
one VLAN, Production on another and so forth. Every host will have access
|
|
to other hosts in its VLAN and to the company servers, but not across
|
|
VLANs. Security is managed at both host and network levels.</p>
|
|
|
|
<p>On middlish-sized local networks however, we often must put all hosts
|
|
on the same segment once more. Recent cheap LAN switches are capable of
|
|
handling traffic between up to 50 hosts easily. However, switches with
|
|
VLAN capability are much more expensive. Well-known brands are selling for
|
|
upwards of US $1200 for a 24-port switch, which may be worth it -- but is
|
|
completely out of many budgets. Mine for one.</p>
|
|
|
|
<p><b>DHCP and subnetworks</b></p>
|
|
|
|
<p>One of the local networks I administer in the school I work in
|
|
is a long string of non-managed Ethernet switches. This is basically because
|
|
of how the building was initially drawn up. On this, I must handle traffic
|
|
from several different types of host; to simplify let's say I have
|
|
teacher-level traffic (group A) and student-level traffic (group B).
|
|
These must not mix: I do not want people from each group accessing the
|
|
other group's files or
|
|
printers (passwords tend to be weaker than I would like).</p>
|
|
|
|
<p>The simplest way to separate the groups at logical level is to give
|
|
each group a different IP network address. For example, group A gets
|
|
addresses on network 192.168.10.0 (e.g. 192.168.10.12), while group B
|
|
get addresses on network 192.168.20.0 (e.g. 192.168.20.34). Servers
|
|
that are present on both must have an address on each network.</p>
|
|
|
|
<p align=center><img src="misc/ward/map.jpg"><br>
|
|
<i>Our network topology</i></p>
|
|
|
|
<p>A DHCP server is a good way of doing this. This is the service you
|
|
access when using a dial-up Internet connection: you connect to
|
|
your ISP, who assigns you a temporary public IP address. Most Linux
|
|
distributions include a DHCP server, which can also be used on a
|
|
local network.</p>
|
|
|
|
<p>Initially, you can give the DHCP server a range of IP addresses
|
|
to distribute: for example 192.168.1.100 to 192.168.1.199. Any host
|
|
that starts up and asks for an address will get one of these. After the
|
|
host is switched back off, the address will be liberated and can be
|
|
re-used on another host if needed.</p>
|
|
|
|
<p>But Ethernet cards all carry a unique identification number, called
|
|
a MAC address. This is a 12-digit hexadecimal number that is assigned
|
|
by the manufacturer, and that is guaranteed to be different from any
|
|
other Ethernet card, anywhere in the world. A DHCP server can be configured
|
|
to use this MAC address to always assign the same IP address to the host.</p>
|
|
|
|
<p>Using this, we can make a list of the MAC addresses of the hosts in
|
|
our group A, and make DHCP serve them fixed IP addresses on the 192.168.10.0
|
|
subnet. The MAC addresses of hosts in group B are served addresses on
|
|
the 192.168.20.0 subnet, and hosts that are not on either list (visitors'
|
|
laptops, for example) get an address on subnet 192.168.1.0 .
|
|
|
|
<p>DHCP has an advantage over VLANs in this respect: VLANs are defined
|
|
for physical network ports, while DHCP uses card addresses. With a VLAN,
|
|
if you physically change your computer's network connection -- as in
|
|
moving from one room to another -- you may also change its VLAN. With
|
|
DHCP however, its subnet assignation will remain the same.</p>
|
|
|
|
<p><b>Setting up DHCP</b></p>
|
|
|
|
<p>On most Linux distributions, the DHCP server is called dhcpd, and
|
|
is started with the standard scripts (the same as httpd, postfix, ...).
|
|
It can be found in RPM form, as for example in <u>dhcp-3.0-3mdk.i386.rpm</u>.
|
|
If you already have it installed on your system, try the dhcpd and
|
|
dhcpd.conf man pages.</p>
|
|
|
|
<p>To begin, I used the webmin utility to set up a basic subnet DHCP
|
|
service. Notice that this service has to be on network 192.168.0.0
|
|
with netmask 255.255.0.0 . This is because it must be accessible
|
|
from al subnets.</p>
|
|
|
|
<p align=center><img src="misc/ward/main.jpg"><br></p>
|
|
|
|
<p>I then set up each specific host, specifying it's name, hardware
|
|
MAC address and the IP address I want to serve to it. Note the
|
|
IP address, now on subnet 192.168.10.0 .</p>
|
|
|
|
<p align=center><img src="misc/ward/client.jpg"><br></p>
|
|
|
|
<p>To obtain the Ethernet MAC address, most cards have it printed
|
|
on a label sticking to the card. It yours does not, you can skip this
|
|
step for the moment. Finish setting up the DHCP service and fire up
|
|
the hosts one by one. As each host obtains an IP address (on subnet
|
|
192.168.1.0 for the time being), you will see it appear in file
|
|
<u>/var/lib/dhcp/dhcpd.leases</u>. For example: </p>
|
|
|
|
<p><pre>
|
|
lease 192.168.1.198 {
|
|
hardware ethernet 00:00:b4:38:cf:6a;
|
|
client-hostname "bis";
|
|
}
|
|
</pre></p>
|
|
|
|
<p>Please note that <strong>only</strong> addresses obtained from
|
|
the general subnet will appear here; not when you have given a
|
|
host a fixed address.</p>
|
|
|
|
<p>Finish setting up the fixed addresses for hosts on the DHCP server.</p>
|
|
|
|
<p>Start or restart the DHCP server. Hosts should now be obtaining
|
|
their assigned IP addresses. You can see this on a Linux host with
|
|
the <u>ifconfig</u> utility. On a Windows box, you can use <u>winipcfg</u>
|
|
under Win95/98/ME, or <u>ipconfig</u> (in a terminal window) under WinNT/2k.</p>
|
|
|
|
<p>But network masks should now still be the default 255.255.0.0 . This is
|
|
not good, as hosts on subnets 192.168.10.0 and 192.168.20.0 can see each
|
|
others (try a ping). We should now go to each host definition for dhcpd,
|
|
and in the "edit client options" set its subnet mask as 255.255.255.0 and
|
|
its default router to 192.168.X.1 for subnet 192.168.X.0 . For example,
|
|
on subnet 192.168.10.0:</p>
|
|
|
|
<p align=center><img src="misc/ward/client1.jpg"><br></p>
|
|
|
|
<p>Remember to also set the network mask to 255.255.255.0 for the
|
|
general 192.168.0.0 subnet client options.
|
|
|
|
<p>You can edit the <u>/etc/dhcpd.conf</u> file by hand. It may even
|
|
be more clear than the webmin interface. This is what you could have:</p>
|
|
|
|
<p><pre>
|
|
#
|
|
# main subnet, accessed by default by hosts we do not know
|
|
#
|
|
subnet 192.168.0.0 netmask 255.255.0.0 {
|
|
option subnet-mask 255.255.255.0;
|
|
option routers 192.168.1.1;
|
|
range 192.168.1.101 192.168.1.199;
|
|
}
|
|
|
|
#
|
|
# host definition, one for each known host on our LAN
|
|
#
|
|
host bis {
|
|
option subnet-mask 255.255.255.0;
|
|
option routers 192.168.10.1;
|
|
hardware ethernet 00:00:b4:38:cf:6a; # 12-digit hex MAC address
|
|
fixed-address 192.168.10.34;
|
|
}
|
|
|
|
</pre></p>
|
|
|
|
<p><b>Making the server accessible</b></p>
|
|
|
|
<p>In the above example, we made 192.168.X.1 the default router for each
|
|
subnet 192.168.X.0 . But for the time being, our server has IP address
|
|
192.168.1.1 -- which means that:<br>
|
|
|
|
<ul><li>hosts on subnet 192.168.10.0 will try to
|
|
obtain an IP address</li>
|
|
<li>they will obtain such an address from server 192.168.1.1</li>
|
|
<li>this address will be on subnet 192.168.10.0, netmask 255.255.255.0</li>
|
|
<li>they are now unable to contact server 192.168.1.1 <strong>which is
|
|
on another subnet!!!</strong></li>
|
|
</ul></p>
|
|
|
|
<p>This is why our server must have an extra IP address for each
|
|
subnet: 192.168.10.1, 192.168.20.1, etc. This can easily be set up
|
|
by creating virtual network cards eth0:1, eth0:2, etc. with webmin:</p>
|
|
|
|
<p align=center><img src="misc/ward/virtual.jpg"><br></p>
|
|
|
|
<p>You can also create this by hand. On a Mandrake or Red Hat distribution,
|
|
the files are in <u>/etc/sysconfig/network-scripts</u>. You
|
|
should already have a file called <u>ifcfg-eth0</u>. Copy this as
|
|
<u>ifcfg-eth0:1</u>, <u>ifcfg-eth0:2</u>, ... changing the addresses
|
|
and netmasks as appropriate. For example, for eth0:1 :</p>
|
|
|
|
<p><pre>
|
|
BROADCAST=192.168.10.0
|
|
DEVICE=eth0:1
|
|
NETMASK=255.255.255.0
|
|
IPADDR=192.168.10.1
|
|
NETWORK=192.168.10.0
|
|
ONBOOT=yes
|
|
BOOTPROTO=none
|
|
</pre></p>
|
|
|
|
<p>This is basically all you need. You may now have to enable routing on the
|
|
server, for example if you
|
|
are using it to access Internet. But be careful to disable routing between
|
|
local subnets; 192.168.X.0 should not be able to see 192.168.Y.0 . Use
|
|
a firewalling package such as iptables to block this. You can also use
|
|
this to block or allow Internet access from any or all subnets if you wish.</p>
|
|
|
|
<hr>
|
|
|
|
<p>PS. Should anybody want to translate this article: I wrote it in
|
|
the spirit of the GPL software licence. i.e. you are free (and
|
|
indeed encouraged) to copy, post and translate it -- but please,
|
|
PLEASE, send me notice by email! I like to keep track of translations --
|
|
it's good for the curriculum :-)</p>
|
|
|
|
|
|
<!-- *** BEGIN copyright *** -->
|
|
<hr>
|
|
<CENTER><SMALL><STRONG>
|
|
|
|
Copyright © 2002, Alan Ward.
|
|
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
|
|
Published in Issue 83 of <i>Linux Gazette</i>, October 2002</H5>
|
|
</STRONG></SMALL></CENTER>
|
|
<!-- *** END copyright *** -->
|
|
<HR>
|
|
|
|
<!--startcut ==========================================================-->
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="tougher.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue83/ward.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="lg_backpage.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|