LINUX DHCP SERVER failover + planning and design for a typical multi-subnet environment
Scenario:
1. The planned IP address ranges for the PCs are:
VLAN ID | PC IP address range | Gateway |
---|---|---|
VLAN 10 | 172.16.10.100-172.16.10.200/24, excluding 172.16.10.150-172.16.10.159 | 172.16.10.254 |
VLAN 100 | 172.16.100.100-172.16.100.200/24; reserved assignment: 172.16.100.68 for the printer | 172.16.100.254 |
VLAN 200 | 172.16.200.100-172.16.200.200/24; reserved assignment: 172.16.200.68 for the printer | 172.16.200.254 |
Topology:
Figure 1
2. Two DHCP servers are to be deployed in VLAN 10, with the IP addresses 172.16.10.1 and 172.16.10.2.
3. Every PC must be given DNS server addresses: internal DNS 172.16.10.1 and 172.16.10.2; public DNS 202.96.128.86 and 202.96.128.166.
4. Departments 1 and 2 each have a printer; they stand in for endpoints that need a fixed address bound dynamically (the MAC address must be supplied).
5. Excluded, non-assignable IP addresses are specified; see the table in item 1 for details.
6. Test: after one DHCP server fails, verify whether the DHCP server IP shown in the PC's network adapter details switches to the surviving server while the PC keeps its IP address, whether the DNS servers are the specified ones, and that communication still works. (Figure 2)
Figure 2
I. Deploying the CentOS DHCP primary server:
1. Server deployment
1.1 Configure a static IP address
Step 1: change into the directory that holds the interface configuration files: cd /etc/sysconfig/network-scripts/
Step 2: edit the interface configuration file:
vim ifcfg-ens32 or, depending on the interface name: vim ifcfg-ens33
The static IP configured on CentOS 7 does not take effect
(1) The static IP was configured in /etc/sysconfig/network-scripts/ifcfg-ens33
(2) After some reading the cause turned out to be simple: NetworkManager had not been stopped. Once it is stopped and disabled, as below, the static IP we configured takes effect.
systemctl stop NetworkManager
systemctl disable NetworkManager
systemctl restart network
The DNS server settings can be placed in the interface configuration file or in /etc/resolv.conf, as follows:
# Generated by NetworkManager
nameserver 114.114.114.114
nameserver 1.2.4.8
Once the network works, continue with the following steps.
2. DHCP server installation and configuration
DHCP server component installation
RPM files to install:
dhcp-4.2.5-68.el7.centos.x86_64.rpm
dhcp-common-4.2.5-68.el7.centos.x86_64.rpm
dhcp-libs-4.2.5-68.el7.centos.x86_64.rpm
Installation method 1:
# rpm -ivh dhcp-4.2.5-68.el7.centos.x86_64.rpm
# yum update dhcp
This upgrades the package to dhcp.x86_64 12:4.2.5-68.el7.centos.1
Installation method 2:
yum -y install dhcp
Because CentOS 7 is no longer serviced upstream, the yum repositories must be reconfigured first.
Setting the CentOS 7 update source
The CentOS 7 update source can be set up as follows:
1. Back up the original yum repo file:
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
2. Switch to the Aliyun yum source:
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
3. Add the EPEL source:
wget -P /etc/yum.repos.d/ http://mirrors.aliyun.com/repo/epel-7.repo
Check the kernel version
Show everything:
[zhangsan@localhost ~]$ uname -a
Linux localhost.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Show the kernel release:
[zhangsan@localhost ~]$ uname -r
3.10.0-693.el7.x86_64
Show the distribution release:
[zhangsan@localhost ~]$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
After a minimal install of CentOS 7, wget is not preinstalled, so using wget to download packages fails with "wget: command not found".
First check whether wget has already been installed on the server:
rpm -qa | grep "wget"
Download the latest wget rpm package from the mirror: http://mirrors.163.com/centos/7/os/x86_64/Packages/
Upload the downloaded wget rpm to the server with Xftp. For example, create a wget directory under /usr/local by hand and upload wget-1.14-18.el7_6.1.x86_64.rpm into it.
Enter the upload directory and install wget:
# enter the wget directory
cd /usr/local/wget
# install wget
rpm -ivh wget-1.14-18.el7_6.1.x86_64.rpm
# check that wget is installed
rpm -qa | grep wget
# show the wget version
wget -V
Tip: if wget reports that it cannot resolve the host name, fix it as follows
Log in as root, open /etc/resolv.conf with vim and add DNS servers:
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 223.5.5.5
nameserver 223.6.6.6
(adding just one of 223.5.5.5 and 223.6.6.6 is enough)
Refresh the repository metadata:
# clear the cache
yum clean all
# rebuild the cache
yum makecache
# enable the EPEL repository
yum install epel-release
2.1 Install the DHCP server components
RPM files to install:
dhcp-4.2.5-68.el7.centos.x86_64.rpm
dhcp-common-4.2.5-68.el7.centos.x86_64.rpm
dhcp-libs-4.2.5-68.el7.centos.x86_64.rpm
Installation method 1:
# rpm -ivh dhcp-4.2.5-68.el7.centos.x86_64.rpm
# yum update dhcp
This upgrades the package to dhcp.x86_64 12:4.2.5-68.el7.centos.1
Installation method 2:
# yum -y install dhcp
Install all the software you will need while the server is online, so the tools are at hand later:
[root@dhcp-1 ~]# yum -y install dhcp ifconfig gcc netstat lsof ftp
If netstat is not installed on the server, checking the listening ports fails with "command not found":
# netstat -an|grep 9200
-bash: netstat: command not found
2.2 Find the package that provides the command
Run yum provides */netstat; the output names the providing package: net-tools-2.0-0.22.20131004git.el7.x86_64.
# yum provides */netstat
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
updates/1.1/x86_64/filelists_db                          | 1.1 MB  00:00:00
ctdb-tests-4.7.1-9.el7_5.x86_64 : CTDB clustered database test suite
Repo        : base
Matched from:
Filename    : /usr/share/ctdb/tests/eventscripts/stubs/netstat
net-tools-2.0-0.22.20131004git.el7.x86_64 : Basic networking tools
Repo        : base
Matched from:
Filename    : /bin/netstat
2.3 Install the package
Run yum install net-tools:
# yum install net-tools
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package net-tools.x86_64 0:2.0-0.22.20131004git.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
2.4 Verify the installation
Use a port that is listening locally (9200 here) to check that the tool works; if the command runs normally, the installation is fine.
# netstat -an|grep 9200
tcp6       0      0 :::9200                 :::*                    LISTEN
Continue once the DHCP software is installed.
2.4.1 Inspect the configuration files
# rpm -qi dhcp            show the package information
# rpm -qi dhcp-common
# rpm -qi dhcp-libs
# rpm -qi dhclient
# rpm -ql dhcp            list the files the dhcp server package copied onto the system
# rpm -qc dhcp            list the package's configuration files
/etc/dhcp/dhcpd.conf                 * the server's configuration file
/etc/dhcp/dhcpd6.conf
/etc/openldap/schema/dhcp.schema
/etc/sysconfig/dhcpd
/var/lib/dhcpd/dhcpd.leases          * IP addresses and MAC addresses leased to clients
/var/lib/dhcpd/dhcpd6.leases
# more /etc/dhcp/dhcpd.conf          * view the default configuration file
# man 5 dhcpd.conf                   * read the man page for the configuration file
# man 5 dhcpd.conf | grep ^[A-Z]
------- This part can be skipped ------------------
View the DHCP example configuration:
[root@dhcp-1 ~]# more /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 10.152.187.0 netmask 255.255.255.0 {
}
# This is a very basic subnet declaration.
subnet 10.254.239.0 netmask 255.255.255.224 {
range 10.254.239.10 10.254.239.20;
option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
}
# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
subnet 10.254.239.32 netmask 255.255.255.224 {
range dynamic-bootp 10.254.239.40 10.254.239.60;
option broadcast-address 10.254.239.31;
option routers rtr-239-32-1.example.org;
}
# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
range 10.5.5.26 10.5.5.30;
option domain-name-servers ns1.internal.example.org;
option domain-name "internal.example.org";
option routers 10.5.5.1;
option broadcast-address 10.5.5.31;
default-lease-time 600;
max-lease-time 7200;
}
# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
host passacaglia {
hardware ethernet 0:0:c0:5d:bd:95;
filename "vmunix.passacaglia";
server-name "toccata.fugue.com";
}
# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
host fantasia {
hardware ethernet 08:00:07:26:c0:a5;
fixed-address fantasia.fugue.com;
}
# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
class "foo" {
match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
}
shared-network 224-29 {
subnet 10.17.224.0 netmask 255.255.255.0 {
option routers rtr-224.example.org;
}
subnet 10.0.29.0 netmask 255.255.255.0 {
option routers rtr-29.example.org;
}
pool {
allow members of "foo";
range 10.17.224.10 10.17.224.250;
}
pool {
deny members of "foo";
range 10.0.29.10 10.0.29.230;
}
}
[root@dhcp-1 ~]#
------- This part can be skipped ------------------
2.5 Time synchronization
# on all nodes
[root@dhcp-maseter ~]# yum info ftp*
[root@dhcp-maseter ~]# yum install -y ftp
[root@dhcp-maseter ~]# yum install -y vim
[root@dhcp-maseter ~]# cp /etc/chrony.conf /etc/chrony.bak
# dhcp-maseter
[root@dhcp-maseter ~]# cat /etc/chrony.conf
----- skipped -----
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp.aliyun.com iburst
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
# Allow NTP client access from local network.
allow 172.16.10.0/24
# Serve time even if not synchronized to a time source.
#local stratum 10
# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys
# Specify directory for log files.
logdir /var/log/chrony
# Select which information is logged.
#log measurements statistics tracking
----- skipped -----
# dhcp-backup
[root@dhcp-backup ~]# cp /etc/chrony.conf /etc/chrony.bak
[root@dhcp-backup ~]# cat /etc/chrony.conf
---- skipped ----
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server dhcp-maseter iburst
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
# Allow NTP client access from local network.
#allow 172.16.10.0/24
# Serve time even if not synchronized to a time source.
#local stratum 10
# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys
# Specify directory for log files.
logdir /var/log/chrony
# Select which information is logged.
#log measurements statistics tracking
# on all nodes
---- skipped ----
[root@dhcp-maseter ~]# systemctl restart chronyd
[root@dhcp-maseter ~]# systemctl enable chronyd
# result checked on dhcp-backup
[root@dhcp-backup ~]# chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* dhcp-maseter                  3   6    17     7    +16us[ +131us] +/-   24ms
2.6 Configure the DHCP server
Configure dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.example
# see dhcpd.conf(5) man page
#
local-address 172.16.10.1;
default-lease-time 691200; # 8 days
max-lease-time 691200;
option domain-name-servers 223.5.5.5,202.96.128.86;
option domain-name "test.local";
# DHCP scopes
subnet 172.16.10.0 netmask 255.255.255.0 {
range 172.16.10.100 172.16.10.149;
range 172.16.10.160 172.16.10.200;
option routers 172.16.10.254;
}
subnet 172.16.100.0 netmask 255.255.255.0 {
range 172.16.100.100 172.16.100.200;
option routers 172.16.100.254;
}
subnet 172.16.200.0 netmask 255.255.255.0 {
range 172.16.200.100 172.16.200.200;
option routers 172.16.200.254;
}
host dayinji01 {
hardware ethernet 08:00:07:26:c0:a5;
fixed-address 172.16.100.68;
}
host dayinji02 {
hardware ethernet 08:00:07:26:c0:b4;
fixed-address 172.16.200.68;
}
2.7 Start the service and check it
2.7.1 Check the DHCP service status
[root@dhcp-1 ~]# systemctl start dhcpd      # start the dhcp service
[root@dhcp-1 ~]# systemctl status dhcpd     # check the dhcp service status
[root@dhcp-1 ~]# ps aux | grep ^dhcpd       # check the dhcp process
[root@dhcp-1 ~]# systemctl enable dhcpd     # start the dhcp service at boot
# check the UDP port dhcpd listens on
[root@dhcp-1 ~]# netstat -upna |grep dhcpd
udp        0      0 172.16.10.1:67          0.0.0.0:*                           2015/dhcpd
2.7.2 View the system log
# tail -f /var/log/messages                 follow the system log
Statements with the option keyword are DHCP options handed to DHCP clients; statements without it control the DHCP server's own behaviour. Options have a scope: lines 6 and 7 of the file apply globally, while lines 11, 16 and 21 apply only to their respective subnet.
local-address 172.16.10.1;                            # the DHCP server only listens for DHCP requests sent to 172.16.10.1
default-lease-time 691200;                            # default lease length in seconds; 691200 is 8 days
max-lease-time 691200;                                # the longest lease granted, whatever the client asks for: 8 days
option domain-name-servers 223.5.5.5,202.96.128.86;   # DNS server addresses handed to DHCP clients
option domain-name "test.local";                      # domain name handed to DHCP clients
failover peer "dhcp" {
# whether this server is the primary or the secondary
primary;
# local IP on which failover traffic is accepted
address 10.18.33.10;
# local failover port
port 520;
# IP of the secondary server
peer address 10.18.33.20;
# failover port of the secondary server
peer port 519;
# maximum time to wait for a message from the partner before it is considered down
max-response-delay 10;
# maximum number of BNDUPD messages sent without a reply from the PARTNER
max-unacked-updates 10;
# Maximum Client Lead Time. In a disaster-recovery scenario this delay guarantees that the IP lease on the PARTNER has expired.
# This parameter may only be defined on the primary server.
mclt 1800;
# how the addresses are split between primary and secondary; usually half each
split 128;
# load-balancing parameter
load balance max seconds 3;
}
subnet 172.16.10.0 netmask 255.255.255.0 {      # subnet
    pool {
        failover peer "dhcp";
        range 172.16.10.100 172.16.10.149;      # assignable address pool ranges
        range 172.16.10.160 172.16.10.200;
        option routers 172.16.10.254;           # gateway handed out
        deny dynamic bootp clients;
    }
}
subnet 172.16.100.0 netmask 255.255.255.0 {
    pool {
        failover peer "dhcp";
        range 172.16.100.100 172.16.100.200;
        option routers 172.16.100.254;
        deny dynamic bootp clients;
    }
}
subnet 172.16.200.0 netmask 255.255.255.0 {
    pool {
        failover peer "dhcp";
        range 172.16.200.100 172.16.200.200;
        option routers 172.16.200.254;
        deny dynamic bootp clients;
    }
}
host dayinji01 {                                # declares a host named dayinji01
    hardware ethernet 08:00:07:26:c0:a5;        # binds this MAC address to the fixed IP address
    fixed-address 172.16.100.68;
    option routers 172.16.100.254;
    option domain-name-servers 223.5.5.5,202.96.128.86;
}
host dayinji02 {
    hardware ethernet 08:00:07:26:c0:b4;
    fixed-address 172.16.200.68;
    option routers 172.16.200.254;
    option domain-name-servers 223.5.5.5,202.96.128.86;
}
option ntp-servers 172.16.10.1;
Command reference
I. Configure the server IP
1. View the server IP
# on all nodes
[root@localhost]# ip a
2. Configure the server IP
# DHCP-maseter
[root@localhost]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=6dfe0ee1-6242-4fe3-b1b4-ad843af8d49c
DEVICE=ens33
ONBOOT=yes
IPADDR=10.18.33.10
NETMASK=255.255.255.0
GATEWAY=10.18.33.254
DNS=8.8.8.8
# DHCP-backup
[root@localhost]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=6dfe0ee1-6242-4fe3-b1b4-ad843af8d49c
DEVICE=ens33
ONBOOT=yes
IPADDR=10.18.33.20
NETMASK=255.255.255.0
GATEWAY=10.18.33.254
DNS=8.8.8.8
II. Change the hostname (connect through a remote terminal)
# DHCP-maseter
[root@localhost]# hostnamectl set-hostname DHCP-maseter
[root@localhost]# hostname
[root@localhost]# bash
# DHCP-backup
[root@localhost]# hostnamectl set-hostname DHCP-backup
[root@localhost]# hostname
[root@localhost]# bash
III. Check the firewall and SELinux status
# on all nodes (firewall)
[root@DHCP-maseter]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since 日 2024-04-07 22:24:58 CST; 7h left
     Docs: man:firewalld(1)
 Main PID: 812 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─812 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

4月 07 22:24:58 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall dae.....
4月 07 22:24:58 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
4月 07 22:24:58 localhost.localdomain firewalld[812]: WARNING: AllowZoneDrifting is enabled...w.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost]# systemctl stop firewalld
[root@localhost]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
# on all nodes (SELinux)
[root@DHCP-maseter]# setenforce 0
[root@DHCP-maseter]# cat -n /etc/selinux/config
     1
     2  # This file controls the state of SELinux on the system.
     3  # SELINUX= can take one of these three values:
     4  #     enforcing - SELinux security policy is enforced.
     5  #     permissive - SELinux prints warnings instead of enforcing.
     6  #     disabled - No SELinux policy is loaded.
     7  SELINUX=enforcing
     8  # SELINUXTYPE= can take one of three values:
     9  #     targeted - Targeted processes are protected,
    10  #     minimum - Modification of targeted policy. Only selected processes are protected.
    11  #     mls - Multi Level Security protection.
    12  SELINUXTYPE=targeted
    13
    14
[root@DHCP-maseter]# sed -i "7s/enforcing/disabled/g" /etc/selinux/config
[root@DHCP-maseter]# cat -n /etc/selinux/config
     1
     2  # This file controls the state of SELinux on the system.
     3  # SELINUX= can take one of these three values:
     4  #     enforcing - SELinux security policy is enforced.
     5  #     permissive - SELinux prints warnings instead of enforcing.
     6  #     disabled - No SELinux policy is loaded.
     7  SELINUX=disabled
     8  # SELINUXTYPE= can take one of three values:
     9  #     targeted - Targeted processes are protected,
    10  #     minimum - Modification of targeted policy. Only selected processes are protected.
    11  #     mls - Multi Level Security protection.
    12  SELINUXTYPE=targeted
    13
    14
IV. Check that the external network can be reached
# on all nodes
[root@DHCP-maseter]# ping -c 2 10.18.33.1
PING 10.18.33.1 (10.18.33.1) 56(84) bytes of data.
64 bytes from 10.18.33.1: icmp_seq=1 ttl=64 time=0.359 ms
64 bytes from 10.18.33.1: icmp_seq=2 ttl=64 time=0.323 ms
--- 10.18.33.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.323/0.341/0.359/0.018 ms
[root@DHCP-maseter]# ping -c 2 10.18.33.254
PING 10.18.33.254 (10.18.33.254) 56(84) bytes of data.
64 bytes from 10.18.33.254: icmp_seq=1 ttl=128 time=0.353 ms
64 bytes from 10.18.33.254: icmp_seq=2 ttl=128 time=0.208 ms
--- 10.18.33.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
[root@DHCP-maseter]# ping -c 2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=128 time=267 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=128 time=986 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 267.991/627.284/986.578/359.294 ms
[root@DHCP-maseter]# ping -c 2 baidu.com
PING baidu.com (110.242.68.66) 56(84) bytes of data.
64 bytes from 110.242.68.66 (110.242.68.66): icmp_seq=1 ttl=128 time=182 ms
64 bytes from 110.242.68.66 (110.242.68.66): icmp_seq=2 ttl=128 time=301 ms
--- baidu.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2191ms
rtt min/avg/max/mdev = 182.404/242.190/301.977/59.788 ms
V. Build the yum cache
# on all nodes
[root@dhcp-maseter ~]# yum update
[root@dhcp-maseter ~]# yum clean all && yum makecache && yum repolist
源标识                  源名称                  状态
base/7/x86_64           CentOS-7 - Base         10,072
extras/7/x86_64         CentOS-7 - Extras          526
updates/7/x86_64        CentOS-7 - Updates       5,802
repolist: 16,400
VI. Edit the local hosts file
# on all nodes
[root@dhcp-maseter ~]# cp /etc/hosts /etc/host.bak
[root@dhcp-maseter ~]# echo "10.18.33.10 dhcp-maseter" >> /etc/hosts
[root@dhcp-maseter ~]# echo "10.18.33.20 dhcp-backup" >> /etc/hosts
[root@dhcp-maseter ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.18.33.10 dhcp-maseter
10.18.33.20 dhcp-backup
# copy to dhcp-backup
[root@dhcp-maseter ~]# scp /etc/hosts root@10.18.33.20:/etc/
VII. Time synchronization
# on all nodes
[root@dhcp-maseter ~]# yum info ftp*
[root@dhcp-maseter ~]# yum install -y ftp
[root@dhcp-maseter ~]# yum install -y vim
[root@dhcp-maseter ~]# cp /etc/chrony.conf /etc/chrony.bak
# dhcp-maseter
[root@dhcp-maseter ~]# cat /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp.aliyun.com iburst
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
# Allow NTP client access from local network.
allow 10.18.33.0/24
# Serve time even if not synchronized to a time source.
#local stratum 10
# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys
# Specify directory for log files.
logdir /var/log/chrony
# Select which information is logged.
#log measurements statistics tracking
# dhcp-backup
[root@dhcp-backup ~]# cp /etc/chrony.conf /etc/chrony.bak
[root@dhcp-backup ~]# cat /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server dhcp-maseter iburst
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
# Allow NTP client access from local network.
#allow 10.18.33.0/24
# Serve time even if not synchronized to a time source.
#local stratum 10
# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys
# Specify directory for log files.
logdir /var/log/chrony
# Select which information is logged.
#log measurements statistics tracking
# on all nodes
[root@dhcp-maseter ~]# systemctl restart chronyd
[root@dhcp-maseter ~]# systemctl enable chronyd
# result checked on dhcp-backup
[root@dhcp-backup ~]# chronyc sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* dhcp-maseter                  3   6    17     7    +16us[ +131us] +/-   24ms
VIII. DHCP configuration files
# on all nodes
[root@dhcp-backup ~]# yum install -y dhcp
# on all nodes
[root@dhcp-maseter ~]# rpm -qa | grep dhcp
dhcp-common-4.2.5-83.el7.centos.1.x86_64
dhcp-4.2.5-83.el7.centos.1.x86_64
dhcp-libs-4.2.5-83.el7.centos.1.x86_64
# on all nodes
[root@dhcp-maseter ~]# cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.bak
# dhcp-maseter
[root@dhcp-maseter ~]# cat /etc/dhcp/dhcpd.conf
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# dhcpd will not update the DNS server automatically
ddns-update-style none;
# default lease time: how long a client may use an address obtained via DHCP, in seconds
default-lease-time 7200;
# maximum lease time, in seconds
max-lease-time 14400;
failover peer "dhcp" {
    # whether this server is the primary or the secondary
    primary;
    # local IP on which failover traffic is accepted
    address 10.18.33.10;
    # local failover port
    port 520;
    # IP of the secondary server
    peer address 10.18.33.20;
    # failover port of the secondary server
    peer port 519;
    # maximum time to wait for a message from the partner before it is considered down
    max-response-delay 10;
    # maximum number of BNDUPD messages sent without a reply from the PARTNER
    max-unacked-updates 10;
    # Maximum Client Lead Time. In a disaster-recovery scenario this delay guarantees
    # that the IP lease on the PARTNER has expired.
    # This parameter may only be defined on the primary server.
    mclt 7200;
    # how the addresses are split between primary and secondary; usually half each
    split 128;
    # load-balancing parameter
    load balance max seconds 3;
}
# DHCP scope
subnet 10.18.33.0 netmask 255.255.255.0 {
    # router (gateway) address
    option routers 10.18.33.254;
    # DNS
    option domain-name-servers 8.8.8.8,114.114.114.114;
    pool {
        failover peer "dhcp";
        # address pool range
        range 10.18.33.30 10.18.33.240;
        # failover does not support BOOTP clients, so they must be refused
        deny dynamic bootp clients;
    }
    # # bind a MAC address to a fixed IP address
    # host clevercode{
    #     hardware ethernet 00:0C:29:DB:6F;
    #     # a fixed address must lie outside the dynamic range
    #     fixed-address 10.18.33.241;
    # }
}
# dhcp-backup
[root@dhcp-backup ~]# cat /etc/dhcp/dhcpd.conf
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# dhcpd will not update the DNS server automatically
ddns-update-style none;
# default lease time: how long a client may use an address obtained via DHCP, in seconds
default-lease-time 7200;
# maximum lease time, in seconds
max-lease-time 14400;
failover peer "dhcp" {
    # whether this server is the primary or the secondary
    secondary;
    # local IP on which failover traffic is accepted
    address 10.18.33.20;
    # local failover port
    port 519;
    # IP of the primary server
    peer address 10.18.33.10;
    # failover port of the primary server
    peer port 520;
    # maximum time to wait for a message from the partner before it is considered down
    max-response-delay 10;
    # maximum number of BNDUPD messages sent without a reply from the PARTNER
    max-unacked-updates 10;
    # load-balancing parameter
    load balance max seconds 3;
}
# DHCP scope
subnet 10.18.33.0 netmask 255.255.255.0 {
    # router (gateway) address
    option routers 10.18.33.254;
    # DNS
    option domain-name-servers 8.8.8.8,114.114.114.114;
    pool {
        failover peer "dhcp";
        # address pool range
        range 10.18.33.30 10.18.33.240;
        # failover does not support BOOTP clients, so they must be refused
        deny dynamic bootp clients;
    }
    # # bind a MAC address to a fixed IP address
    # host clevercode{
    #     hardware ethernet 00:0C:29:DB:6F;
    #     # a fixed address must lie outside the dynamic range
    #     fixed-address 172.16.159.101;
    # }
}
# on all nodes
[root@dhcp-backup ~]# systemctl restart dhcpd
[root@dhcp-backup ~]# systemctl enable dhcpd
[root@dhcp-backup ~]# systemctl status dhcpd
IX. Obtaining an address via DHCP on a virtual machine
# create a new virtual machine
[root@localhost]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=6dfe0ee1-6242-4fe3-b1b4-ad843af8d49c
DEVICE=ens33
ONBOOT=yes
[root@localhost]# systemctl restart network
[root@localhost]# dhclient
2.8 DHCP parameters actually used on the project's DHCP servers
DHCP-master: 172.16.10.1
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
local-address 172.16.10.1;
option domain-name-servers 223.5.5.5,202.96.128.86;
option domain-name "test.local";
ddns-update-style none;
default-lease-time 7200;
max-lease-time 14400;
failover peer "dhcp" {
    primary;
    address 172.16.10.1;
    port 520;
    peer address 172.16.10.2;
    peer port 519;
    max-response-delay 10;
    max-unacked-updates 10;
    mclt 7200;
    split 128;
    load balance max seconds 3;
}
subnet 172.16.10.0 netmask 255.255.255.0 {
    option routers 172.16.10.254;
    option domain-name-servers 8.8.8.8,114.114.114.114;
    pool {
        failover peer "dhcp";
        range 172.16.10.100 172.16.10.149;
        range 172.16.10.160 172.16.10.200;
        deny dynamic bootp clients;
    }
}
subnet 172.16.100.0 netmask 255.255.255.0 {
    option routers 172.16.100.254;
    option domain-name-servers 8.8.8.8,114.114.114.114;
    pool {
        failover peer "dhcp";
        range 172.16.100.100 172.16.100.200;
        deny dynamic bootp clients;
    }
    host dayin01 {
        hardware ethernet 54:89:98:32:02:05;
        fixed-address 172.16.100.68;
        option routers 172.16.100.254;
        option domain-name-servers 223.5.5.5,202.96.128.86;
    }
}
subnet 172.16.200.0 netmask 255.255.255.0 {
    option routers 172.16.200.254;
    option domain-name-servers 8.8.8.8,114.114.114.114;
    pool {
        failover peer "dhcp";
        range 172.16.200.100 172.16.200.200;
        deny dynamic bootp clients;
    }
    host dayin02 {
        hardware ethernet 54:89:98:AB:28:4A;
        fixed-address 172.16.200.68;
        option routers 172.16.200.254;
        option domain-name-servers 223.5.5.5,202.96.128.86;
    }
}
option ntp-servers 172.16.10.2;
DHCP-backup: 172.16.10.2
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.example
#   see dhcpd.conf(5) man page
#
local-address 172.16.10.2;
option domain-name-servers 223.5.5.5,202.96.128.86;
option domain-name "test.local";
ddns-update-style none;
default-lease-time 7200;
max-lease-time 14400;
failover peer "dhcp" {
    secondary;
    address 172.16.10.2;
    port 519;
    peer address 172.16.10.1;
    peer port 520;
    max-response-delay 10;
    max-unacked-updates 10;
    load balance max seconds 3;
}
subnet 172.16.10.0 netmask 255.255.255.0 {
    option routers 172.16.10.254;
    option domain-name-servers 8.8.8.8,114.114.114.114;
    pool {
        failover peer "dhcp";
        range 172.16.10.100 172.16.10.149;
        range 172.16.10.160 172.16.10.200;
        deny dynamic bootp clients;
    }
}
subnet 172.16.100.0 netmask 255.255.255.0 {
    option routers 172.16.100.254;
    option domain-name-servers 8.8.8.8,114.114.114.114;
    pool {
        failover peer "dhcp";
        range 172.16.100.100 172.16.100.200;
        deny dynamic bootp clients;
    }
    host dayin01 {
        hardware ethernet 54:89:98:32:02:05;
        fixed-address 172.16.100.68;
        option routers 172.16.100.254;
        option domain-name-servers 223.5.5.5,202.96.128.86;
    }
}
subnet 172.16.200.0 netmask 255.255.255.0 {
    option routers 172.16.200.254;
    option domain-name-servers 8.8.8.8,114.114.114.114;
    pool {
        failover peer "dhcp";
        range 172.16.200.100 172.16.200.200;
        deny dynamic bootp clients;
    }
    host dayin02 {
        hardware ethernet 54:89:98:AB:28:4A;
        fixed-address 172.16.200.68;
        option routers 172.16.200.254;
        option domain-name-servers 223.5.5.5,202.96.128.86;
    }
}
option ntp-servers 172.16.10.1;
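The following Python script is an added example; it is not part of the original article and not ISC code. It turns the planning table from the Scenario section into the pool ranges used in the configurations above and checks the finished design for the mistakes that most often break a failover pair: a fixed-address reservation placed inside a dynamic range (dhcpd.conf.example warns against this), an exclusion that a range still covers, a gateway outside its subnet, and primary/secondary failover stanzas that do not mirror each other. The table values, MAC addresses and peer settings are the article's (section 2.8); VlanPlan, pool_ranges, check_plan, check_failover, render_subnet and the host names it generates are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VlanPlan:
    """One row of the planning table (class and field names chosen for this example)."""
    vlan: int
    network: str        # e.g. "172.16.10.0/24"
    first: str          # first dynamically assignable address
    last: str           # last dynamically assignable address
    gateway: str
    excluded: list = field(default_factory=list)      # (first, last) blocks never handed out
    reservations: dict = field(default_factory=dict)  # MAC -> fixed address


def _n(addr):
    """Dotted address -> integer, so ranges can be compared arithmetically."""
    return int(ipaddress.ip_address(addr))


def _s(n):
    return str(ipaddress.ip_address(n))


def pool_ranges(plan):
    """Cut [first, last] around every excluded block and return the ISC-style
    (start, end) range pairs the pool stanza needs."""
    cur, hi = _n(plan.first), _n(plan.last)
    ranges = []
    for a, b in sorted((_n(x), _n(y)) for x, y in plan.excluded):
        if b < cur or a > hi:
            continue                       # hole lies outside the dynamic span
        if a > cur:
            ranges.append((cur, a - 1))
        cur = max(cur, b + 1)
    if cur <= hi:
        ranges.append((cur, hi))
    return [(_s(s), _s(e)) for s, e in ranges]


def check_plan(plan):
    """Problems with one VLAN's plan; an empty list means it is consistent."""
    problems = []
    net = ipaddress.ip_network(plan.network)
    ranges = pool_ranges(plan)
    for s, e in ranges:
        if ipaddress.ip_address(s) not in net or ipaddress.ip_address(e) not in net:
            problems.append(f"VLAN {plan.vlan}: range {s}-{e} is not inside {net}")
    if ipaddress.ip_address(plan.gateway) not in net:
        problems.append(f"VLAN {plan.vlan}: gateway {plan.gateway} is outside {net}")
    for mac, addr in plan.reservations.items():
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"VLAN {plan.vlan}: fixed-address {addr} for {mac} is outside {net}")
        elif any(_n(s) <= _n(addr) <= _n(e) for s, e in ranges):
            # dhcpd.conf.example: a fixed address must not also be available for dynamic assignment
            problems.append(f"VLAN {plan.vlan}: fixed-address {addr} for {mac} lies inside a dynamic range")
    return problems


def check_failover(primary, secondary):
    """Check that two failover-peer stanzas (dicts of directive -> value) mirror each other."""
    problems = []
    if primary.get("role") != "primary" or secondary.get("role") != "secondary":
        problems.append("one peer must declare primary and the other secondary")
    if (primary["address"], primary["port"]) != (secondary["peer address"], secondary["peer port"]):
        problems.append("secondary's peer address/port does not match the primary's address/port")
    if (secondary["address"], secondary["port"]) != (primary["peer address"], primary["peer port"]):
        problems.append("primary's peer address/port does not match the secondary's address/port")
    for key in ("mclt", "split"):          # dhcpd.conf(5): only the primary carries these
        if key not in primary:
            problems.append(f"{key} must be set on the primary")
        if key in secondary:
            problems.append(f"{key} is only valid on the primary; remove it from the secondary")
    return problems


def render_subnet(plan, peer="dhcp"):
    """Render one VLAN as a dhcpd.conf subnet stanza with a failover pool and host reservations."""
    net = ipaddress.ip_network(plan.network)
    lines = [f"subnet {net.network_address} netmask {net.netmask} {{",
             f"    option routers {plan.gateway};",
             "    pool {",
             f'        failover peer "{peer}";']
    lines += [f"        range {s} {e};" for s, e in pool_ranges(plan)]
    lines += ["        deny dynamic bootp clients;", "    }"]
    for i, (mac, addr) in enumerate(plan.reservations.items(), 1):
        lines += [f"    host vlan{plan.vlan}-fixed{i} {{",      # host names invented here
                  f"        hardware ethernet {mac};",
                  f"        fixed-address {addr};",
                  "    }"]
    lines.append("}")
    return "\n".join(lines)


# The article's planning table and the failover settings from section 2.8.
PLANS = [
    VlanPlan(10, "172.16.10.0/24", "172.16.10.100", "172.16.10.200", "172.16.10.254",
             excluded=[("172.16.10.150", "172.16.10.159")]),
    VlanPlan(100, "172.16.100.0/24", "172.16.100.100", "172.16.100.200", "172.16.100.254",
             reservations={"54:89:98:32:02:05": "172.16.100.68"}),
    VlanPlan(200, "172.16.200.0/24", "172.16.200.100", "172.16.200.200", "172.16.200.254",
             reservations={"54:89:98:AB:28:4A": "172.16.200.68"}),
]
PRIMARY = {"role": "primary", "address": "172.16.10.1", "port": 520,
           "peer address": "172.16.10.2", "peer port": 519, "mclt": 7200, "split": 128}
SECONDARY = {"role": "secondary", "address": "172.16.10.2", "port": 519,
             "peer address": "172.16.10.1", "peer port": 520}


def check_everything(plans=PLANS, primary=PRIMARY, secondary=SECONDARY):
    """Every finding for the whole design: per-VLAN checks first, then the failover pair."""
    problems = [p for plan in plans for p in check_plan(plan)]
    return problems + check_failover(primary, secondary)


if __name__ == "__main__":
    for plan in PLANS:
        print(render_subnet(plan))
    print("problems:", check_everything() or "none")
```

Run it before copying a new range into both servers' dhcpd.conf: every pool statement on the primary must be repeated verbatim on the secondary, and a reservation that drifts into a range is exactly the kind of error that only shows up as a duplicate-address complaint weeks later.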
II. DHCP relay agent
The relay is performed by the network devices; the syntax differs between vendors, but the procedure is the same:
Enable the DHCP relay function on SW2 and SW3
Give the relay the IP addresses of the DHCP servers
system-view
sysname sw0
dhcp enable
dhcp snooping enable
vlan batch 10 100 200
interface g0/0/1
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 dhcp snooping enable
 dhcp snooping trusted
interface g0/0/2
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 dhcp snooping enable
 dhcp snooping trusted
interface g0/0/3
 port link-type access
 port default vlan 10
 dhcp snooping enable
 dhcp snooping trusted
interface vlanif 10
 ip address 172.16.10.254 24
 dhcp select relay
 dhcp relay server-ip 172.16.10.1
 dhcp relay server-ip 172.16.10.2
interface vlanif 100
 ip address 172.16.100.254 24
 dhcp select relay
 dhcp relay server-ip 172.16.10.1
 dhcp relay server-ip 172.16.10.2
interface vlanif 200
 ip address 172.16.200.254 24
 dhcp select relay
 dhcp relay server-ip 172.16.10.1
 dhcp relay server-ip 172.16.10.2
system-view
sysname sw2
dhcp enable
dhcp snooping enable
vlan batch 10 100 200
interface eth0/0/1
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 dhcp snooping enable
 dhcp snooping trusted
interface eth0/0/2
 port link-type access
 port default vlan 100
 dhcp snooping enable
interface eth0/0/3
 port link-type access
 port default vlan 100
 dhcp snooping enable
system-view
sysname sw3
dhcp enable
dhcp snooping enable
vlan batch 10 100 200
interface eth0/0/1
 port link-type trunk
 port trunk allow-pass vlan all
 undo port trunk allow-pass vlan 1
 dhcp snooping enable
 dhcp snooping trusted
interface eth0/0/2
 port link-type access
 port default vlan 200
 dhcp snooping enable
interface eth0/0/3
 port link-type access
 port default vlan 200
 dhcp snooping enable
III. Preventing man-in-the-middle and starvation attacks (DHCP snooping must be enabled)
Principle:
Starvation attack: an attacker sends large numbers of DHCP requests to use up the DHCP server's addresses. The pool can be drained almost instantly, so legitimate users' DHCP requests get no IP address and they cannot communicate or work normally.
Spoofing attack (also called a man-in-the-middle attack): a rogue DHCP server is introduced. Because DHCP requests are broadcast and the first server to answer wins, a rogue server that hands out a bogus address leaves the client without connectivity; if it hands out a real address but names itself as the gateway, all of the client's traffic passes through the attacker, who forwards it on and can intercept everything.
Remedy:
- Enable DHCP server detection
- Configure protection against DHCP packet flooding attacks
- Configure protection against forged DHCP packet attacks
- Configure protection against DHCP server denial-of-service attacks
- Check the result of the DHCP snooping attack-defence configuration
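DHCP snooping on the switches is the control that actually blocks these attacks; the server side can still notice a starvation attempt while it is happening, which is useful for alerting and for confirming that snooping is doing its job. The following Python script is an added example, not part of the original article: it reads ISC dhcpd lines from /var/log/messages and raises an alert when a burst of DHCPDISCOVERs from many distinct client MACs arrives through the same relay within a short window, or when dhcpd reports that a network has no free leases. The log lines are constructed for the example in the format dhcpd writes through syslog (the relay address after "via" is the VLAN gateway from the article); the window, the MAC threshold, the year assumed for syslog timestamps and the function names are this example's choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# syslog prefix as written to /var/log/messages, followed by the dhcpd message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: (?P<msg>.*)$")
# "DHCPDISCOVER from <mac> via <relay-or-interface>[: <detail>]"
DISCOVER_RE = re.compile(
    r"^DHCPDISCOVER from (?P<mac>[0-9a-f:]{17}) via (?P<via>[^\s:]+)(?:: (?P<detail>.*))?$")


def parse_line(line, year=2024):
    """Return (timestamp, dhcpd message) or None for lines not written by dhcpd.
    syslog omits the year, so the caller supplies it (2024 assumed here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("msg")


def detect(lines, window_seconds=10, mac_threshold=5):
    """Scan log lines in order and return alerts as (kind, via, info) tuples.
    'starvation': at least mac_threshold distinct client MACs sent DHCPDISCOVER through
                  the same relay/interface within window_seconds (reported once per via).
    'exhausted' : dhcpd logged 'no free leases' for a network."""
    alerts = []
    recent = defaultdict(deque)   # via -> deque of (timestamp, mac) inside the window
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        d = DISCOVER_RE.match(msg)
        if d is None:
            continue
        via, mac, detail = d.group("via"), d.group("mac"), d.group("detail")
        if detail and "no free leases" in detail:
            alerts.append(("exhausted", via, detail))
        q = recent[via]
        q.append((ts, mac))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                       # drop DISCOVERs older than the window
        distinct = {m for _, m in q}
        if len(distinct) >= mac_threshold and via not in flagged:
            flagged.add(via)
            alerts.append(("starvation", via, len(distinct)))
    return alerts


# Constructed sample: the two printers renewing normally via the VLAN 100/200 relays,
# then a burst of never-seen MACs through the VLAN 10 relay that drains the pool.
SAMPLE_LOG = """\
Apr  7 22:31:01 dhcp-maseter dhcpd: DHCPDISCOVER from 54:89:98:32:02:05 via 172.16.100.254
Apr  7 22:31:01 dhcp-maseter dhcpd: DHCPOFFER on 172.16.100.68 to 54:89:98:32:02:05 via 172.16.100.254
Apr  7 22:31:02 dhcp-maseter dhcpd: DHCPREQUEST for 172.16.100.68 (172.16.10.1) from 54:89:98:32:02:05 via 172.16.100.254
Apr  7 22:31:02 dhcp-maseter dhcpd: DHCPACK on 172.16.100.68 to 54:89:98:32:02:05 via 172.16.100.254
Apr  7 22:31:05 dhcp-maseter dhcpd: DHCPDISCOVER from 54:89:98:ab:28:4a via 172.16.200.254
Apr  7 22:31:05 dhcp-maseter dhcpd: DHCPOFFER on 172.16.200.68 to 54:89:98:ab:28:4a via 172.16.200.254
Apr  7 22:40:10 dhcp-maseter dhcpd: DHCPDISCOVER from 02:00:00:00:00:01 via 172.16.10.254
Apr  7 22:40:10 dhcp-maseter dhcpd: DHCPDISCOVER from 02:00:00:00:00:02 via 172.16.10.254
Apr  7 22:40:11 dhcp-maseter dhcpd: DHCPDISCOVER from 02:00:00:00:00:03 via 172.16.10.254
Apr  7 22:40:11 dhcp-maseter dhcpd: DHCPDISCOVER from 02:00:00:00:00:04 via 172.16.10.254
Apr  7 22:40:12 dhcp-maseter dhcpd: DHCPDISCOVER from 02:00:00:00:00:05 via 172.16.10.254
Apr  7 22:40:12 dhcp-maseter dhcpd: DHCPDISCOVER from 02:00:00:00:00:06 via 172.16.10.254
Apr  7 22:40:13 dhcp-maseter dhcpd: DHCPDISCOVER from 02:00:00:00:00:07 via 172.16.10.254: network 172.16.10.0/24: no free leases
"""


def sample_alerts():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, via, info in sample_alerts():
        print(f"{kind:<10} via {via}: {info}")
```

The alert keys on the relay address because, in the topology above, that identifies the VLAN and therefore the access switch whose snooping configuration should have rate-limited the burst. Run it over a live file with tail -f /var/log/messages piped into the script, or over the day's log to confirm that the switch-side counters explain every burst it reports.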
IV. Troubleshooting and verification
1. Verification
After a simulated failover between the primary and backup DHCP servers, the DHCP server shown in the Windows network details changes along with it.
2. View the logs
How do you see which client an IP address has been leased to?
[root@dhcp-1 ~]# less /var/lib/dhcpd/dhcpd.leases
lease 192.168.8.24 {
  starts 3 2016/05/18 10:48:59;               # time the address was assigned
  ends 3 2016/05/18 10:58:59;                 # lease expiry time
  tstp 3 2016/05/18 10:58:59;                 # time the lease state was sent to the failover partner
  cltt 3 2016/05/18 10:49:04;                 # client's last transaction time
  binding state free;                         # lease binding state, for example free or active
  hardware ethernet 30:3a:64:50:2d:32;        # client MAC address
  uid "\0010:dP-2";                           # client identifier
  set vendor-class-identifier = "MSFT 5.0";
}
lease 192.168.8.22 {
  starts 1 2016/06/14 16:55:13;               # lease start time
  ends 2 2016/06/14 17:05:13;                 # lease end time
  cltt 2 2016/06/14 16:55:13;                 # client's last transaction time
  binding state active;                       # binding state
  next binding state free;
  rewind binding state free;
  hardware ethernet 0c:1d:af:e3:ab:e0;        # client MAC address
  client-hostname "android-33afb4dbee873a4b"; # client host name
}
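The following Python script is an added example that is not part of the original article; it parses a dhcpd.leases file into one record per address and answers the question above directly: which MAC holds each active lease, and which addresses a given MAC has been given. It keeps only the last block for each IP, because dhcpd appends a new block every time a lease changes state and earlier blocks for the same address are stale. The sample text is constructed from the two leases shown above plus a later re-lease of 192.168.8.24 and a failover state block, which the parser skips; the function names are this example's own.

```python
import re
from datetime import datetime

# one "lease <ip> { ... }" block; the closing brace sits at the start of its line
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
TIME_KEYS = ("starts", "ends", "tstp", "tsfp", "atsfp", "cltt")
KEYS = ("next binding state", "rewind binding state", "binding state",
        "hardware ethernet", "client-hostname", "uid") + TIME_KEYS


def _parse_time(value):
    """'3 2016/05/18 10:48:59' -> datetime (the leading digit is the weekday); 'never' stays a string."""
    if value == "never":
        return value
    parts = value.split(None, 1)
    if parts[0].isdigit():
        value = parts[1]
    return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")


def parse_leases(text):
    """Return {ip: record}; a later block for the same ip replaces an earlier one."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        rec = {}
        for stmt in body.split(";"):
            stmt = stmt.split("#", 1)[0].strip()   # tolerate the annotated form shown above
            for key in KEYS:
                if stmt.startswith(key + " "):
                    value = stmt[len(key) + 1:].strip().strip('"')
                    rec[key] = _parse_time(value) if key in TIME_KEYS else value
                    break
        leases[ip] = rec
    return leases


def active_leases(leases):
    """{ip: mac} for leases whose binding state is active."""
    return {ip: r.get("hardware ethernet") for ip, r in leases.items()
            if r.get("binding state") == "active"}


def leases_for_mac(leases, mac):
    """Addresses whose current block belongs to the given client MAC (case-insensitive)."""
    mac = mac.lower()
    return sorted(ip for ip, r in leases.items()
                  if r.get("hardware ethernet", "").lower() == mac)


def state_counts(leases):
    """How many addresses are in each binding state (free, active, backup, ...)."""
    counts = {}
    for r in leases.values():
        state = r.get("binding state", "unknown")
        counts[state] = counts.get(state, 0) + 1
    return counts


# Constructed sample: the article's two leases, a failover state block, and a later
# block that re-leases 192.168.8.24 to a different client.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
failover peer "dhcp" state {
  my state normal at 1 2016/06/13 09:00:00;
  partner state normal at 1 2016/06/13 09:00:00;
}
lease 192.168.8.24 {
  starts 3 2016/05/18 10:48:59;
  ends 3 2016/05/18 10:58:59;
  tstp 3 2016/05/18 10:58:59;
  cltt 3 2016/05/18 10:49:04;
  binding state free;
  hardware ethernet 30:3a:64:50:2d:32;
  uid "\\0010:dP-2";
  set vendor-class-identifier = "MSFT 5.0";
}
lease 192.168.8.22 {
  starts 1 2016/06/14 16:55:13;
  ends 2 2016/06/14 17:05:13;
  cltt 2 2016/06/14 16:55:13;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 0c:1d:af:e3:ab:e0;
  client-hostname "android-33afb4dbee873a4b";
}
lease 192.168.8.24 {
  starts 2 2016/06/14 17:00:00;
  ends 2 2016/06/14 17:10:00;
  cltt 2 2016/06/14 17:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 02:00:00:00:00:10;
}
"""

if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for ip, mac in sorted(active_leases(leases).items()):
        print(f"{ip:<16} {mac}  {leases[ip].get('client-hostname', '')}")
    print("states:", state_counts(leases))
```

During the failover test in section IV, run it against both servers' lease files: after a lease changes hands the address should show the same MAC and binding state on both, and a growing "backup" count on only one server is the usual sign that the peers have stopped syncing.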
3. Troubleshooting commands
netstat -anp | grep dhcpd
netstat -anp | grep dhcpd is a Linux command for finding the listening DHCP server process (dhcpd). Its parts:
netstat: a tool that shows network information such as interface statistics, the routing table and active connections.
-a: show all connections and listening ports.
-n: show addresses and port numbers numerically.
-p: show the process ID and program name.
grep dhcpd: a text-search tool; it keeps only the lines of netstat's output that contain the string "dhcpd".
systemctl status dhcpd     # check the DHCP service status
systemctl stop dhcpd       # stop the DHCP service
systemctl restart dhcpd    # restart the DHCP service
tail -f /var/log/messages  # follow the system log in real time