Router Expert: DHCP services for WLANs


Michael J. Martin
04.24.2006


Our router expert continues his series on building a secure wireless LAN with a Linux base. The previous article discussed supporting 802.1q interfaces on Linux and Cisco IOS. This month, we will be configuring Dynamic Host Configuration Protocol (DHCP) services.

When it comes to implementing DHCP services, we have a choice between the DHCP server built into Cisco IOS (which I have covered in previous articles) and the Internet Systems Consortium's (ISC) DHCP server, which runs on the Linux server. We will be using the following network diagram for the implementation discussion:

[IMAGE]

Two key features about this implementation are:

The first feature requires us to set up 802.1q networking on the Linux server, which assumes that the server's kernel has 802.1q support built in (and it should if you have been following this series). We must configure the server's switch port as an 802.1q trunk and the server's interface to carry VLAN sub-interfaces. The switch part is easy. First, the port's trunk encapsulation protocol is set to dot1q. Once that's done, the port can be set as a trunk port and the permitted VLANs defined:

If you don't define the permitted VLANs, the switch will carry every VLAN configured on the switch across the port. This is not necessarily wrong, but it is better to define what traffic can traverse the port than to leave it up to the device on the other end: a trunk that carries every VLAN gives whoever controls the server (legitimately, or after a compromise) a tagged path into every one of them, so prune the allowed list to the VLANs the server actually serves. Here is what the final port configuration looks like:

Now we must configure the server. Red Hat does not support 802.1q sub-interfaces by default. The quickest way to get VLAN interfaces up and running is to disable the bootstrap network script /etc/rc3.d/S10network by renaming it to /etc/rc3.d/s10network (the rc process only runs links whose names begin with an upper-case S or K, and S10network is a per-runlevel link, so repeat the rename for any other runlevel the server boots into). The replacement script then has to do everything the stock one did, including bringing up the loopback and untagged interfaces, before it creates the VLAN sub-interfaces. We can then create our own network bootstrap script, like this example:

The script can be loaded at the end of the bootstrap process by adding it to the /etc/rc3.d/S99local bootstrap file (this will also be where we start the DHCP service):
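The following bootstrap script is an added example, not the article's own (that listing did not survive on this page). It brings up 802.1q sub-interfaces on the server's trunk port and is written to be called from rc.local once the stock network script is disabled. It assumes the trunk NIC is eth0, two VLANs (10 and 20) with RFC 5737 documentation addresses, and iproute2's `ip link ... type vlan` (the 2006-era tool was vconfig; the steps are the same). Nothing runs unless the script is invoked with the argument `apply`, so it can be sourced or tested safely.

```shell
#!/bin/sh
# Added example: bring up 802.1q VLAN sub-interfaces on a Linux trunk port.
# Assumptions: trunk interface eth0 and the VLAN/address list below.
TRUNK_IF=${TRUNK_IF:-eth0}

# One line per VLAN: "<vlan-id> <address/prefix>" (constructed example values).
VLANS='
10 192.0.2.1/24
20 198.51.100.1/24
'

# Reject anything outside the 802.1q VID range; 0 and 4095 are reserved.
valid_vid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Print the commands for one VLAN without running them (dry-run view).
vlan_cmds() {
    vid=$1; addr=$2
    valid_vid "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    printf 'ip link add link %s name %s.%s type vlan id %s\n' "$TRUNK_IF" "$TRUNK_IF" "$vid" "$vid"
    printf 'ip addr add %s dev %s.%s\n' "$addr" "$TRUNK_IF" "$vid"
    printf 'ip link set %s.%s up\n' "$TRUNK_IF" "$vid"
}

# Apply: load the 8021q module, bring up the trunk, then each sub-interface.
# Loopback and any untagged interfaces must be handled before this is called,
# because the stock S10network script no longer runs.
apply_vlans() {
    modprobe 8021q
    ip link set "$TRUNK_IF" up
    printf '%s\n' "$VLANS" | while read -r vid addr; do
        [ -n "$vid" ] || continue
        vlan_cmds "$vid" "$addr" | sh -e
    done
}

# Only act when run as "vlan-up.sh apply"; sourcing the file is side-effect free.
if [ "${1:-}" = apply ]; then
    apply_vlans
fi
```

On the Catalyst side the matching port configuration is the standard IOS trio `switchport trunk encapsulation dot1q`, `switchport mode trunk` and `switchport trunk allowed vlan 10,20`; adding `switchport nonegotiate` stops DTP from renegotiating the port's mode with whatever is plugged in. Those are ordinary IOS commands, not the page's missing listing.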

With the server's networking out of the way, we can get back to the decision about Cisco vs. ISC DHCP. The Cisco implementation is fine for most standard DHCP environments that require only the "basic" client options:

All of the above options are recognized by just about every DHCP client implementation available today and are generally all that is required to get a Windows, Mac OS X or Unix/Linux workstation on the network. That said, there are over 100 DHCP client options defined in the current IANA (Internet Assigned Numbers Authority) DHCP parameters document, and the Cisco DHCP implementation supports 12 of them. So if you plan to support any options beyond the basics, such as Web proxy auto-discovery (WPAD, the de facto option 252) or static route distribution (RFC 3442 classless static routes, option 121), ISC DHCP is the way to go.
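As an added example (not the article's configuration, which is promised for the next installment), here is a small shell wrapper that writes an ISC dhcpd.conf declaring the two non-basic options named above and, where dhcpd is installed, parse-checks it with `dhcpd -t` without starting the daemon. The subnet 192.0.2.0/24, the two gateways, the DNS address and wpad.example.com are assumed documentation values.

```shell
#!/bin/sh
# Added example: ISC dhcpd.conf carrying WPAD (252) and RFC 3442 routes (121).
# All addresses and names below are constructed for the example.
dhcpd_conf() {
    cat <<'EOF'
# Send DHCPNAK to clients that ask for an address that is wrong for this
# network; without this dhcpd stays silent and a client keeps a stale lease.
authoritative;
ddns-update-style none;
default-lease-time 3600;
max-lease-time 7200;

# ISC dhcpd only knows the named options it ships with, so WPAD and
# classless static routes are declared here by option code and data type.
option wpad code 252 = text;
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.199;
    option routers 192.0.2.1;
    option domain-name-servers 192.0.2.53;
    option domain-name "wlan.example.com";
    # Proxy auto-discovery URL for browsers that look up WPAD via DHCP.
    option wpad "http://wpad.example.com/wpad.dat";
    # RFC 3442 encoding: <prefix-len> <significant octets of dest> <gateway>.
    # 10.0.0.0/8 via 192.0.2.2, then 0.0.0.0/0 via 192.0.2.1. The default
    # route is repeated because clients that understand option 121 must
    # ignore option 3 (routers) when both are present.
    option rfc3442-classless-static-routes 8, 10, 192,0,2,2, 0, 192,0,2,1;
}
EOF
}

# Write the configuration to a file and parse-check it when dhcpd is present.
# Returns non-zero if dhcpd rejects the syntax.
check_conf() {
    conf=${1:-$(mktemp)}
    dhcpd_conf > "$conf"
    if command -v dhcpd >/dev/null 2>&1; then
        dhcpd -t -cf "$conf"
    else
        echo "dhcpd not installed; wrote $conf without parse-checking it" >&2
        return 0
    fi
}
```

Both options are handed out unauthenticated, like everything else in DHCP: any host on the WLAN segment that answers a DISCOVER before this server can push clients a different proxy URL or route set, so rogue-server protection on the access layer (DHCP snooping on the switches, with the server's port as the only trusted port) belongs with this configuration.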

Building the DHCP server
The ISC DHCP server is freely available from the ISC Web site. (ISC is also responsible for the BIND Domain Name Service daemon.) The ISC implementation is considered by most to be the "reference" DHCP distribution (many of its developers are members of the DHCP standards working group) and is part of most Unix/Linux distributions. The ISC DHCP daemon runs as root, and DHCP is by design an unauthenticated service that accepts packets from anyone on the segment, so any remotely triggerable bug in the daemon is a root compromise of the server. One way to reduce the impact is to run dhcpd in a chroot "jail": a directory tree "cell" holding only the configuration, log and lease-database files, executables and libraries the service needs, kept apart from the rest of the system. A chroot on its own is a weak boundary for a process that is still root, so the jail should be paired with dropping to an unprivileged user once the daemon has bound its sockets. ISC DHCP 3.0.x does not, however, support chroot or privilege dropping as part of the native implementation.

Luckily, programmer Ari Edelkind has written a patch called "paranoia" that adds exactly this: running ISC DHCP in a chroot cell and switching to a given user and group. To start the build process, we first download the patch file with wget. This can be done from any working directory, or you can create a build directory using the following:

The current version of ISC DHCP is 3.0.3. The "paranoia" chroot patch was tested by its author on ISC DHCP versions up to 3.0.1rc4. Security vulnerabilities were discovered in ISC DHCP versions 3.0p1, 3.0.1rc8, 3.0.1rc12 and 3.0.1rc13, and the patch fails to apply on 3.0.1rc14 and higher. So, in order to run a version of the ISC DHCP code that avoids those advisories and still supports the chroot option, we will use version 3.0.1rc11. Bear in mind that pinning a release candidate to suit a patch means forgoing whatever was fixed afterwards, so check the ISC advisory list for the version you settle on before deploying it. (Readers building on a current system should know that ISC DHCP 4.1 and later absorbed this patch's functionality behind the --enable-paranoia and --enable-early-chroot configure options, so the same -user, -group and -chroot flags are available without patching; ISC has since declared ISC DHCP end-of-life in favour of Kea.) Just like the patch file, we can download the code using wget:

Uncompress and extract the tar ball:

Move the patch file into the server directory of the DHCP source code directory:

Then apply the patch to dhcpd.c. If there are problems, patch reports the hunks it could not apply. Otherwise, you should just get a one-line notice naming the patched file, and the program exits:

With the patch file successfully applied, we run the configure command from the root of the source tree directory with the patch flags:

Then build the source:

Once the code is built, you have two options. You can run make install, which moves the binaries, man pages and configuration files into their default install locations. Or, you can move into the work.linux-2.2 directory:

You then manually install the server and man page files where you want them (for instance, into the chroot cell we are about to build). The first step is creating the user and group we want the dhcpd services to run under:

Then build the directories:

Now we need to create some special files and copy the libraries the daemon needs in order to run. Let's start with the device files:

Now we copy the /etc/localtime file to /usr/local/dhcpd/etc so the syslog messages have the correct time stamp information.

Once the device files are complete, we need to work out which shared libraries the daemon needs (ldd on the dhcpd binary lists them, along with the dynamic loader) and copy them into the chroot directory tree:

Now, let's install the daemon and create the dhcpd.leases file:

Now that all of the files are in place, we need to set ownership and permissions correctly: the daemon's binary, libraries and configuration stay root-owned and read-only for the dhcpd user, and only the lease-database directory is writable by it:

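The steps from creating the service account through fixing permissions, collected into one script as an added example (the article's own command listings are absent from this page). It assumes the jail root /usr/local/dhcpd, a dhcpd user and group, a freshly built binary at ./work.linux-2.2/server/dhcpd, and that the runtime flags are the -user, -group and -chroot options the paranoia patch adds (the same names ISC DHCP 4.x uses with --enable-paranoia). Creating users, device nodes and ownership needs root, so the script only acts when run as `sh build_jail.sh apply`; the helper functions can be exercised without privileges.

```shell
#!/bin/sh
# Added example: build and populate a chroot cell for a paranoia-patched dhcpd.
# Assumed paths and names; override through the environment.
JAIL=${JAIL:-/usr/local/dhcpd}
DHCP_USER=${DHCP_USER:-dhcpd}
DHCP_GROUP=${DHCP_GROUP:-dhcpd}
SRC_BIN=${SRC_BIN:-work.linux-2.2/server/dhcpd}

# Extract library paths from ldd output. Typical lines:
#   libc.so.6 => /lib/libc.so.6 (0x...)   -> /lib/libc.so.6
#   /lib64/ld-linux-x86-64.so.2 (0x...)   -> /lib64/ld-linux-x86-64.so.2
#   linux-vdso.so.1 (0x...)               -> skipped, no file on disk
parse_ldd() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//                { print $1 }
    '
}

# Directory tree: etc for dhcpd.conf and localtime, dev for device nodes,
# var/state/dhcp for the lease database, lib and usr/sbin for the daemon.
build_jail_tree() {
    root=$1
    for d in etc dev lib var/state/dhcp usr/sbin; do
        mkdir -p "$root/$d"
    done
    chmod 755 "$root" "$root/etc" "$root/dev" "$root/lib" "$root/usr/sbin"
}

# Copy every shared object the binary links against, preserving its path.
# The loader maps these before the chroot happens, so they matter mainly if
# you exec the daemon from inside the jail; the article's layout includes them.
copy_libs() {
    root=$1; bin=$2
    ldd "$bin" | parse_ldd | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp -p "$lib" "$root$lib"
    done
}

populate_jail() {
    root=$JAIL
    getent group "$DHCP_GROUP" >/dev/null || groupadd -r "$DHCP_GROUP"
    getent passwd "$DHCP_USER" >/dev/null || \
        useradd -r -g "$DHCP_GROUP" -d "$root" -s /sbin/nologin "$DHCP_USER"
    build_jail_tree "$root"
    # Device nodes: /dev/null for the daemon. Log messages need a /dev/log
    # socket inside the jail, which the host's syslogd creates when told to
    # listen there (syslogd -a $JAIL/dev/log, or the rsyslog equivalent).
    [ -c "$root/dev/null" ] || mknod -m 666 "$root/dev/null" c 1 3
    cp -p /etc/localtime "$root/etc/localtime"   # correct syslog time stamps
    install -m 755 "$SRC_BIN" "$root/usr/sbin/dhcpd"
    copy_libs "$root" "$root/usr/sbin/dhcpd"
    touch "$root/var/state/dhcp/dhcpd.leases"
    # Everything stays root-owned and read-only for the service account
    # except the lease directory, so a compromised daemon cannot rewrite
    # its own binary, libraries or configuration.
    chown -R "$DHCP_USER:$DHCP_GROUP" "$root/var/state/dhcp"
    chmod 750 "$root/var/state/dhcp"
    chmod 640 "$root/var/state/dhcp/dhcpd.leases"
}

# The start line for rc.local: chroot into the cell, then drop to dhcpd:dhcpd.
# Whether -cf/-lf paths are resolved before or after the chroot depends on
# the patch build (early chroot or not); mirror /etc/dhcpd.conf and
# /var/state/dhcp inside the jail, and confirm with strace on first start.
start_cmd() {
    printf '%s/usr/sbin/dhcpd -user %s -group %s -chroot %s\n' \
        "$JAIL" "$DHCP_USER" "$DHCP_GROUP" "$JAIL"
}

if [ "${1:-}" = apply ]; then
    populate_jail
    start_cmd
fi
```

After the first start, `ls -l /proc/$(pidof dhcpd)/root` should point at the jail and `ps -o user -p $(pidof dhcpd)` should show the dhcpd account rather than root; if either still shows the host root or the root user, the patch flags did not take effect and the jail is not doing anything.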
With the daemon installed and the chroot jail built, all that's left is to start the service (chrooted, and switched to the dhcpd user and group through the patch's flags) and set it to run when the system boots. We also must set up our DHCP scopes in the dhcpd.conf file. But those are projects for next time, so stay tuned.

>>Read the rest of the series.

Published on SearchNetworking.com. All Rights Reserved, Copyright 2000 - 2009, TechTarget.