Still pretty green at this, so here goes.
My biggest problem is that the modems are binding to the first CPE MAC address they see and do not permit other CPE devices until they (modems) have been offline for the uBR's 24 hr. host expiration time. 'clear cable host' does no good either. I've set max hosts to 8 on the uBR as well as max CPE's to 8. Still no dice. Modem configs have anywhere between 3 and 8 CPE's permitted. Various Surfboard, ARRIS, and Ambit modems all exhibit the same behavior.
I'd also like to do a combination of dynamic and static assignments for the CPE addresses. Something tells me the dynamic assignments won't have the same problem due to whatever source-verify stuff gets thrown into the dhcp request sequence -- which is obviously absent on CPE's set up with static addresses.
As usual, TIA for any guidance here. I need to get this server tightened up so I can concentrate on another provisioning system with actual point and click and warm fuzzy GUI stuff. ;-)
Poge
#############################################
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
#
##########################################################################
authoritative;
ddns-update-style none;
log-facility local6;
allow bootp;
allow booting;
allow unknown-clients;
deny client-updates;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2, 208.66.208.3;
option subnet-mask 255.255.0.0;
option broadcast-address 10.10.1.255;
option routers 10.1.0.1;
option time-servers 10.10.1.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
option tftp-server-name "10.10.1.3";
default-lease-time 604800;
max-lease-time 604800;
min-lease-time 302400;
###########################################################################
########## DHCPD did not like the following in various iterations, tho
########## did at least run with the CM Class. Not so with the CPE Class
#CM Class
class "CM"{
match if (substring(option vendor-class-identifier,0,6)="docsis");
spawn with option agent.remote-id;
}
#CPE Class
#class "CPE"{
#match if (substring(option vendor-class-indentifier,0,5)="pckt1");
#spawn with option agent.remote-id;
#}
###########################################################################
########## Establishing groups seems to work as expected ###########
group "Off"{
filename="off.bin";
option bootfile-name"off.bin";
}
group "256"{
filename="256.bin";
option bootfile-name"256.bin";
}
group "768"{
filename="768.bin";
option bootfile-name"768.bin";
}
group "1.5"{
filename="1.5.bin";
option bootfile-name"1.5.bin";
}
group "3.0"{
filename="3.0.bin";
option bootfile-name"3.0.bin";
}
group "Platinum"{
filename="platinum.bin";
option bootfile-name"platinum.bin";
}
###########################################################################
shared-network ClientNetwork {
authoritative;
deny client-updates;
allow unknown-clients;
subnet 208.66.214.0 netmask 255.255.255.0 {
range dynamic-bootp 208.66.214.10 208.66.214.254;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2 , 208.66.208.3;
option routers 208.66.214.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
}
# uBR Bundle 1
subnet 10.1.0.0 netmask 255.255.0.0 {
option time-offset -18000;
option ntp-servers 128.4.40.12;
authoritative;
deny client-updates;
allow unknown-clients;
range 10.1.0.4 10.1.254.254;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2 , 208.66.208.3;
option subnet-mask 255.255.0.0;
option broadcast-address 10.10.1.255;
option routers 10.1.0.1;
option time-servers 10.10.1.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
option tftp-server-name "10.10.1.3";
##########################################################################
############### Small sample of entries. CPE addresses are statically assigned,
############### but I'd like to do a combination of both static and dynamic.
############### Will covert all entries to groups for their config files.
##########################################################################
# Setup/Bench 1
host Setup1 {
hardware ethernet 00:1A:66:8B:F8:B4;
fixed-address 10.1.254.254;
group "3.0";
}
# Setup/Upgrade 2 (Ambit)
host Setup2 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:1c:26:85:b1:bd;
#fixed-address 10.1.254.254;
}
# CM-1000
host Meter-1 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:D0:DD:17:49:4D;
fixed-address 10.1.254.253;
}
# CM-1000
host Meter-2 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:D0:DD:17:34:70;
fixed-address 10.1.254.252;
}
# CM-1000
host Meter-3 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:D0:DD:15:15:6A;
fixed-address 10.1.254.251;
}
# Pitts, M. / 208.66.214.4
host 0001 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "768.bin";
filename "768.bin";
hardware ethernet 00:13:71:18:8C:C4;
fixed-address 10.1.0.4;
}
# Bench 402 / 208.66.214.5
host ARRIS {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:13:11:B3:62:0A;
fixed-address 10.1.0.5;
}
# Eric / 208.66.214.6
host 0002 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:14:E8:23:04:78;
fixed-address 10.1.0.6;
}
}
}
subnet 10.10.0.0 netmask 255.255.0.0 {
}
[poge@Newtrick ~]$
# Global Directives any setting here is applied to everything globally
# generally only server directives go here
#Make the server authoritive
authoritative;
# Don't do DDNS updates and ignore the client generated ones
# ignore is better than deny because it does not process them at all
ddns-update-style none;
ignore client-updates;
# send logs to local6
log-facility local6;
#Set default lease settings
default-lease-time 604800;
max-lease-time 604800;
min-lease-time 302400;
###########################################################################
#unless your doing something with agent.remote-id, i.e. limiting lease count based on it
# use spawn with hardware (i.e. mac address)
#CM Class will match docsis modems
# may need to create a class for lancity modems if this server is to be used for them too.
# or since they are going away eventually you could also subclass them in manually
# subclass "CM" 00:00:00:00:00:00; # mac of LAN city modem
class "CM" {
# only match if first 6 chars of option 61 are docsis
match if (substring(option vendor-class-identifier,0,6) = "docsis");
spawn with hardware;
}
# Class for MTAs
class "MTA" {
match if (substring(option vendor-class-identifier,0,4) != "pktc"));
spawn with hardware;
}
class "CPE" {
match if ((substring(option vendor-class-identifier,0,6) != "docsis")
and (substring(option vendor-class-identifier,0,4) != "pktc"));
spawn with hardware;
}
###########################################################################
########## Establishing groups seems to work as expected ###########
group "Off"{
filename="off.bin";
option bootfile-name"off.bin";
}
group "256"{
filename="256.bin";
option bootfile-name"256.bin";
}
group "768"{
filename="768.bin";
option bootfile-name"768.bin";
}
group "1.5"{
filename="1.5.bin";
option bootfile-name"1.5.bin";
}
group "3.0"{
filename="3.0.bin";
option bootfile-name"3.0.bin";
}
group "Platinum"{
filename="platinum.bin";
option bootfile-name"platinum.bin";
}
###########################################################################
shared-network CableNetwork {
# Assuming these are the client ips
subnet 208.66.214.0 netmask 255.255.255.0 {
allow members of "CPE";
# if this is your MTA pool
# allow members of "MTA";
deny members of "CM";
# does not appear you are authorizing clients so
allow unknown-clients;
# you don't need dynamic bootp for clients, unless you have some really old
# i.e. circa 1996 hardware you need to boot up
range 208.66.214.10 208.66.214.254;
# Domain name is probably not needed unless it is for MTAs too
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2 , 208.66.208.3;
option routers 208.66.214.1;
}
# Docsis Cable modems
subnet 10.1.0.0 netmask 255.255.0.0 {
allow members of "CM";
deny members of "CPE";
deny members of "MTA";
option time-offset -18000;
option ntp-servers 128.4.40.12;
#Probably don't want to not allow unknown-clients if your putting a host entry in
#for each modem because modems won't work with out a config file and one is
#not specified here deny unknown-clients; is the default
#allow unknown-clients;
#you should not include addresses in this range that you plan on using as fixed-addresses adjust accordinglingly
range 10.1.0.4 10.1.254.254;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2 , 208.66.208.3;
option routers 10.1.0.1;
option time-servers 10.10.1.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
option tftp-server-name "10.10.1.3";
}
}
##########################################################################
############### Small sample of entries. CPE addresses are statically assigned,
############### but I'd like to do a combination of both static and dynamic.
############### Will covert all entries to groups for their config files.
##########################################################################
# Hosts do not belong in shared-network or subnet declarations, hosts are global regardless of
#where they are in the config
# Setup/Bench 1
host Setup1 {
hardware ethernet 00:1A:66:8B:F8:B4;
fixed-address 10.1.254.254;
group "3.0";
}
# Setup/Upgrade 2 (Ambit)
host Setup2 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:1c:26:85:b1:bd;
#fixed-address 10.1.254.254;
}
# CM-1000
host Meter-1 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:D0:DD:17:49:4D;
fixed-address 10.1.254.253;
}
# CM-1000
host Meter-2 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:D0:DD:17:34:70;
fixed-address 10.1.254.252;
}
# CM-1000
host Meter-3 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:D0:DD:15:15:6A;
fixed-address 10.1.254.251;
}
# Pitts, M. / 208.66.214.4
host 0001 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "768.bin";
filename "768.bin";
hardware ethernet 00:13:71:18:8C:C4;
fixed-address 10.1.0.4;
}
# Bench 402 / 208.66.214.5
host ARRIS {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:13:11:B3:62:0A;
fixed-address 10.1.0.5;
}
# Eric / 208.66.214.6
host 0002 {
server-name "10.10.1.3";
option time-servers 10.10.1.1;
option bootfile-name "platinum.bin";
filename "platinum.bin";
hardware ethernet 00:14:E8:23:04:78;
fixed-address 10.1.0.6;
}
# Assuming this is the subnet of the Ethernet interface on the DHCP Server
subnet 10.10.0.0 netmask 255.255.0.0 {
}
Was off all week and am just getting back to this. Here's what I have now based on what I *thought* was being suggested. DHCPD complained a little bit here and there, but I think I corrected most everything except the classes. Still doesn't like how that's being attempted and I still have the same MAC binding issue as before.
####################################################################################
#
# DHCP Server Configuration file.
#
#
authoritative;
ddns-update-style none;
log-facility local6;
allow bootp;
allow booting;
allow unknown-clients;
ignore client-updates;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2, 208.66.208.3;
option subnet-mask 255.255.0.0;
option broadcast-address 10.10.1.255;
option routers 10.1.0.1;
option time-servers 10.10.1.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
option tftp-server-name "10.10.1.3";
default-lease-time 604800;
max-lease-time 604800;
min-lease-time 302400;
#####################################################################
#CM Class
class "CM"{
match if (substring(option vendor-class-identifier,0,6)="docsis");
spawn with hardware;
}
#MTA Class
class "MTA"{
match if (substring(option vendor-class-identifier,0,4)="pktc");
spawn with hardware;
}
#CPE Class
class "CPE"{
match if ((substring(option vendor-class-identifier,0,6)!="docsis")and
(substring(option vendor-class-identifier,0,4)!="pktc"));
spawn with hardware;
}
group "Off"{
filename="off.bin";
option bootfile-name"off.bin";
}
group "256"{
filename="256.bin";
option bootfile-name"256.bin";
}
group "768"{
filename="768.bin";
option bootfile-name"768.bin";
}
group "1.5"{
filename="1.5.bin";
option bootfile-name"1.5.bin";
}
group "3.0"{
filename="3.0.bin";
option bootfile-name"3.0.bin";
}
group "Platinum"{
filename="platinum.bin";
option bootfile-name"platinum.bin";
}
#####################################################################
Host Entries
#####################################################################
shared-network ClientNetwork {
subnet 208.66.214.0 netmask 255.255.255.0 {
authoritative;
ignore client-updates;
allow unknown-clients;
#allow members of"CPE";
#deny members of"CM";
range 208.66.214.50 208.66.214.254;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2, 208.66.208.3;
option routers 208.66.214.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
}
# uBR Bundle 1
subnet 10.1.0.0 netmask 255.255.0.0 {
authoritative;
ignore client-updates;
deny unknown-clients;
range 10.1.0.4 10.1.254.254;
#allow members of"CM";
#deny members of"CPE";
option time-offset -18000;
option ntp-servers 128.4.40.12;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2 , 208.66.208.3;
option subnet-mask 255.255.0.0;
option broadcast-address 10.10.1.255;
option routers 10.1.0.1;
option time-servers 10.10.1.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
option tftp-server-name "10.10.1.3";
}
}
subnet 10.10.0.0 netmask 255.255.0.0 {
}
[poge@Newtrick ~]$
##########################################################################
The member error for the class stuff....
##########################################################################
[root@Newtrick ~]# dhcpd eth1
Internet Systems Consortium DHCP Server V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
/etc/dhcpd.conf line 874: expecting allow/deny key
allow members
^
/etc/dhcpd.conf line 874: expecting a parameter or declaration
allow members of"CPE";
^
/etc/dhcpd.conf line 890: expecting allow/deny key
allow members
^
/etc/dhcpd.conf line 890: expecting a parameter or declaration
allow members of"CM";
^
Configuration file errors encountered -- exiting
##############################################################
TIA for any additional assistance. I'd read up on all this stuff if I actually had the time, so your help
is tremendously appreciated in the interim!!!
Poge
first and foremost
# there is absolutely no reason to enable these setting globally, doing so may be the root cause of your problem these settings belong in a shared-network or subnet declaration, and therefore apply only to that subnet or shared-network
#allow bootp;
#allow booting;
#allow unknown-clients;
#option subnet-mask 255.255.0.0;
#option broadcast-address 10.10.1.255;
#option routers 10.1.0.1;
#these settings probably do not belong in the global scope, i.e. applied to every device that hits this server.
# Cable modems don't need DNS, CPEs do not need TFTP servers or log servers etc.
ignore client-updates;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2, 208.66.208.3;
option time-servers 10.10.1.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
option tftp-server-name "10.10.1.3";
Next
allow members of "CM" #note the space between of and "CM", thats what DHCP is complaining about. Something in this blog software is explicitly removing that space, i had to add it by using
classes in dhcpd exist to deifferentiate different types of devices
for example this class will only match if a docsis cable modem requests an IP from this server.
#CM Class
class "CM"{
match if (substring(option vendor-class-identifier,0,6)="docsis");
spawn with hardware;
}
the
allow memers of "classname";
and
deny members of "classname";
are used to constrain specific type of hardware to a specific subnet or shared-network
i.e. cable modems get ips from the CM Subnet, CPEs get addresses from the CPE subnet
next
I would avoid the use of
allow unknown-clients;
except possibly in CPE subnets.
This declaration specifically allows any device to obtain dhcp information, I doubt this is what you want for your cable modems, as you want to use a host declaration to declare what config it gets possibly fixed-address etc..
finally
avoid the use of
option subnet-mask 255.255.0.0;
option broadcast-address 10.10.1.255;
dhcpd is smart enough to know that if you declared a subnet as
subnet 10.1.0.0 netmask 255.255.0.0 {
that its subnet mask is 255.255.0.0 and that its broadcast address is 10.1.255.255 not 10.10.1.255 as you stated(which is not even in the same subnet)
dhcpd calculates these settings and sends them to devices that request them.
those settings applied globally are likely the culprit of your issue, you are essentially telling every client who gets a 208.64.xxx.xxx ip that its subnet is 255.255.0.0 and its broadcast address is 10.10.1.255, which would cause most networking hardware to ignore your dhcp offer because it would not pass a sanity check, frankly I am surprised anything was able to work with those global settings
Believe me I know all about being busy, but, take the time to read the dhcpd man pages at least, there are only 3-5 of them it will take you a half hour at most but most of what I am trying to tell you will make a lot more sense if you do.
>take the time to read the dhcpd man pages...
Reading them and getting a grip on them are two different animals, but I have read them. And I generally understand what you're explaining. It's more like a "forest for the trees" or "if it were snake it woulda bit me" kind of thing right now.
The latest attempt with some progress after setting up the pools to eliminate the complaining about the classes. Dynamic assignments for modems now works, but that's not the objective or the desire. Have also played with variations I've seen specified for the class substring definitions for the CPE class, but still no dynamic addresses are getting to CPE's and the MAC binding issue for static CPE assignments behind the modems persists.
Back to the man pages, but here's the latest...
And if it weren't fun...
#
authoritative;
ddns-update-style none;
log-facility local6;
ignore client-updates;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2, 208.66.208.3;
option time-servers 10.10.1.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
option tftp-server-name "10.10.1.3";
default-lease-time 604800;
max-lease-time 604800;
min-lease-time 302400;
#####################################################################
#CM Class
class "CM"{
match if (substring(option vendor-class-identifier,0,6)="docsis");
spawn with hardware;
}
#MTA Class
class "MTA"{
match if (substring(option vendor-class-identifier,0,4)="pktc");
spawn with hardware;
}
#CPE Class
class "CPE"{
match if ((substring(option vendor-class-identifier,0,6)!="docsis")
and(substring(option vendor-class-identifier,0,5)!="pktc1"));
spawn with hardware;
}
#####################################################################
group "Off"{
filename="off.bin";
option bootfile-name"off.bin";
}
group "256"{
filename="256.bin";
option bootfile-name"256.bin";
}
group "768"{
filename="768.bin";
option bootfile-name"768.bin";
}
group "1.5"{
filename="1.5.bin";
option bootfile-name"1.5.bin";
}
group "3.0"{
filename="3.0.bin";
option bootfile-name"3.0.bin";
}
group "Platinum"{
filename="platinum.bin";
option bootfile-name"platinum.bin";
}
#####################################################################
# Setup/Bench 1 / Obvious Static Assignment
host Setup1 {
hardware ethernet 00:1A:66:8B:F8:B4;
fixed-address 10.1.254.254;
group "3.0";
}
# Setup/Upgrade 2 Dynamic Assignment Which Works
host Setup2 {
hardware ethernet 00:20:40:4D:34:4E;
group "Platinum";
}
#####################################################################
shared-network OberlinNetwork {
# uBR Bundle 1 / Cable Modems
subnet 10.1.0.0 netmask 255.255.0.0 {
option routers 10.1.0.1;
authoritative;
ignore client-updates;
deny unknown-clients;
option time-offset -18000;
option ntp-servers 128.4.40.12;
option time-servers 10.10.1.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
option tftp-server-name "10.10.1.3";
pool{
range 10.1.1.4 10.1.252.254;
allow members of "CM";
deny members of "CPE";
}
}
#Client Network CPE's
subnet 208.66.214.0 netmask 255.255.255.0 {
option routers 208.66.214.1;
authoritative;
ignore client-updates;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2, 208.66.208.3;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
pool{
range 208.66.214.50 208.66.214.254;
allow members of "CPE";
deny members of "CM";
}
}
}
subnet 10.10.0.0 netmask 255.255.0.0 {
}
[poge@Newtrick ~]$
Can you post the log entries from dhcpd i.e. the DHCPDISCOVER, DHCPOFFER etc... line with the relevant mac address that are not working
>Can you post the log entries from dhcpd i.e. the DHCPDISCOVER, DHCPOFFER etc... line with the relevant mac address that are not working
Checked into that this afternoon after much experimentation. Didn't see any entries relative to the situation at hand. Even tried creating a CPE host entry with fixed address for the bench modem with no luck. Tried sniffing the dhcp request from the CPE and didn't even see anything -- like the modem is shutting off the CPE access, but the modem config is set to allow network access with 3 CPE's.
Kitchen sink configs and logs coming at you tomorrow. I'm fried and obviously missing something simple or just not understanding something simple.
I have a whole new bag o' snakes of provisioning software to get to asap, but this is probably good for me for general understanding anyway. Just not going very well right now.
BTW, I did try a different bench modem with the same results.
Thanks.
Poge
Was misinterpreting these dhcpd log entries as a NAT on the 132.162.193.0 network in dhcp mode instead of using its static address.
Aug 3 22:20:11 Newtrick dhcpd: DHCPDISCOVER from 00:17:31:ed:56:c6 via 132.162.193.1: unknown network segment
Then I started seeing them from the laptop MAC I was using on the bench. Hmmmm. That gateway address is exclusive to a small batch of NAT boxes behind docsis modems for a small college network segment and is a secondary on cable Bundle 1 -- not even a subnet in the dhcpd shared network.
Time to re-investigate the uBR config and found cable dhcp-giaddr set to 'policy' which evidently uses the first secondary address it sees as the giaddr for hosts (or was deferring to my ip policy route-map for the college which obviously uses that gateway address).
interface Bundle1
ip address 132.162.193.1 255.255.255.0 secondary
ip address 208.66.214.1 255.255.255.0 secondary
ip address 10.1.0.1 255.255.0.0
ip policy route-map COLLEGE
cable arp filter request-send 3 2
cable arp filter reply-accept 3 2
cable dhcp-giaddr policy
cable helper-address 10.10.1.3
Switched cable dhcp-giaddr to 'primary' and got rid of the college gateway error, but then all host requests were hitting the server via 10.1.0.1 which should evidently just be the gateway address for the modems and not CPE hosts?
Aug 4 12:34:10 Newtrick dhcpd: DHCPDISCOVER from 00:e0:b8:ac:45:93 via 10.1.0.1
Aug 4 12:34:11 Newtrick dhcpd: DHCPOFFER on 208.66.214.253 to 00:e0:b8:ac:45:93 (Broadway) via 10.1.0.1
Aug 4 12:34:14 Newtrick dhcpd: DHCPDISCOVER from 00:e0:b8:ac:45:93 (Broadway) via 10.1.0.1
Aug 4 12:34:14 Newtrick dhcpd: DHCPOFFER on 208.66.214.253 to 00:e0:b8:ac:45:93 (Broadway) via 10.1.0.1
Then I re-ordered the secondary addresses on Bundle 1 so the 214.1 gateway would be the first in the order to see if that made any difference with dhcp-giaddr set back to 'policy'...
interface Bundle1
ip address 208.66.214.1 255.255.255.0 secondary
ip address 132.162.193.1 255.255.255.0 secondary
ip address 10.1.0.1 255.255.0.0
ip policy route-map COLLEGE
cable arp filter request-send 3 2
cable arp filter reply-accept 3 2
cable dhcp-giaddr policy
cable helper-address 10.10.1.3
and got a bunch of this, so I'm getting somewhere...sorta...
Aug 4 12:49:07 Newtrick dhcpd: DHCPREQUEST for 10.1.252.254 (10.10.1.3) from:20:40:4d:34:4e via 10.1.0.1
Aug 4 12:49:07 Newtrick dhcpd: DHCPACK on 10.1.252.254 to 00:20:40:4d:34:4e via 10.1.0.1
Aug 4 12:49:11 Newtrick dhcpd: DHCPDISCOVER from 00:e0:b8:ac:45:93 (Broadway) via 208.66.214.1
Aug 4 12:49:12 Newtrick dhcpd: DHCPOFFER on 208.66.214.253 to 00:e0:b8:ac:45:93 (Broadway) via 208.66.214.1
...just no ACK for the CPE offer.
Comments? Suggestions?
Poge
When you use a shared network, it does not matter if your dhcp requests come from any subnet, it treats all the subnets as if they were the same subnet.
that being said, your devices are requesting an IP and receiving a response to that request, and either are ignoring it because it contains obvious errors, i.e. gateway is not contained in subnet etc.. or when configuring itself with the supplied ip it cannot communicate with the dhcp server.
things to check now:
first need a dump of the DHCPOFFER from the DHCP server to the client so we can check the obvious stuff.
second, manually configure your cpe with the correct IP and make sure you can talk to the DHCP server i.e. ping, could be an access-list or firewall preventing you from getting back.
helpful tidbit
DHCPDISCOVER -- Broadcast client->server
DHCPOFFER -- Broadcast server->client
DHCPREQUEST -- Unicast client->server
DHCPACK -- Unicast server->client
so the dhcp server is hearing the broadcast DHCPDISCOVER and sending a DHCPOFFER back broadcast to the client, if you run wireshark on the client do you see the DHCPOFFER. Once the client hears the DHCPOFFER it is supposed to configure itself with the supplied address and gateway and other settings and unicast back to the dhcp server using a DHCPREQUEST, which the dhcp server should respond with a DHCPACK when all is working.
judging by what is happening, my guess is either you have a routing problem i.e. 208.66.214.253 cannot route to the dhcp server or
you have an access list problem, i.e. you have blocked dhcpd traffic from the 208.66.214 subnet.
> a dump of the DHCPOFFER from the DHCP server to the client
The client doesn't see the offers
No. Time Source Destination Protocol Info
51 95.713331 208.66.214.1 10.10.1.3 DHCP DHCP Discover - Transaction ID 0x8eb44fb3
Frame 51 (357 bytes on wire, 357 bytes captured)
Ethernet II, Src: Cisco_64:c0:1c (00:02:7d:64:c0:1c), Dst: Cisco-Li_56:c8:8b (00:14:bf:56:c8:8b)
Internet Protocol, Src: 208.66.214.1 (208.66.214.1), Dst: 10.10.1.3 (10.10.1.3)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootps (67)
Bootstrap Protocol
No. Time Source Destination Protocol Info
52 95.718055 10.10.1.3 208.66.214.1 DHCP DHCP Offer - Transaction ID 0x8eb44fb3
Frame 52 (349 bytes on wire, 349 bytes captured)
Ethernet II, Src: Cisco-Li_56:c8:8b (00:14:bf:56:c8:8b), Dst: Cisco_64:c0:1c (00:02:7d:64:c0:1c)
Internet Protocol, Src: 10.10.1.3 (10.10.1.3), Dst: 208.66.214.1 (208.66.214.1)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootps (67)
Bootstrap Protocol
> manually configure your cpe with the correct IP and make sure you can talk to the DHCP server
I have 40 or so modems set up on that subnet which can talk to the dhcp server, though they don't need to with static addresses. In other words, the routes are there in both directions.
> if you run wireshark on the client do you see the DHCPOFFER
No.
> judging by what is happening, my guess is either you have a routing problem i.e. 208.66.214.253 cannot route to the dhcp server or you have an > access list problem, i.e. you have blocked dhcpd traffic from the 208.66.214 subnet.
Here's where it gets interesting. If I put a NAT box between the client and the modem with either a static or dhcp public address, the CPE gets online with a private address assigned by the NAT. And the NAT will indeed pull a dynamic IP assignment from the dhcp server.
Aug 6 11:44:04 Newtrick dhcpd: DHCPDISCOVER from 00:13:46:cc:21:17 (DI-604) via 208.66.214.1
Aug 6 11:44:05 Newtrick dhcpd: DHCPOFFER on 208.66.214.252 to 00:13:46:cc:21:17 (DI-604) via 208.66.214.1
Aug 6 11:44:05 Newtrick dhcpd: DHCPREQUEST for 208.66.214.252 (10.10.1.3) from 00:13:46:cc:21:17 (DI-604) via 208.66.214.1
Aug 6 11:44:05 Newtrick dhcpd: DHCPACK on 208.66.214.252 to 00:13:46:cc:21:17 (DI-604) via 208.66.214.1
AND this was a newly provisioned TM402G that had never seen a CPE MAC address yet.... (the others had all been SB4100's, 5100's and 5120's)
Aug 6 13:08:44 Newtrick dhcpd: DHCPDISCOVER from 00:e0:b8:ac:45:93 (Broadway) via 208.66.214.1
Aug 6 13:08:45 Newtrick dhcpd: DHCPOFFER on 208.66.214.253 to 00:e0:b8:ac:45:93 (Broadway) via 208.66.214.1
Aug 6 13:08:45 Newtrick dhcpd: DHCPREQUEST for 208.66.214.253 (10.10.1.3) from 00:e0:b8:ac:45:93 (Broadway) via 208.66.214.1
Aug 6 13:08:45 Newtrick dhcpd: DHCPACK on 208.66.214.253 to 00:e0:b8:ac:45:93 (Broadway) via 208.66.214.1
Bingo.
So now I'm really scratching my head. Pulled a new virgin 5120 out of the box now thinking there's some type of cache issue or something that's not releasing the CPE MAC address and seeing a conflict each time its attempted to be used behind another device -- at least for the MOTO modems. New 5120 would NOT allow the CPE to see the DHCPOFFER. Stick the DI-604 NAT box in between em and bingo again -- no problem.
It's almost like the ethernet interface of the modems is being disabled due to them not releasing the MAC binding to the CPE and thinking there's a hardware conflict somewhere. Is this possibly a Motorola thing?
So here's the Kitchen Sink for review...
As usual, mucho TIA.
Poge
oberlin-uBR7246#sh run
Building configuration...
Current configuration : 11492 bytes
!
! Last configuration change at 14:00:29 EDT Wed Aug 4 2010
! NVRAM config last updated at 14:02:07 EDT Wed Aug 4 2010
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
service linenumber
service udp-small-servers max-servers no-limit
!
hostname oberlin-uBR7246
!
boot-start-marker
boot system disk0:ubr7200-ik8su2-mz.123-23.BC7.bin
boot bootldr disk0:/ubr7200-boot-mz.120-15.SC
boot-end-marker
!
logging buffered 1000000 debugging
no logging console
enable secret 5 $1$ltFZ$sryHiSXB0VXidzjGSM0MR/
enable password 7 0559125A00435923
!
clock timezone EDT -5
clock summer-time EDT recurring
fastether transmit store_and_forward enable
cable admission-control preempt priority-voice
cable modem max-cpe 8
cable qos profile 8
cable qos profile 10
cable qos profile 10 grant-size 1500
cable qos profile 12 guaranteed-upstream 100000
no cable qos permission create
no cable qos permission update
cable qos permission modems
cable time-server
no aaa new-model
ip subnet-zero
!
!
ip cef
ip domain name oberlin.net
ip name-server 208.66.208.2
ip dhcp relay information option
!
!
interface FastEthernet0/0
ip address 132.162.199.19 255.255.255.248 secondary
ip address 208.66.209.10 255.255.255.0
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex full
!
interface FastEthernet1/0
ip address 10.10.1.1 255.255.255.0
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex full
!
interface FastEthernet1/1
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
duplex full
!
interface Cable3/0
no ip address
cable shared-secret 7 055C515F731A1B5C4B5C46
no cable packet-cache
cable max-hosts 8
cable bundle 1
cable downstream channel-id 0
cable downstream annex B
cable downstream modulation 64qam
cable downstream interleave-depth 32
cable upstream 0 frequency 39008000
cable upstream 0 docsis-mode tdma
cable upstream 0 channel-width 3200000
cable upstream 0 minislot-size 2
cable upstream 0 power-level 0
cable upstream 0 modulation-profile 1
no cable upstream 0 shutdown
cable upstream 1 frequency 39008000
cable upstream 1 docsis-mode tdma
cable upstream 1 channel-width 3200000
cable upstream 1 minislot-size 2
cable upstream 1 power-level 0
cable upstream 1 modulation-profile 1
no cable upstream 1 shutdown
cable upstream 2 frequency 39008000
cable upstream 2 docsis-mode tdma
cable upstream 2 channel-width 3200000
cable upstream 2 minislot-size 2
cable upstream 2 power-level 0
cable upstream 2 modulation-profile 1
no cable upstream 2 shutdown
cable upstream 3 frequency 39008000
cable upstream 3 docsis-mode tdma
cable upstream 3 channel-width 3200000
cable upstream 3 minislot-size 2
cable upstream 3 power-level 0
cable upstream 3 modulation-profile 1
no cable upstream 3 shutdown
cable upstream 4 frequency 39008000
cable upstream 4 docsis-mode tdma
cable upstream 4 channel-width 3200000
cable upstream 4 minislot-size 2
cable upstream 4 power-level 0
cable upstream 4 modulation-profile 1
no cable upstream 4 shutdown
cable upstream 5 frequency 39008000
cable upstream 5 docsis-mode tdma
cable upstream 5 channel-width 3200000
cable upstream 5 minislot-size 2
cable upstream 5 power-level 0
cable upstream 5 modulation-profile 1
cable upstream 5 shutdown
no keepalive
interface Bundle1
ip address 208.66.214.1 255.255.255.0 secondary
ip address 208.66.215.1 255.255.255.0 secondary
ip address 132.162.193.1 255.255.255.0 secondary
ip address 10.1.0.1 255.255.0.0
ip policy route-map COLLEGE
cable arp filter request-send 3 2
cable arp filter reply-accept 3 2
cable dhcp-giaddr policy
cable helper-address 10.10.1.3
!
ip default-gateway 208.66.209.1
ip classless
ip route 0.0.0.0 0.0.0.0 208.66.209.1
no ip http server
no ip http secure-server
!
!
cdp run
!
cpd cr-id 1
nls resp-timeout 1
route-map COLLEGE permit 10
match ip address 32
set ip next-hop 132.162.xxx.x
!
##################################################################
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
#
authoritative;
ddns-update-style none;
log-facility local6;
ignore client-updates;
allow bootp;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2, 208.66.208.3;
option time-servers 10.10.1.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
option tftp-server-name "10.10.1.3";
default-lease-time 604800;
max-lease-time 604800;
min-lease-time 302400;
#####################################################################
#CM Class
class "CM"{
match if (substring(option vendor-class-identifier,0,6)="docsis");
spawn with hardware;
}
#MTA Class
class "MTA"{
match if (substring(option vendor-class-identifier,0,4)="pktc");
spawn with hardware;
}
#CPE Class
class "CPE"{
match if ((substring(option vendor-class-identifier,0,6)!="docsis")and(substring(option vendor-class-identifier,0,4)!="pktc"));
spawn with hardware;
}
#####################################################################
group "Off"{
filename="off.bin";
option bootfile-name"off.bin";
}
group "256"{
filename="256.bin";
option bootfile-name"256.bin";
}
group "768"{
filename="768.bin";
option bootfile-name"768.bin";
}
group "1.5"{
filename="1.5.bin";
option bootfile-name"1.5.bin";
}
group "3.0"{
filename="3.0.bin";
option bootfile-name"3.0.bin";
}
group "Platinum"{
filename="platinum.bin";
option bootfile-name"platinum.bin";
}
#####################################################################
#Test 1
host Test1 {
hardware ethernet 00:1A:de:77:4a:0e;
group "Platinum";
}
#Test 2
host Ambit {
hardware ethernet 00:1c:26:85:b1:bd;
group "Platinum";
}
# Setup/Bench 1
host Setup1 {
hardware ethernet 00:1A:66:8B:F8:B4;
fixed-address 10.1.254.254;
group "3.0";
}
# Setup/Upgrade 2 (4100)
host Setup2 {
hardware ethernet 00:20:40:4D:34:4E;
#fixed-address 10.1.254.254;
group "Platinum";
}
################################################################
shared-network OberlinNetwork {
# uBR Bundle 1 / Cable Modems
subnet 10.1.0.0 netmask 255.255.0.0 {
option routers 10.1.0.1;
authoritative;
ignore client-updates;
deny unknown-clients;
option time-offset -18000;
option ntp-servers 128.4.40.12;
option time-servers 10.10.1.1;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
option tftp-server-name "10.10.1.3";
pool{
range 10.1.1.4 10.1.252.254;
allow members of "CM";
}
}
#Client Network CPE's
subnet 208.66.214.0 netmask 255.255.255.0 {
option routers 208.66.214.1;
authoritative;
ignore client-updates;
option domain-name "oberlin.net";
option domain-name-servers 208.66.208.2, 208.66.208.3;
option log-servers 10.10.1.3;
next-server 10.10.1.3;
pool{
range 208.66.214.50 208.66.214.254;
allow members of "CPE";
deny members of "CM";
}
}
}
subnet 10.10.0.0 netmask 255.255.0.0 {
}
#########################################################
And incredibly vanilla DOCSIS 1.0 Config files all the way around.....
#########################################################
generator=docsis-generic
spec_name=Generic DOCSIS 1.0
option Network Access Control = true
option Class of Service = { Class ID = 1 },
{ Maximum Downstream Rate = 10240000 },
{ Maximum Upstream Rate = 5120000 },
{ Upstream Channel Priority = 7 },
{ Guaranteed Minimum Upstream Channel Data Rate = 0 },
{ Maximum Upstream Channel Transmit Burst = 0 },
{ Class of Service Privacy Enable = false }
option Maximum Number of CPEs = 8
######################################################
you do not state what kind of client your using, but if I had to guess, I would imagine it is a Windows XP box, if so I would suggest using a tool called WinsockXPFix, windows xp's network stack is known to have weird things like that happen from time to time running this tool resets tcp/ip and resolves a lot of these weird problems.
if its not windows xp, and its a linux box you could check dhclients config and make sure there is no weird settings.
the one piece of information that might be pertinent is the contents of access-list 32 since you are forwarding all traffic that matches that access-list to a different router (non CMTS I imagine)
...but we've seen this behavior with other OS's and CPE devices (Airports come to mind) in the past as well. But I may have fixed it and didn't know it until today taking your lead and thinking client behavior. Up until today my testing has essentially consisted of swapping modems, fixed and dynamic addresses, diddling with dhcpd.conf and a few CMTS items, saving changes, then rebooting modem and client to see what would happen. After my last batch of changes everything *seemed* like it should work, and kinda did with the ARRIS 402's, but the MOTO's were still not cooperating even after the device and client reboots. Could get to the modem web interface, modems saw correct CPE MAC(S), but no traffic out of the modem or to the client relative to the outside IP world and no ack of any CPE behind the modem in the uBR -- until I actually power cycled the client for its reboot when switching modems/settings instead of just doing a "restart". Yay!!! Still doesn't explain why the ARRIS didn't present any problems, but I'm not asking any questions at this point and just heading on down the road from here with fingers crossed that things keep working.
Many thanks for the patience and input. I learned a lot, even though I don't quite understand it all or what actually got fixed.
So upward and onward trying to get filters working with the modem config files. Thought I had those all worked out, but evidently not quite yet. Arrrgh.
BTW, access-list 32 is the Oberlin College network route-map piece and is exclusively their address space for the off-campus housing network we provide for them -- hence my rather urgent need to get some filters into these modems before the students return en masse over the next week or so!!!
Thanks again.
Poge
however, only windows 2000/xp require a reset of tcp/ip to fix it most other devices, linksys routers, Airports, linux devices etc.. only require a reboot, or a reacquisition of the dhcp parameters to resolve.
in my opinion, your two main problems were, having the right options in the right places, and using classes to differentiate the different classes. You were pretty close, just needed some minor tweaking.
After my last batch of changes everything *seemed* like it should work, and kinda did with the ARRIS 402's, but the MOTO's were still not cooperating even after the device and client reboots. Could get to the modem web interface, modems saw correct CPE MAC(S), but no traffic out of the modem or to the client relative to the outside IP world and no ack of any CPE behind the modem in the uBR -- until I actually power cycled the client for its reboot when switching modems/settings instead of just doing a "restart".
This is pretty common when a TCP/IP stack is effectively broken, it will work with one device but not others, usually running the winsockxp fix tool solves the problem, you can also do it manually with a cli tool built into windows called netsh but the winsockxp fix tool is way more convienent.
Was the first thing I read up on the other morning, which also sorta led me to the total power cycle reset of the client tcp/ip stack vs. just a soft "restart" as a possible solution. Great tip, though. And way more convenient than netsh as you mention. Another little trick in the ever growing bag. Thanks again for all your help.
Now back to those blasted filters for my modem configs and what I'm doing wrong there!
Poge
Can you ping 208.66.214.1 from the dhcp server?
> Can you ping 208.66.214.1 from the dhcp server?
Yep. And there are 40 or so modems on that subnet as well, but with static addresses.