File: ward.html

package info (click to toggle)
lg-issue83 2-1
  • links: PTS
  • area: main
  • in suites: sarge
  • size: 1,464 kB
  • ctags: 165
  • sloc: perl: 113; sh: 78; ansic: 70; python: 64; makefile: 35; asm: 16; awk: 7
file content (264 lines) | stat: -rw-r--r-- 12,730 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
 
<!--startcut  ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Subnetting your local network with DHCP LG #83</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->

<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="tougher.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue83/ward.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="lg_backpage.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->

<!--endcut ============================================================-->

<TABLE BORDER><TR><TD WIDTH="200">
<A HREF="http://www.linuxgazette.com/">
<IMG ALT="LINUX GAZETTE" SRC="../gx/2002/lglogo_200x41.png" 
	WIDTH="200" HEIGHT="41" border="0"></A> 
<BR CLEAR="all">
<SMALL>...<I>making Linux just a little more fun!</I></SMALL>
</TD><TD WIDTH="380">


<center>
<BIG><BIG><STRONG><FONT COLOR="maroon">Subnetting your local network with DHCP</FONT></STRONG></BIG></BIG><BR>
<STRONG>By <A HREF="../authors/ward.html">Alan Ward</A></STRONG></BIG>

</TD></TR>
</TABLE>
<P>

<!-- END header -->




<p><b>Why subnet?</b></p>

<p>As hardware prices go down and local networks grow larger, a new size of 
local network is becoming common: the size in between the small office
(5-10 hosts) and the large corporate building-sized LAN (more than 50 hosts).</p>

<p>With less than 10 hosts, it is generally easy to manage the network: 
all hosts get on to the same Ethernet segment, and security -- if necessary -- 
is implemented at host level: passwords and such. With more than 50 
hosts, you can generally obtain funding for managed switches than can 
define virtual networks (VLANs). The Accounting Department will go on 
one VLAN, Production on another and so forth. Every host will have access 
to other hosts in its VLAN and to the company servers, but not across 
VLANs. Security is managed at both host and network levels.</p>

<p>On middlish-sized local networks however, we often must put all hosts
on the same segment once more. Recent cheap LAN switches are capable of
handling traffic between up to 50 hosts easily. However, switches with 
VLAN capability are much more expensive. Well-known brands are selling for 
upwards of US $1200 for a 24-port switch, which may be worth it -- but is 
completely out of many budgets. Mine for one.</p>

<p><b>DHCP and subnetworks</b></p>

<p>One of the local networks I administer in the school I work in 
is a long string of non-managed Ethernet switches. This is basically because 
of how the building was initially drawn up. On this, I must handle traffic 
from several different types of host; to simplify let's say I have 
teacher-level traffic (group A) and student-level traffic (group B). 
These must not mix: I do not want people from each group accessing the 
other group's files or 
printers (passwords tend to be weaker than I would like).</p>

<p>The simplest way to separate the groups at logical level is to give 
each group a different IP network address. For example, group A gets 
addresses on network 192.168.10.0 (e.g. 192.168.10.12), while group B 
get addresses on network 192.168.20.0 (e.g. 192.168.20.34). Servers 
that are present on both must have an address on each network.</p>

<p align=center><img src="misc/ward/map.jpg"><br>
<i>Our network topology</i></p>

<p>A DHCP server is a good way of doing this. This is the service you 
access when using a dial-up Internet connection: you connect to 
your ISP, who assigns you a temporary public IP address. Most Linux
distributions include a DHCP server, which can also be used on a 
local network.</p>

<p>Initially, you can give the DHCP server a range of IP addresses 
to distribute: for example 192.168.1.100 to 192.168.1.199. Any host
that starts up and asks for an address will get one of these. After the
host is switched back off, the address will be liberated and can be
re-used on another host if needed.</p>

<p>But Ethernet cards all carry a unique identification number, called 
a MAC address. This is a 12-digit hexadecimal number that is assigned 
by the manufacturer, and that is guaranteed to be different from any 
other Ethernet card, anywhere in the world. A DHCP server can be configured 
to use this MAC address to always assign the same IP address to the host.</p>

<p>Using this, we can make a list of the MAC addresses of the hosts in 
our group A, and make DHCP serve them fixed IP addresses on the 192.168.10.0 
subnet. The MAC addresses of hosts in group B are served addresses on 
the 192.168.20.0 subnet, and hosts that are not on either list (visitors' 
laptops, for example) get an address on subnet 192.168.1.0 .

<p>DHCP has an advantage over VLANs in this respect: VLANs are defined 
for physical network ports, while DHCP uses card addresses. With a VLAN, 
if you physically change your computer's network connection -- as in 
moving from one room to another -- you may also change its VLAN. With 
DHCP however, its subnet assignation will remain the same.</p>

<p><b>Setting up DHCP</b></p>

<p>On most Linux distributions, the DHCP server is called dhcpd, and 
is started with the standard scripts (the same as httpd, postfix, ...). 
It can be found in RPM form, as for example in <u>dhcp-3.0-3mdk.i386.rpm</u>. 
If you already have it installed on your system, try the dhcpd and 
dhcpd.conf man pages.</p>

<p>To begin, I used the webmin utility to set up a basic subnet DHCP 
service. Notice that this service has to be on network 192.168.0.0 
with netmask 255.255.0.0 . This is because it must be accessible 
from al subnets.</p>

<p align=center><img src="misc/ward/main.jpg"><br></p>

<p>I then set up each specific host, specifying it's name, hardware 
MAC address and the IP address I want to serve to it. Note the 
IP address, now on subnet 192.168.10.0 .</p>

<p align=center><img src="misc/ward/client.jpg"><br></p>

<p>To obtain the Ethernet MAC address, most cards have it printed 
on a label sticking to the card. It yours does not, you can skip this 
step for the moment. Finish setting up the DHCP service and fire up 
the hosts one by one. As each host obtains an IP address (on subnet 
192.168.1.0 for the time being), you will see it appear in file 
<u>/var/lib/dhcp/dhcpd.leases</u>. For example: </p>

<p><pre>
lease 192.168.1.198 { 
   hardware ethernet 00:00:b4:38:cf:6a;  
   client-hostname "bis";
}
</pre></p>

<p>Please note that <strong>only</strong> addresses obtained from 
the general subnet will appear here; not when you have given a 
host a fixed address.</p>

<p>Finish setting up the fixed addresses for hosts on the DHCP server.</p>

<p>Start or restart the DHCP server. Hosts should now be obtaining 
their assigned IP addresses. You can see this on a Linux host with 
the <u>ifconfig</u> utility. On a Windows box, you can use <u>winipcfg</u> 
under Win95/98/ME, or <u>ipconfig</u> (in a terminal window) under WinNT/2k.</p>

<p>But network masks should now still be the default 255.255.0.0 . This is 
not good, as hosts on subnets 192.168.10.0 and 192.168.20.0 can see each 
others (try a ping). We should now go to each host definition for dhcpd, 
and in the "edit client options" set its subnet mask as 255.255.255.0 and 
its default router to 192.168.X.1 for subnet 192.168.X.0 . For example, 
on subnet 192.168.10.0:</p>

<p align=center><img src="misc/ward/client1.jpg"><br></p>

<p>Remember to also set the network mask to 255.255.255.0 for the 
general 192.168.0.0 subnet client options.

<p>You can edit the <u>/etc/dhcpd.conf</u> file by hand. It may even 
be more clear than the webmin interface. This is what you could have:</p>

<p><pre>
#
# main subnet, accessed by default by hosts we do not know
#
subnet 192.168.0.0 netmask 255.255.0.0 {
	option subnet-mask 255.255.255.0;
	option routers 192.168.1.1;
	range 192.168.1.101 192.168.1.199;
	}

# 
# host definition, one for each known host on our LAN
#
host bis {
	option subnet-mask 255.255.255.0;
	option routers 192.168.10.1;
	hardware ethernet 00:00:b4:38:cf:6a;    # 12-digit hex MAC address
	fixed-address 192.168.10.34;
	}

</pre></p>

<p><b>Making the server accessible</b></p>

<p>In the above example, we made 192.168.X.1 the default router for each 
subnet 192.168.X.0 . But for the time being, our server has IP address 
192.168.1.1 -- which means that:<br>

<ul><li>hosts on subnet 192.168.10.0 will try to 
obtain an IP address</li>
<li>they will obtain such an address from server 192.168.1.1</li>
<li>this address will be on subnet 192.168.10.0, netmask 255.255.255.0</li>
<li>they are now unable to contact server 192.168.1.1 <strong>which is 
on another subnet!!!</strong></li>
</ul></p>

<p>This is why our server must have an extra IP address for each 
subnet: 192.168.10.1, 192.168.20.1, etc. This can easily be set up 
by creating virtual network cards eth0:1, eth0:2, etc. with webmin:</p>

<p align=center><img src="misc/ward/virtual.jpg"><br></p>

<p>You can also create this by hand. On a Mandrake or Red Hat distribution, 
the files are in <u>/etc/sysconfig/network-scripts</u>. You 
should already have a file called <u>ifcfg-eth0</u>. Copy this as 
<u>ifcfg-eth0:1</u>, <u>ifcfg-eth0:2</u>, ... changing the addresses 
and netmasks as appropriate. For example, for eth0:1 :</p>

<p><pre>
BROADCAST=192.168.10.0
DEVICE=eth0:1
NETMASK=255.255.255.0
IPADDR=192.168.10.1
NETWORK=192.168.10.0
ONBOOT=yes
BOOTPROTO=none
</pre></p>

<p>This is basically all you need. You may now have to enable routing on the 
server, for example if you 
are using it to access Internet. But be careful to disable routing between 
local subnets; 192.168.X.0 should not be able to see 192.168.Y.0 . Use 
a firewalling package such as iptables to block this. You can also use 
this to block or allow Internet access from any or all subnets if you wish.</p>

<hr>

<p>PS. Should anybody want to translate this article: I wrote it in
the spirit of  the GPL software licence. i.e. you are free (and 
indeed encouraged) to copy, post and translate it -- but please, 
PLEASE, send me notice by email!  I like to keep track of translations --
it's good for the curriculum :-)</p>


<!-- *** BEGIN copyright *** -->
<hr>
<CENTER><SMALL><STRONG>

Copyright &copy; 2002, Alan Ward.
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR> 
Published in Issue 83 of <i>Linux Gazette</i>, October 2002</H5>
</STRONG></SMALL></CENTER>
<!-- *** END copyright *** -->
<HR>

<!--startcut ==========================================================-->
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="tougher.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue83/ward.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A><A HREF="../lg_faq.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="lg_backpage.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom"  ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->