
Test dhcp-option 82
Open, Low, Public, 0 Estimated Story Points

Description

Added the following to asw2-b-eqiad:

[edit vlan cloud-hosts1-b-eqiad]
+    forwarding-options {
+        dhcp-security {
+            option-82 {
+                remote-id {
+                    host-name;
+                }
+            }
+        }
+    }

Ran tcpdump on install1002 with: sudo tcpdump -s0 -w dhcp-82.pcap port 67

We can see the new option being added:

Option: (82) Agent Information Option
    Length: 60
    Option 82 Suboption: (1) Agent Circuit ID
        Length: 32
        Agent Circuit ID: 78652d342f302f33392e303a636c6f75642d686f73747331...
        (which translates to xe-4/0/39.0:cloud-hosts1-b-eqiad)
    Option 82 Suboption: (2) Agent Remote ID
        Length: 24
        Agent Remote ID: 617377322d622d65716961643a78652d342f302f33392e30
        (which translates to asw2-b-eqiad:xe-4/0/39.0)

Event Timeline

ayounsi closed this task as Resolved. Apr 18 2019, 4:12 PM
ayounsi triaged this task as Low priority.
ayounsi created this task.
Restricted Application added a project: SRE. Apr 18 2019, 4:12 PM
Restricted Application added a subscriber: Aklapper.
Volans reopened this task as Open. Wed, Feb 3, 3:32 PM
Volans claimed this task.

Re-opening as we're aiming to implement it this quarter.

Mentioned in SAL (#wikimedia-operations) [2021-02-03T15:32:42Z] <volans> disabling puppet on install1003 for a quick test for T221388

Mentioned in SAL (#wikimedia-operations) [2021-02-03T16:13:14Z] <volans> enabled puppet on install1003 after the test T221388

Volans added a comment. Wed, Feb 3, 4:16 PM

I tested the config with:

host sretest1001 {
    host-identifier option agent.circuit-id "ge-3/0/15.0:private1-d-eqiad";
    fixed-address sretest1001.eqiad.wmnet;
}

And it seemed to work as expected. I need to perform a more in-depth test, as I want to reimage sretest1001 with the same config so as to ensure that this works across the whole reimage process, but it looks promising.
Another bit to look at is the Junos side of the configuration.
The tested configuration was:

ayounsi@asw2-d-eqiad# show | compare 
[edit vlans private1-d-eqiad]
+    forwarding-options {
+        dhcp-security {
+            option-82 {
+                remote-id {
+                    host-name;
+                }
+            }
+        }
+    }

We can check if we could have the switch hostname as part of the injected data.

Volans added a comment (edited). Wed, Feb 3, 4:52 PM

Adding the circuit-id prefix host-name setting and removing the remote-id that we're not gonna use, the circuit ID includes the switch hostname too, becoming asw2-d-eqiad:ge-3/0/15.0:private1-d-eqiad. That should be enough to be able to set up the DHCP in a unique manner.

References used:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/example-setting-up-dhcp-option82-no-relay.html#id-setting-up-dhcp-option-82-on-the-switch-with-no-relay-els

http://www.miquels.cistron.nl/isc-dhcpd/

Volans added a comment. Wed, Feb 3, 6:18 PM

The config for the above test used:

circuit-id {
    prefix {
        host-name;
    }
}

Change 663233 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] dhcpd: create and include files for option 82

https://gerrit.wikimedia.org/r/663233

Change 663234 had a related patch set uploaded (by Volans; owner: Volans):
[operations/puppet@production] dhcpd: move sretest1002 to option 82

https://gerrit.wikimedia.org/r/663234

Change 663233 merged by Volans:
[operations/puppet@production] dhcpd: create and include files for option 82

https://gerrit.wikimedia.org/r/663233

Change 663234 merged by Volans:
[operations/puppet@production] dhcpd: move sretest1002 to option 82

https://gerrit.wikimedia.org/r/663234

With the above patches merged, and with:

root@install1003:/etc/dhcp# cat opt82-entries.ttyS1-115200
host sretest1002 {
    host-identifier option agent.circuit-id "asw2-d-eqiad:ge-6/0/5.0:private1-d-eqiad";
    fixed-address sretest1002.eqiad.wmnet;
}

The DHCP requests from sretest1002 seem to work fine. I'll shortly test a reimage as well.
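As an added example (not code from this task, nor from Wikimedia's Puppet or dhcpd tooling), the following Python decodes a DHCP option 82 value the way the switch inserts it in the capture from the task description, and resolves the circuit ID against host entries shaped like the sretest1002 stanza above, i.e. the exact-octet match dhcpd performs for `host-identifier option agent.circuit-id`. The sample bytes are constructed here from the circuit-id and remote-id strings in this task (they re-encode to the hex shown in the description); HOST_ENTRIES, the function names and the strict-parsing choices are the example's own assumptions.

```python
"""Decode DHCP option 82 (RFC 3046 Relay Agent Information) sub-options and
match the circuit ID against ISC-dhcpd-style host entries.

Added example for task T221388; not part of the task or of any Wikimedia
tooling. Host names and addresses below are taken from the task text as
sample data."""
from typing import Dict, Optional, Tuple

OPTION_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 "Agent Circuit ID"
SUBOPT_REMOTE_ID = 2    # RFC 3046 "Agent Remote ID"


def build_option82(circuit_id: str, remote_id: Optional[str] = None) -> bytes:
    """Build the on-wire option 82 TLV: code byte, length byte, sub-option TLVs."""
    payload = bytearray()
    for code, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if value is None:
            continue
        raw = value.encode("ascii")
        if len(raw) > 255:
            raise ValueError("sub-option %d too long" % code)
        payload += bytes([code, len(raw)]) + raw
    if len(payload) > 255:
        raise ValueError("option 82 payload too long")
    return bytes([OPTION_AGENT_INFO, len(payload)]) + bytes(payload)


def parse_option82(option: bytes) -> Dict[int, bytes]:
    """Parse an on-wire option 82 into {sub-option code: raw value}.

    Strict on purpose: a wrong option code, a length byte that disagrees with
    the data, a sub-option running past the end, or a duplicated sub-option
    raises ValueError, so a malformed value fails closed instead of yielding a
    partial circuit ID that might still match a host entry."""
    if len(option) < 2 or option[0] != OPTION_AGENT_INFO:
        raise ValueError("not a DHCP option 82 value")
    length = option[1]
    payload = option[2:]
    if len(payload) != length:
        raise ValueError("option 82 length %d does not match %d payload bytes"
                         % (length, len(payload)))
    subopts: Dict[int, bytes] = {}
    pos = 0
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated sub-option header at offset %d" % pos)
        code, sublen = payload[pos], payload[pos + 1]
        pos += 2
        if pos + sublen > length:
            raise ValueError("sub-option %d runs past end of option" % code)
        if code in subopts:
            raise ValueError("duplicate sub-option %d" % code)
        subopts[code] = payload[pos:pos + sublen]
        pos += sublen
    return subopts


def circuit_id_fields(subopts: Dict[int, bytes]) -> Tuple[str, ...]:
    """Split the circuit ID into its colon-separated parts.

    Without `circuit-id prefix host-name` Junos emits "<interface>:<vlan>";
    with it, "<switch>:<interface>:<vlan>" as in the sretest1002 entry."""
    return tuple(subopts[SUBOPT_CIRCUIT_ID].decode("ascii").split(":"))


# Sample entries in the shape of opt82-entries.ttyS1-115200 on install1003
# (the sretest1002 line is from the task), keyed by the exact circuit-id string.
HOST_ENTRIES = {
    "asw2-d-eqiad:ge-6/0/5.0:private1-d-eqiad": "sretest1002.eqiad.wmnet",
}


def lookup_fixed_address(option: bytes,
                         entries: Dict[str, str] = HOST_ENTRIES) -> Optional[str]:
    """Return the fixed-address whose circuit ID matches the request's option 82
    octet for octet, as dhcpd's host-identifier match does; None if no match."""
    subopts = parse_option82(option)
    raw = subopts.get(SUBOPT_CIRCUIT_ID)
    if raw is None:
        return None
    try:
        return entries.get(raw.decode("ascii"))
    except UnicodeDecodeError:
        return None


# Constructed from the capture in the task description: the same circuit-id and
# remote-id strings, which re-encode to the hex shown there (option length 60).
CAPTURE_EQIAD_B = build_option82("xe-4/0/39.0:cloud-hosts1-b-eqiad",
                                 "asw2-b-eqiad:xe-4/0/39.0")

if __name__ == "__main__":
    subopts = parse_option82(CAPTURE_EQIAD_B)
    print("circuit-id:", subopts[SUBOPT_CIRCUIT_ID].decode())
    print("remote-id :", subopts[SUBOPT_REMOTE_ID].decode())
    print("fields    :", circuit_id_fields(subopts))
    request = build_option82("asw2-d-eqiad:ge-6/0/5.0:private1-d-eqiad")
    print("sretest1002 ->", lookup_fixed_address(request))
```

The match is only as trustworthy as the switch that inserts the option: a client can put an option 82 of its own into its DISCOVER, so the access port must be untrusted under dhcp-security so that the switch overwrites or drops client-supplied option 82 before the packet reaches the DHCP server. The tcpdump from the description is the place to verify that, by checking that the circuit ID seen by the server is the one the switch built and not one the host sent.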

BBlack added a subscriber: BBlack. Thu, Feb 11, 1:40 PM

I'm probably not up to date on concrete plans built on top of this, but it seems like having the numeric vlan id might be useful metadata here in addition to the abstract name of the vlan (e.g. scenarios where we might do vlan trunking on the main interface of the host and need to see or match that primary-vlan number in some interface setup scripts?)

From the doc:

Specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default):

[edit vlans vlan-name forwarding-options dhcp-security option-82]
user@switch# set circuit-id use-vlan-id

So it seems possible.

> I'm probably not up to date on concrete plans built on top of this, but it seems like having the numeric vlan id might be useful metadata here in addition to the abstract name of the vlan (e.g. scenarios where we might do vlan trunking on the main interface of the host and need to see or match that primary-vlan number in some interface setup scripts?)

@BBlack The option on the Junos side allows picking either the name or the ID, not both. In terms of assured uniqueness we can surely use the ID if the name can be duplicated (I don't think that Netbox enforces it).