Send dhcp-users mailing list submissions to
        dhcp-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/dhcp-users
or, via email, send a message with subject or body 'help' to
        dhcp-users-requ...@lists.isc.org

You can reach the person managing the list at
        dhcp-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dhcp-users digest..."


Today's Topics:

   1. help me explain  (Cuttler, Brian R (HEALTH))
   2. Re: help me explain  (Simon Hobson)
   3. Re: help me explain (Cuttler, Brian R (HEALTH))
   4. Re: help me explain  (Simon Hobson)
   5. RE: help me explain  (Cuttler, Brian R (HEALTH))


----------------------------------------------------------------------

Message: 1
Date: Mon, 17 Oct 2016 15:54:44 +0000
From: "Cuttler, Brian R (HEALTH)" <brian.cutt...@health.ny.gov>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Cc: "Muller, Daniel V (HEALTH)" <daniel.mul...@health.ny.gov>
Subject: help me explain 
Message-ID: <by1pr09mb060001cb42cb08753b9b9513ba...@by1pr09mb0600.namprd09.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"

Please help me to explain to another admin at my site, or tell me that I'm 
wrong and what I need to do in this case.

We are in the process of restructuring our network in one of our buildings. There 
are good aspects of this, better redundancy, dual paths from each switch to the 
primary router on site, etc., and there are parts of this that are not strictly 
necessary and will in some ways make more work.

We are dividing the 6-floor building, currently a single /21 network, into a new /24 
on each floor, and we are for the first time in this building enabling DDNS. (Yes, 
we have a net of two /24 networks free when we are done.)

The positives are that the printers will now provide an identifier (a string 
matching their inventory tag) to DHCP and then to DNS, and we will be able to 
create DNS short names pointing to their FQDN, so we don't need to remap 
anything from either the print servers or directly mapped printers - well, for 
printers mapped by ID rather than IP.

I know from when we did something similar at the first building, which uses 
a /22 network for the entire building (regardless of floor), that I can use a 
single subnet name and can have one named Forward table but needed 4 Reverse 
tables. No problem there. (Is there a better/easier way?)

The issue in question is that, while it is only a /24 on each floor and I can 
use one Forward and one Reverse table, the FQDN (I believe) needs to be unique by 
floor. I.e. if a printer moves I don't need to lock it down and never need to enter 
it in DHCP, but I do need to change its CNAME to point to the new FQDN, since each 
floor requires a different subnet name.

Am I correct in my understanding, or is there a way to maintain unique address 
ranges by floor but use a single subnet name for the entire building?

Many thanks,
Brian



------------------------------

Message: 2
Date: Mon, 17 Oct 2016 19:31:53 +0100
From: Simon Hobson <dh...@thehobsons.co.uk>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: help me explain 
Message-ID: <b3103a07-dcc8-4685-bd24-7536d8fcf...@thehobsons.co.uk>
Content-Type: text/plain; charset=us-ascii


On 17 Oct 2016, at 16:54, "Cuttler, Brian R (HEALTH)" 
<brian.cutt...@health.ny.gov> wrote:

> We are in the process of restructuring our network in one of our buildings. There 
> are good aspects of this, better redundancy, dual paths from each switch to 
> the primary router on site, etc., and there are parts of this that are not 
> strictly necessary and will in some ways make more work.

It's always "work", but if you do it right it's usually worth it eventually.

> We are dividing the 6-floor building, currently a single /21 network, into a new 
> /24 on each floor, and we are for the first time in this building enabling DDNS. 
> (Yes, we have a net of two /24 networks free when we are done.)
> 
> The positives are that the printers will now provide an identifier (a string 
> matching their inventory tag) to DHCP and then to DNS, and we will be able to 
> create DNS short names pointing to their FQDN, so we don't need to remap 
> anything from either the print servers or directly mapped printers - well, 
> for printers mapped by ID rather than IP.
> 
> I know from when we did something similar at the first building, which uses 
> a /22 network for the entire building (regardless of floor), that I can 
> use a single subnet name and can have one named Forward table but needed 4 
> Reverse tables. No problem there. (Is there a better/easier way?)

Yes, that's correct.
All the DHCP subnets can share a single forward DNS zone. If they were smaller 
than /24 subnets then you'd also find that some of them would be sharing a 
reverse DNS zone as well. The only reason you need separate DNS reverse zones 
is that you can only split the URL at a "dot" - so for example if you were 
using 172.16.0.0/21, you'd have to use 0.16.172.in-addr.arpa, 
1.16.172.in-addr.arpa, and so on.

You don't need to specify the reverse zone within the subnet declarations in 
DHCP - the server will figure that out automagically, as in a client with IP 
address 172.16.1.57 would automatically trigger a reverse pointer update for 
57.1.16.172.in-addr.arpa, and if your DNS is correctly set up then the DHCP 
server will automagically figure out the zone to update.
The main reason for specifying DDNS zones in DHCP is to assign an update key 
for secured updates.

> The issue in question is that, while it is only a /24 on each floor and I can 
> use one Forward and one Reverse table, the FQDN (I believe) needs to be unique by 
> floor. I.e. if a printer moves I don't need to lock it down and never need to 
> enter it in DHCP, but I do need to change its CNAME to point to the new FQDN, 
> since each floor requires a different subnet name.

You don't have to use different forward zones per floor - they can all use 
(say) "magabuildingone.mycompany.com" and moving a device around will not 
change its DNS name. Or, you can choose to use different names, e.g. 
floor1.magabuildingone.mycompany.com, floor2.magabuildingone.mycompany.com, and 
so on. Some people go further and have different DNS names for different 
departments (even if they are on the same subnet), e.g. 
accounts.magabuildingone.mycompany.com, sales.magabuildingone.mycompany.com, 
...
That's really a management decision, though the technical issues may be part of 
the input to that choice.



------------------------------

Message: 3
Date: Mon, 17 Oct 2016 19:21:49 +0000
From: "Cuttler, Brian R (HEALTH)" <brian.cutt...@health.ny.gov>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: help me explain
Message-ID: <c717ab3a-f32b-4f21-bead-cc86f2384...@health.ny.gov>
Content-Type: text/plain; charset="utf-8"



Simon, Bruce,

When I was setting up the /24 by floor I'd specified the dynamic range from 
30-224 so that I could use the lower numbers as fixed addresses for network 
infrastructure and the upper addresses for anything that wasn't amenable to 
dynamic addressing: old HW, devices I really needed to lock down in DHCP.

So my DHCP config looks like this - with one such stanza per building floor.

I am not certain how to implement this addressing structure with a single 
domain name. I would simply use the building name and drop the vlan id, so 
"dai.wadsworth.org", and maintain the addressing the way we wanted to.

Moving forward we are routing the vlan per floor to the specific floor only. 
These are truly separate networks.

Do we simply put the 6 subnet statements inside of a GROUP statement and move 
the ddns-domainname and ddns-rev-domainname statements into the outer structure?

# Subnet Declaration default_vlan for DAI 6th floor, Vlan 126 10.57.46.0/24
subnet 10.57.46.0 netmask 255.255.255.0 {
    authoritative;
    option routers 10.57.46.1;
    # DDNS: register fixed-address hosts too, and never skip an update
    update-static-leases on;
    update-optimization off;
    # forward zone carries the VLAN id; reverse zone is the default in-addr.arpa
    ddns-domainname = "dai126.wadsworth.org";
    ddns-rev-domainname "in-addr.arpa.";
    option domain-name-servers admin.wadsworth.org, bionsc.wadsworth.org,
                               ldap1.wadsworth.org, 10.50.156.21;
    pool {
        # .1-.29 and .226-.254 are kept for fixed/static assignments
        range 10.57.46.30 10.57.46.225;
        allow unknown-clients;
        allow known-clients;
        option domain-name-servers admin.wadsworth.org, bionsc.wadsworth.org,
                                   ldap1.wadsworth.org, 10.50.156.21;
    }
}

Thank you,
Brian


    
    > -----Original Message-----
    > From: dhcp-users [mailto:dhcp-users-boun...@lists.isc.org] On Behalf Of
    > Simon Hobson
    > Sent: Monday, October 17, 2016 2:32 PM
    > To: Users of ISC DHCP <dhcp-users@lists.isc.org>
    > Subject: Re: help me explain
    > 
    > ATTENTION: This email came from an external source. Do not open
    > attachments or click on links from unknown senders or unexpected emails.
    > 
    > 
    > On 17 Oct 2016, at 16:54, "Cuttler, Brian R (HEALTH)"
    > <brian.cutt...@health.ny.gov> wrote:
    > 
    > > We are in process of restructuring our network in one of our buildings.
    > There are good aspects of this, better redundancy, dual paths from each
    > switch to the primary router on site, etc, and there are parts of this
    > that are not strictly necessary and will in some ways make more work.
    > 
    > It's always "work", but if you do it right it's usually worth it
    > eventually.
    > 
    > > We are dividing the 6 floor building from a /21 network and creating a
    > > new /24 on each floor, we are for the first time in this building
    > > enabling DDNS. (yes, we have a net of two /24 networks free when we
    > > are done)
    > >
    > > The positives are that the printers will now provide an identifier
    > (string matching their inventory tag) to DHCP then to DNS, and we will be
    > able to create DNS short names pointing to their FQDN, so we don't need to
    > remap anything from either the print servers or directly mapped printers -
    > well, for printers mapped by ID rather than IP.
    > >
    > > I know from when we did something similar at the first building which is
    > using a /22 network for the entire building (regardless of floor) that I
    > can use a single subnet name, and can have one named Forward table but
    > needed 4 Reverse tables. No problem there. (Is there a better/easier way)?
    > 
    > Yes, that's correct.
    > All the DHCP subnets can share a single forward DNS zone. If they were
    > smaller than /24 subnets then you'd also find that some of them would be
    > sharing reverse DNS zone as well. The only reason you need separate DNS
    > reverse zones is that you can only split the URL at a "dot" - so for
    > example if you were using 172.16.0.0/21, you'd have to use 0.16.172.in-
    > addr.arpa, 1.16.172.in-addr.arpa, and so on.
    > 
    > You don't need to specify the reverse zone within the subnet declarations
    > in DHCP - the server will figure that out automgically, as in a client
    > with IP address 172.16.1.57 would automatically trigger a reverse pointer
    > update for 57.1.16.172.in-addr.arpa and if your DNS is correctly setup
    > then the DHCP server will automagically figure out the zone to update.
    > The main reason for specifying DDNS zones in DHCP is to assign an update
    > key for secured updates.
    > 
    > > The issue in question is that while it is only a /24 on each floor and I
    > can use one Forward and one Reverse table FQDN (I believe) needs to be
    > unique by floor. IE if a printer moves I don't need to lock it down, never
    > need to enter it in DHCP, but do need to change its CNAME to point to the
    > new FQDN since each floor requires a different subnet name.
    > 
    > You don't have to use different forward zones per floor - they can all use
    > (say) "magabuildingone.mycompany.com" and moving a device around will not
    > change it's DNS name. Or, you can choose to use different names, eg
    > floor1.magabuildingone.mycompany.com,
    > floor2.magabuildingone.mycompany.com, and so on. Some people go further
    > and have different DNS names for different departments (even if they are
    > on the same subnet (eg accounts.magabuildingone.mycompany.com,
    > sales.magabuildingone.mycompany.com, ...) That's really a management
    > decision, though the technical issues may be part of the input to that
    > choice.
    > 
    > _______________________________________________
    > dhcp-users mailing list
    > dhcp-users@lists.isc.org
    > https://lists.isc.org/mailman/listinfo/dhcp-users
    


------------------------------

Message: 4
Date: Mon, 17 Oct 2016 21:13:35 +0100
From: Simon Hobson <dh...@thehobsons.co.uk>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: help me explain 
Message-ID: <38937631-dceb-4ec6-a2e1-60077a6b2...@thehobsons.co.uk>
Content-Type: text/plain; charset=windows-1252

"Cuttler, Brian R (HEALTH)" <brian.cutt...@health.ny.gov> wrote:

> So my DHCP config looks like this ? with one such stanza per building floor.
> 
> I am not certain how to implement this addressing structure with a single 
> domain name

The domain name is irrelevant - it does NOT affect your addressing structure.

> Do we simply put the 6 subnet statements inside of a GROUP statement and move 
> the ddns-domainname and ddns-rev-domainname statements into the outer 
> structure?

That's one way to do it, or you can just use the same domain name statement in 
each one. You can omit ddns-rev-domainname as it works out of the box with 
defaults - you only need to specify it if doing things like bodging around 
doing dynamic DNS on a reverse zone that's not on a /24 boundary.


subnet 10.57.46.0 netmask 255.255.255.0 {
     ddns-domainname = "dai.wadsworth.org";
...
}

subnet 10.57.47.0 netmask 255.255.255.0 {
     ddns-domainname = "dai.wadsworth.org";
...
}

subnet 10.57.48.0 netmask 255.255.255.0 {
     ddns-domainname = "dai.wadsworth.org";
...
}

and so on

It really is that simple!


BTW - you have a few redundancies in your config:

      option domain-name-servers admin.wadsworth.org, bionsc.wadsworth.org, 
ldap1.wadsworth.org, 10.50.156.21;
       pool {
             range 10.57.46.30  10.57.46.225;
             allow unknown-clients;
             allow known-clients;
             option domain-name-servers admin.wadsworth.org, 
bionsc.wadsworth.org, ldap1.wadsworth.org, 10.50.156.21;

You've duplicated domain-name-servers and your allow statements (unless you 
have something at a higher inheritance level to override) simply implement the 
defaults.
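
A fuller version of the layout Simon describes in this message and in his earlier
reply (one forward zone for the building, one reverse zone per /24, zones declared
in dhcpd only to attach an update key), as an added example that is not the
configuration from this thread or ISC's documentation. Assumptions: the key name
dai-ddns-key and its placeholder secret, that 10.50.156.21 (one of the listed
resolvers) is the primary that accepts the updates, the "deny client-updates"
hardening choice, and the 10.57.47.0/24 and 10.57.48.0/24 floors, which are
taken from Simon's sketch above.

```conf
# Added example dhcpd.conf, not the thread's own config.  The key secret is
# a placeholder: generate a real one with  tsig-keygen dai-ddns-key  and keep
# this file readable only by the user dhcpd runs as.
ddns-update-style interim;
ddns-updates on;
update-static-leases on;
update-optimization off;
# Hardening choice (assumption, not from the thread): never let a client
# perform its own forward (A record) update; dhcpd does all DDNS writes.
deny client-updates;
authoritative;

# TSIG key shared with the authoritative name server.  This is the real reason
# to declare zones in dhcpd at all: without a key, the zone has to accept
# unsigned updates from the DHCP server's address, and anything that can
# spoof that address can rewrite A and PTR records.
key dai-ddns-key {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";
}

# One forward zone for the whole building, whatever floor a device is on.
zone dai.wadsworth.org. {
    primary 10.50.156.21;          # assumed primary for dynamic updates
    key dai-ddns-key;
}

# Reverse zones: one per /24, because in-addr.arpa can only be cut at a dot.
# 10.57.46.0/24 -> 46.57.10.in-addr.arpa, 10.57.47.0/24 -> 47.57.10..., etc.
# No ddns-rev-domainname is needed; dhcpd derives the PTR name itself.
zone 46.57.10.in-addr.arpa. { primary 10.50.156.21; key dai-ddns-key; }
zone 47.57.10.in-addr.arpa. { primary 10.50.156.21; key dai-ddns-key; }
zone 48.57.10.in-addr.arpa. { primary 10.50.156.21; key dai-ddns-key; }
# ... one zone statement per remaining floor /24

# Everything the floors share lives in one group.  ddns-domainname is
# inherited by every subnet inside it, so a printer that moves floors gets a
# new address and new PTR but keeps the same FQDN (and its CNAME still works).
group {
    ddns-domainname "dai.wadsworth.org";
    option domain-name "dai.wadsworth.org";
    option domain-name-servers admin.wadsworth.org, bionsc.wadsworth.org,
                               ldap1.wadsworth.org, 10.50.156.21;

    # 6th floor, VLAN 126 (from the post).  .1-.29 and .226-.254 stay
    # outside the pool for infrastructure and fixed-address hosts.
    subnet 10.57.46.0 netmask 255.255.255.0 {
        option routers 10.57.46.1;
        range 10.57.46.30 10.57.46.225;
    }
    subnet 10.57.47.0 netmask 255.255.255.0 {
        option routers 10.57.47.1;
        range 10.57.47.30 10.57.47.225;
    }
    subnet 10.57.48.0 netmask 255.255.255.0 {
        option routers 10.57.48.1;
        range 10.57.48.30 10.57.48.225;
    }
    # ... three more /24s, one per floor, same pattern
}
```

On the name-server side each of these zones must accept updates only from that
key (in BIND, `allow-update { key dai-ddns-key; };` in the zone statement, or an
equivalent update-policy), otherwise the key buys nothing. Check the file with
`dhcpd -t -cf /etc/dhcp/dhcpd.conf` before restarting, and watch the dhcpd log
for "Unable to add forward map" or "Unable to add reverse map" lines, which is
how a key or zone mismatch shows up.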



------------------------------

Message: 5
Date: Mon, 17 Oct 2016 20:20:53 +0000
From: "Cuttler, Brian R (HEALTH)" <brian.cutt...@health.ny.gov>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: RE: help me explain 
Message-ID: <by1pr09mb0600ef7d9c2c72627166bce1ba...@by1pr09mb0600.namprd09.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"

Simon,

Thank you, I will put these changes into the config, immediately.

Thank you very much,
Brian




------------------------------

Subject: Digest Footer

_______________________________________________
dhcp-users mailing list
dhcp-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users

------------------------------

End of dhcp-users Digest, Vol 96, Issue 20
******************************************
