Don't kill dhcp client (don't force renew of IP), since again it will NOT work if you repeat that a few times - a VM will broadcast dhcp discover messages, all DHCP server will receive it and all DHCP servers will offer a lease/ip to your VMs - the one DHCP server to be "quicker" to send its dhcp offer, will "win" and VM will get its IP... you have "race condition" in any network with more than 1 DHCP server... It's a "wrong" setup effectively.
Cheers On Tue, Jul 9, 2019, 22:47 Andrija Panic <andrija.pa...@gmail.com> wrote: > Jesse, > > You can experiment with firewall rules/SG, but in general you should not > have more than 1 DHCP server in a single network. I assume your VMs would > be assigned one part of the net/subnet, while your external DHCP server > should be serving your non-ACS infra - i.e. if your acs network for VMs is > 192.168.1.1-128, while 192.168.1.129-254(non-ACS infra) should be served by > your external DHCP, then I would think of blocking dhcp ports (dhcp > discover) from whole 192.168.1.1-128 network on your external DHCP server - > i.e. this way your external DHCP SERVER would be "deaf" to all dhcp > discover messages sent from ACS VMs to itself and thus would not issue > leases to ACS VMs. > > Hope that makes sense. > > Best > Andrija > > On Tue, Jul 9, 2019, 21:16 <jesse.wat...@gmail.com> wrote: > >> My vm was assigned an ip from our endpoint DHCP server, not from VR. Do I >> need to add firewall rule(s) to force DHCP request to VR? I probably >> missed >> a part of setup w/KVM hosts and or within management when I defined the >> zone/pod/... >> >> This seems to be correct, VR is running on a different host then the vm. >> >> Chain i-2-11-VM-eg (1 references) >> pkts bytes target prot opt in out source >> destination >> 0 0 RETURN all -- * * 0.0.0.0/0 >> 0.0.0.0/0 >> >> Chain i-2-11-def (2 references) >> pkts bytes target prot opt in out source >> destination >> 0 0 ACCEPT all -- * * 0.0.0.0/0 >> 0.0.0.0/0 state RELATED,ESTABLISHED >> 0 0 ACCEPT udp -- * * 0.0.0.0/0 >> 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 >> --physdev-is-bridged >> udp spt:68 dpt:67 >> 0 0 ACCEPT udp -- * * 0.0.0.0/0 >> 0.0.0.0/0 PHYSDEV match --physdev-out vnet0 >> --physdev-is-bridged >> udp spt:67 dpt:68 >> 0 0 DROP all -- * * 0.0.0.0/0 >> 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 >> --physdev-is-bridged >> ! match-set i-2-11-VM src >> 0 0 RETURN udp -- * * 0.0.0.0/0 >> 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 >> --physdev-is-bridged >> match-set i-2-11-VM src udp dpt:53 >> 0 0 RETURN tcp -- * * 0.0.0.0/0 >> 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 >> --physdev-is-bridged >> match-set i-2-11-VM src tcp dpt:53 >> 0 0 i-2-11-VM-eg all -- * * 0.0.0.0/0 >> 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 >> --physdev-is-bridged >> match-set i-2-11-VM src >> 15 1963 i-2-11-VM all -- * * 0.0.0.0/0 >> 0.0.0.0/0 PHYSDEV match --physdev-out vnet0 >> --physdev-is-bridged >> >> >> >> Thanks for quick response Andrija! >> >> - Jesse >> >> >> >> >> On Tue, Jul 9, 2019 at 10:39 AM Andrija Panic <andrija.pa...@gmail.com> >> wrote: >> >> > ACS will only offer DHCP leases to its VMs, via DHCP reservation.. If >> you >> > have another DHCP server in your area, than it might be quicker to >> offer a >> > lease to a VM. You have to either remove your non-ACS DHCP server >> > completely, OR make sure it uses reservation for non-ACS servers/hosts >> i.e. >> > NOT let it issue leases freely to anyone who asks for it. Pure DHCP >> > "problem" - i.e. nothing to do with ACS specifically. >> > >> > Best, >> > Andrija >> > >> > On Tue, Jul 9, 2019, 20:27 <jesse.wat...@gmail.com> wrote: >> > >> > > Have a DHCP issue where vm pulls from ACS proxy properly sometimes and >> > > other when it pulls from our normal dhcp server for end-points. >> > > >> > > Network layout is flat, and I ACS is using basic network with security >> > > groups. IP range for acs is within range of our normal network so vms >> > and >> > > endpoints will flow without additional hardware. How do I ensure dhcp >> > > requests are served by router vm and not our normal dhcp server? >> > > >> > > TIA, >> > > Jesse >> > > >> > >> >
