CentOS 7 DHCP Full configuration guide

ISC DHCP server is the de facto standard solution for enterprise-level networks. Although it has its drawbacks, it is easy to configure and highly customizable. Let's practice with almost every feature the service provides. In this CentOS 7 DHCP full configuration guide we will cover basic and more complicated setups, configure failover and dynamic DNS updates with PowerDNS, dig into troubleshooting and monitoring, and use some additional utilities. To do this, we will start with a basic DHCP setup and then extend it, making it more complicated. As usual, we will begin with a CentOS 7 minimal install, and the first thing we do is installation and initial setup.

CentOS 7 DHCP Full configuration guide – installation and basic setup

First, install the DHCP service in one simple step and configure the firewall to allow it to operate:

The basic purpose of the DHCP service is to provide IP-address leases to client devices. Next, we must set up some global parameters (lease time, for example) and subnet-specific parameters (such as gateway and DNS servers). The logic of a simple configuration looks like this:

Let's do some practice and write a simple working config with two global parameters defining lease time at the global level, one subnet with subnet-specific parameters (or options) like DNS servers, gateway and so on, and a range of IP addresses for lease. The full list of DHCP options can be found in the official documentation or with the man dhcp-options command:

After pasting this simple config, start and enable the service and look at its status:

CentOS 7 DHCP Full configuration guide – Host definition

The most specific configuration level is the Host level. Here you can define host-specific parameters such as the hardware address, so that the DHCP service can recognize that host (this will be very useful later on), or its name.

One of the most popular settings for the DHCP service is the reservation of an IP address for a specific MAC. You can define this at the Host level of configuration. It is reasonable to include the host definition in the subnet so that it gets the same options. Look at the example:

CentOS 7 DHCP Full configuration guide – Defining pools

But what if you have several pools for lease? This is where the pool level is used. It is also useful for security settings, and we will talk about such a case later in this guide. Again, in our example, we will define two different pools for lease:

CentOS 7 DHCP Full configuration guide – Adding more structure levels

We can have more than one subnet for lease in one physical network. In the Microsoft implementation of DHCP these are called superscopes, and in ISC DHCP they are called shared networks. A shared network is defined like this:

Finally, you can group shared networks, subnets and hosts into groups, which are very convenient logical containers. Of course, you can define options at the group level. This is how it looks:
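An added example, not the article's original listing, that nests every level described so far (global, group, shared network, subnet, pool and host) in one /etc/dhcp/dhcpd.conf. All names, MAC addresses and IP addresses are constructed for illustration.

```conf
# Added example: constructed names and addresses, not the article's listing.

# Global level: applies to everything unless overridden lower down.
default-lease-time 3600;        # seconds
max-lease-time 86400;

group {
    # Group level: options shared by all declarations inside the group.
    option domain-name-servers 192.168.10.2, 192.168.10.3;

    # Shared network: two subnets on one physical segment.
    shared-network office-lan {

        subnet 192.168.10.0 netmask 255.255.255.0 {
            # Subnet level: gateway and other subnet-specific options.
            option routers 192.168.10.1;
            option broadcast-address 192.168.10.255;

            # Pool level: two separate lease ranges in the same subnet.
            pool {
                range 192.168.10.50 192.168.10.99;
            }
            pool {
                max-lease-time 7200;    # overrides the global value
                range 192.168.10.100 192.168.10.199;
            }

            # Host level: reserve an address for one MAC. The fixed
            # address sits outside both ranges so it is never leased
            # dynamically to another client.
            host printer01 {
                hardware ethernet 02:00:00:aa:bb:01;
                fixed-address 192.168.10.20;
            }
        }

        subnet 192.168.20.0 netmask 255.255.255.0 {
            option routers 192.168.20.1;
            range 192.168.20.50 192.168.20.199;
        }
    }
}
```

Running dhcpd -t -cf /etc/dhcp/dhcpd.conf checks the file for syntax errors before the service is restarted.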

CentOS 7 DHCP Full configuration guide – Allow and Deny

It is possible to allow or deny clients to take an IP-address lease from a specific pool. The simplest way of doing this is with the known-clients and unknown-clients options. A known client is a client with a Host definition in the configuration, and this definition can be at any level. For our example, I will define a group of known clients with host definitions, and two pools, one for known and one for unknown clients. In the testing environment our pools will be in one subnet, but in production it's reasonable to give unknown clients IP addresses from a different subnet:
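An added example of the known/unknown split described above, not the article's original listing. Host names, MAC addresses and ranges are constructed.

```conf
# Added example: constructed names and addresses.

# Known clients: any client whose MAC has a host declaration.
group {
    host ws-alice { hardware ethernet 02:00:00:aa:bb:01; }
    host ws-bob   { hardware ethernet 02:00:00:aa:bb:02; }
}

subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.2;

    # Pool for known clients only. Once a pool has an allow list,
    # clients that do not match it get nothing from this pool.
    pool {
        allow known-clients;
        range 192.168.10.50 192.168.10.149;
    }

    # Pool for everything else: short leases, small range.
    pool {
        allow unknown-clients;
        default-lease-time 600;
        max-lease-time 1800;
        range 192.168.10.200 192.168.10.220;
    }
}

# Caveat: "known" is decided by the MAC address the client presents.
# A MAC is client-supplied, so this separates address pools but does
# not authenticate devices; enforce access on the network itself
# (VLANs, ACLs or 802.1X) for the unknown-clients range.
```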

CentOS 7 DHCP Full configuration guide – Classes

In a testing environment it is easy to give different clients different IP-address pools depending on their MAC, but in a production environment it will be time-consuming. Is there a way to give different address pools depending on the hardware type or vendor? This is where classes can help.

For example, we have ordinary computers and Cisco VoIP phones in our network. We are going to separate them by giving computers one dedicated IP-address pool and giving Cisco VoIP phones addresses from another pool. To put all Cisco VoIP phones in one class, we can use the vendor part of the MAC address. Here is one such MAC address: 58:3F:54:D4:07:58. The first three numbers are the same for the vendor, so our class identifier will be 58:3F:54. Then, there are two rules you must remember. First, this is Ethernet hardware, and this must be signified with “1” at the front, so our string will look like this: 1:58:3F:54. Second, if a part of the MAC begins with 0, drop the first zero; for example, 00:05:EF becomes 0:5:EF. Now, back to our config:
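One way to write the class described above, as an added example and not the article's original listing. The class name and address ranges are constructed; the vendor prefix 58:3F:54 is the one given in the text, written in lowercase on the assumption that binary-to-ascii emits lowercase hex.

```conf
# Added example: constructed class name and address ranges.

class "cisco-voip" {
    # "hardware" is one type byte (1 = Ethernet) followed by the MAC,
    # so its first four bytes are "type + vendor prefix".
    # binary-to-ascii prints each byte in base 16 without zero padding,
    # which is why 00:05:EF has to be written as 0:5:ef in this form.
    match if binary-to-ascii(16, 8, ":", substring(hardware, 0, 4))
             = "1:58:3f:54";

    # Equivalent test on the raw bytes, with no string conversion:
    #   match if substring(hardware, 1, 3) = 58:3f:54;
}

subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.2;

    # Phones: only members of the class may lease from this pool.
    pool {
        allow members of "cisco-voip";
        range 192.168.10.200 192.168.10.250;
    }

    # Computers: everyone except members of the class.
    pool {
        deny members of "cisco-voip";
        range 192.168.10.50 192.168.10.149;
    }
}

# Caveat: the vendor prefix is part of the client-supplied MAC, so any
# device can present it. Class matching sorts devices into pools; it
# is not an access control for the voice network.
```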

CentOS 7 DHCP Full configuration guide – Configuring Failover

Configuring failover is simple, yet there is one very tricky detail, the port definition, which is described later in this part of the article. I will not copy all the commands for installing and setting up the secondary server, because they are all the same. The config is the same too. But then the differences begin. When configuring failover, one server is primary and the other is secondary. So, in the /etc/dhcp/dhcpd.conf of the primary server you should add this definition to the Global parameters section:

The definition for the secondary server differs: there is no need to define mclt and split, so we will just comment out these lines:

And in the subnet definition, add this line to every pool defined: failover peer "dhcp-failover"; This must be done on both the primary and secondary servers, with no difference in settings.
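The three pieces described above (primary peer, secondary peer, pool statement), as an added example and not the article's original listing. Server addresses, ranges and timer values are constructed; the peer name and port 647 come from the text.

```conf
# Added example: constructed addresses and timer values.

# ---- Primary server: global section of /etc/dhcp/dhcpd.conf ----
failover peer "dhcp-failover" {
    primary;
    address 192.168.10.2;           # this server
    port 647;
    peer address 192.168.10.3;      # the secondary
    peer port 647;
    max-response-delay 30;
    max-unacked-updates 10;
    load balance max seconds 3;
    mclt 1800;                      # primary only
    split 128;                      # primary only: half the clients each
}

# ---- Secondary server: global section of /etc/dhcp/dhcpd.conf ----
failover peer "dhcp-failover" {
    secondary;
    address 192.168.10.3;           # this server
    port 647;
    peer address 192.168.10.2;      # the primary
    peer port 647;
    max-response-delay 30;
    max-unacked-updates 10;
    load balance max seconds 3;
    # mclt 1800;                    # not defined on the secondary
    # split 128;                    # not defined on the secondary
}

# ---- Both servers: identical subnet and pool definitions ----
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.2, 192.168.10.3;

    pool {
        failover peer "dhcp-failover";
        range 192.168.10.50 192.168.10.199;
    }
}

# The failover channel is not authenticated by these statements, so
# the firewall rule for the port should admit only the peer's address.
```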

The final thing is the firewall rules for the port defined in the config:

Now, if you check the log messages, you can see our cluster working without any problems:

Now for the tricky detail I mentioned earlier: the port. The dedicated port for DHCP failover is 647, so SELinux will allow it without any problems. However, if you want to use another port, you must add it to the SELinux policy configuration:

CentOS 7 DHCP Full configuration guide – detecting IP conflicts and finding leases

Sad to say, but DHCP does not have this function! But here is the solution. We need to install an additional package, arpwatch. It will produce logs of new IP-address leases and maintain a database of MAC-IP pairings. It can also e-mail reports when such a pairing is changed or added. Let's install it:

The main configuration file is located at /etc/sysconfig/arpwatch, but we don't need to edit it right now; it is used mostly for e-mail settings. Arpwatch produces logs like these:

There is no command to show DHCP leases either. But there is another way to view all IP leases: look at the /var/lib/dhcpd/dhcpd.leases file: