
Lab 4

Start Early

Structure

Network A

Name | OS | Role | IP
---|---|---|---
Flank | WServer2016 | DHCP Server, Relay | .2
Roger | W7 | DHCP Client | .12, reserved
Russet | CentOS | DHCP Client | dynamic

Network B

Name | OS | Role | IP
---|---|---|---
Yukon | CentOS | DHCP Server | .2
Gold | CentOS | DHCP Server Secondary | .200
sirloin | WServer2012 | DHCP Client | dynamic
Russet | CentOS | DHCP Client | .48, reserved

Activity 2

2.4

Save a copy of the dhcpd.conf file for report question 4. The instructions do not mention this.

Activity 3 - Capturing DORA

3.1 and 3.2 - DORA Capture

test | client | server | pcap
---|---|---|---
1 | WS2012 (sirloin) | WS2016 (Flank) | windowsunderwindows
2 | CentOS (Russet) | WS2016 (Flank) | linuxunderwindows
3 | WS2012 (sirloin) | CentOS (Yukon) | windowsunderlinux
4 | CentOS (Russet) | CentOS (Yukon) | linuxunderlinux

3.3 - Broadcast Flags

  1. Change registry keys on server and client
  2. release, start capture, renew, stop capture on Roger

Test | Client DhcpConnForceBroadcastFlag | Server IgnoreBroadcastFlag | pcap
---|---|---|---
4 | 1 - Broadcast | 0 | 3.3.1
3 | 1 | 1 | 3.3.2
2 | 0 - Unicast | 1 | 3.3.3
1 | 0 | 0 | 3.3.4

Activity 4 - release and renewal process

Recording bootp packets for 2 minutes to see the renewal process

4.1

Release and renew under windows DHCP server.

See table in 4.2 for packet captures

4.2

Release and renew under linux DHCP server.

Remember to clear arp on the server before renew

test | client | server | pcap
---|---|---|---
1 | W7 (Roger) | WServer (Flank) | windowsunderwindows
2 | CentOS (Russet) | WServer (Flank) | linuxunderwindows
3 | WS2012 (sirloin) | CentOS (Yukon) | windowsunderlinux
4 | CentOS (Russet) | CentOS (Yukon) | linuxunderlinux

4.3 - Lease information

dhclient.leases.txt from Russet
windows.leases.txt from B-Sirloin

Activity 5 - DHCP Relay

5.1 - linux dhcp relay

Step D

The command here is incorrect. Instead of:

cp /libsystemd/system/dhcrelay.service /etc/system/system

It should be:

cp /lib/systemd/system/dhcrelay.service /etc/systemd/system

Step E

The command here is incorrect. Instead of:

vim /etc/system/systemdhcrelay.service

It should be:

vim /etc/systemd/system/dhcrelay.service

Step g/h

pcap on Yukon, as linuxrelay

They don’t tell you until the end of 5.2, but you also need to dump dhclient.leases here to prove the ip came from the other server.

dhclient.leases.relay.txt on Russet

5.2 and 5.3 - windows dhcp relay

You need to set up the Windows relay for Activity 6, but otherwise don’t bother with captures here; the report doesn’t ask for them.

Activity 6 - DHCP Failover

The Beginning of the End

6.1 - Setup

My VM Structure

Network A

OS | DHCP Role | Name
---|---|---
Windows | RELAY | flank
Windows | Client | sirloin

Network B

OS | DHCP Role | Name
---|---|---
Linux | PRIMARY | Yukon
Linux | SECONDARY | Gold
Linux | Client | Russet

Configuration

Remember to change the IP addresses to match your bench.

PRIMARY

# dhcpd.conf

# option definitions common to all supported networks
option domain-name "networkA.com";
option domain-name-servers 8.8.8.8, 8.8.4.4;

# Configure Failover
# I named it alaskan to fit with the potato theme
failover peer "alaskan" {
	primary;						# This is the Primary server
	address 10.150.12.2;			# This server's IP
	port 321;						# The port we use to talk to Secondary
	peer address 10.150.12.200;		# SECONDARY's IP
	peer port 321;					# port Secondary uses to communicate with us
	max-response-delay 60;			# I'm not sure from here down
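	max-unacked-updates 10;			# binding updates that may be sent to the peer before an ack is required
	mclt 3600;						# Maximum Client Lead Time in seconds; primary only
	split 128;						# load-balancing split, 128 gives each server about half the clients; primary only
	load balance max seconds 3;		# once a client has been trying this long, either peer may answer it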
}

# How long do leases last for?
default-lease-time 120;
max-lease-time 120;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# NOTE - Copy paste all lines below here into SECONDARY where it says to.

# Network B subnet
subnet 10.150.12.0 netmask 255.255.255.0 {
	pool{
		failover peer "alaskan";
		# Note: remove "dynamic-bootp"
		range 10.150.12.40 10.150.12.42;
		range 10.150.12.46 10.150.12.60;
	}
	option broadcast-address 10.150.12.255;
	option routers 10.150.12.254;
}

# Network A subnet
subnet 10.150.11.0 netmask 255.255.255.0 {
	pool{
		failover peer "alaskan";
		range 10.150.11.80 10.150.11.90;
	}
	option broadcast-address 10.150.11.255;
	option routers 10.150.11.254;
}

# Reservation for 48
host Russet {
	hardware ethernet 00:0c:29:c7:60:58;
	fixed-address 10.150.12.48;
}

SECONDARY

# dhcpd.conf

# option definitions common to all supported networks...
option domain-name "networkB.com";
option domain-name-servers 8.8.8.8, 8.8.4.4;


# Secondary
failover peer "alaskan" {
	secondary;					# This is the backup
	address 10.150.12.200;
	port 321;
	peer address 10.150.12.2;
	peer port 321;
	max-response-delay 60;
	max-unacked-updates 10;
	load balance max seconds 3;
	# NOTE: There are lines in PRIMARY that aren't here.
	# They cannot be here. This is correct.
}

default-lease-time 120;
max-lease-time 120;

# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# NOTE
# Here, copy/paste the EXACT SAME subnet and host declarations as in PRIMARY.
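
The copy/paste rules in the two configs above can be checked mechanically. This is an added example, not part of the lab handout or the original notes: it checks that the peers' addresses and ports mirror each other, that `mclt` and `split` appear only in the primary, and that everything from the first `subnet` line down is identical. The function names, file names and the sample pair are assumptions.

```shell
#!/bin/sh
# Added example: cross-check the two dhcpd.conf files of a failover pair.
stmt() {    # stmt FILE NAME: first value of a "NAME value;" line
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;[:space:]]*\);.*/\1/p" "$1" | head -n 1
}

shared() {  # first "subnet" line to EOF, minus comments, blank lines and spacing
    sed -n '/^subnet /,$p' "$1" |
        sed -e 's/#.*//' -e 's/[[:space:]]\{1,\}/ /g' -e '/^ *$/d'
}

check_failover_pair() {   # check_failover_pair PRIMARY.conf SECONDARY.conf
    p=$1; s=$2; rc=0
    [ "$(stmt "$p" address)" = "$(stmt "$s" 'peer address')" ] ||
        { echo "primary address is not the secondary's peer address"; rc=1; }
    [ "$(stmt "$s" address)" = "$(stmt "$p" 'peer address')" ] ||
        { echo "secondary address is not the primary's peer address"; rc=1; }
    [ "$(stmt "$p" port)" = "$(stmt "$s" 'peer port')" ] ||
        { echo "primary port is not the secondary's peer port"; rc=1; }
    [ "$(stmt "$s" port)" = "$(stmt "$p" 'peer port')" ] ||
        { echo "secondary port is not the primary's peer port"; rc=1; }
    if grep -Eq '^[[:space:]]*(mclt|split)[[:space:]]' "$s"; then
        echo "mclt/split present in the secondary"; rc=1
    fi
    [ -n "$(shared "$p")" ] && [ "$(shared "$p")" = "$(shared "$s")" ] ||
        { echo "subnet/host declarations differ or are missing"; rc=1; }
    return $rc
}

# Constructed sample pair (page's addresses); the secondary is derived from the primary.
write_sample() {   # write_sample DIR
    cat > "$1/primary.conf" <<'EOF'
failover peer "alaskan" {
    primary;
    address 10.150.12.2;
    port 321;
    peer address 10.150.12.200;
    peer port 321;
    mclt 3600;
    split 128;
}
subnet 10.150.12.0 netmask 255.255.255.0 {
    pool { failover peer "alaskan"; range 10.150.12.40 10.150.12.42; }
}
EOF
    sed -e 's/primary;/secondary;/' -e '/mclt/d' -e '/split/d' \
        -e 's/12\.200;/12.TMP;/' -e 's/12\.2;/12.200;/' -e 's/12\.TMP;/12.2;/' \
        "$1/primary.conf" > "$1/secondary.conf"
}
```

Copy both servers' `dhcpd.conf` to one machine and run `check_failover_pair` on them; no output and exit status 0 mean the pair is consistent.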

Allowing the failover servers to communicate

Attempt 1 - Firewall Rules

firewall-cmd --zone=public --add-port=321/udp --permanent
firewall-cmd --zone=public --add-port=321/tcp --permanent

This allows traffic through the port, but the OS might not allow DHCPD to bind to the port. SELinux is the likely culprit.

Attempt 2 - Disable SELinux

This sets SELinux to permissive mode, which only logs things, no blocking.

setenforce 0

For me, this wasn’t enough.

Attempt 3 - Disable SELinux, for real this time.

tail -f /var/log/messages

The above command shows the system log in real time. SELinux, while permissive, was still denying DHCPD access to port 321.

vim /etc/selinux/config

and replace enforcing with disabled. Use :wq and then:

shutdown -r now

Refer to lab1 - secret commands to make CentOS less terrible to turn networking back on.

Remember to do this on both VMs.
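
An alternative to turning SELinux off is to give port 321 the port type that the dhcpd policy is allowed to bind. This is an added example, not from the original notes; it assumes the failover connection is TCP and that `semanage` is installed, and it uses a constructed `semanage port -l` listing so it runs offline.

```shell
#!/bin/sh
# Added example: check whether a TCP port carries the SELinux type that dhcpd
# may bind to (dhcpd_port_t), and print the semanage command if it does not.

# Constructed sample of `semanage port -l` output; on a real host use
#   LISTING=$(semanage port -l)
LISTING='dhcpc_port_t                   tcp      68, 546, 5546
dhcpd_port_t                   tcp      547, 548, 647, 847, 7911
dhcpd_port_t                   udp      67, 547, 548, 647, 847
reserved_port_t                tcp      1-511'

port_has_type() {   # port_has_type TYPE PROTO PORT   (listing on stdin)
    awk -v t="$1" -v p="$2" -v n="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                gsub(/,/, "", $i)                 # "647," -> "647"
                k = split($i, r, "-")             # "1-511" is a range
                lo = r[1] + 0; hi = (k > 1 ? r[2] : r[1]) + 0
                if (n + 0 >= lo && n + 0 <= hi) found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

label_cmd() {       # label_cmd PORT: prints the fix, or nothing if already labelled
    if printf '%s\n' "$LISTING" | port_has_type dhcpd_port_t tcp "$1"; then
        return 0
    fi
    echo "semanage port -a -t dhcpd_port_t -p tcp $1"
}

label_cmd 321    # the failover port used on this page
label_cmd 647    # already dhcpd_port_t in the sample listing
```

Run the printed command as root on both servers, then restart dhcpd with SELinux still enforcing. If your own listing already shows a port such as 647 under `dhcpd_port_t`, using that port for failover needs no policy change.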

6.2 - Capture… what? Oh, everything.

Neither the report nor the instructions say specifically what needs to be done.

Structure

Name | Meaning
---|---
PRIMARY | CentOS Primary dhcp server on network B
SECONDARY | CentOS Secondary dhcp server on network B
RELAY | windows server 2k16 dhcp relay agent on network A
WC | Windows client on network A
LC | Linux client on network B

Steps

The windows DHCP relay is configured to send to PRIMARY. Add a second destination, SECONDARY.

  1. Make sure PRIMARY, SECONDARY and RELAY are all working correctly.
  2. skip ‘The Loop’ - go right to 10a. (You’ll jump back to the loop from there.)

The Loop

If 10a hasn’t told you to ‘run the loop’ yet, goto 10a.

Report 10 a - Only Secondary

  1. Stop DHCPD on PRIMARY
  2. run the loop.

Report 10 b - Only Primary

  1. start DHCPD on PRIMARY
  2. stop DHCPD on SECONDARY
  3. run the loop

Report 10 c - Both running

  1. start DHCPD on SECONDARY
  2. run the loop

Clean-Up

  1. Extract all ipconfig captures to flash drive
  2. Extract all RELAY pcaps to flash drive
  3. Extract all dhcp.leases files to flash drive
  4. Extract all PRIMARY pcaps to flash drive
  5. Back up ALL VMs used.

Celebrating

  1. Congrats, you’re done with the lab!
  2. Good luck with the report.

Assorted bonus notes below this point

God help us

Lab

Event | Action | Time Spent | Running Total
---|---|---|---
Class Lab 1 | Got signoff 1 | 2 hours | 2 hours
Class Lab 2 | Not enough to get signoff 2 | 2 hours | 4 hours
Oct 16th | up to act6, TA MIA though. | 6 hours | 10 hours
Oct 18th | saving and restoring VMS killed DHCPD. Fixed that. | 2 hours | 12 hours
Oct 18th | Activity 6 | 2 hours | 14 hours

Having your caffeine wear off in the middle of a work session is just a bad time.

Lab Report

Haven’t started yet, I’m guessing this will take 4 to 6 hours.

Lab Setup Protocol