DHCP multiple shared networks vs multiple subnets, global-params vs shared-network-params vs subnet-params

Hello,

I’ve been using VyOS since it was Vyatta, so I’m very familiar with it, but there are always things to learn, and I’m hoping someone can fill me in on a couple topics related to the DHCP server.

My first question is regarding having multiple shared-network-names, each with one subnet, vs having a single shared-network-name that contains multiple subnets. What are the differences between these two approaches? Why would you choose one over the other? Are there things you can do with one that you can’t do with another? Etc.

My second question is regarding global-parameters vs shared-network-parameters vs subnet-parameters. I gather that these are all raw parameters in the format you would place them in dhcpd.conf, but I’m trying to understand the difference between them (other than just their progressively-smaller scopes, which I understand). As an example, let’s consider DHCPD DynamicDNS updates. I’ve gathered from some Google searching that I can enable this in VyOS with something like this (I have not tried this yet, because I want to better understand these scopes and their raw options before I do):

global-parameters 'ddns-update-style standard;'
global-parameters 'ddns-rev-domainname "in-addr.arpa.";'
global-parameters 'deny client-updates;'
global-parameters 'do-forward-updates on;'
global-parameters 'update-optimization off;'
global-parameters 'update-conflict-detection off;'
global-parameters 'key "pdns-key" { algorithm hmac-sha256; secret "passcode"; };'
global-parameters 'zone example.org. { primary 11.22.33.44; key pdns-key; }'
global-parameters 'zone 1.168.192.in-addr.arpa. { primary 11.22.33.44; key pdns-key; }'

(See StackExchange and UniFi Forums for where I learned to put these together.)

So, to continue this example, if I didn’t want all subnets across all shared networks to do DynamicDNS updates, could I instead put all of these same parameters in shared-network-params? What about subnet-params? How does all of this relate to what actually goes into the dhcpd.conf file?

Thanks in advance for helping me understand this better, to reduce my chances of breaking something.

Nick

After lots of reading, including reading the DHCPD (ISC DHCP) documentation, I’ve at least figured out why you would use one/multiple shared network names vs one/multiple subnets. It’s about physical vs virtual networks and authoritative: disable vs authoritative: enable. Since DHCP traffic occurs without IP addresses, it’s important to differentiate the physical network from VLANs to avoid DHCP traffic conflicts. If you have 5 distinct physical networks (ports) with different subnets and no VLANs, you need 5 shared network names (1 for each port), each with one subnet, and each shared network can be authoritative: enable. But if you have 1 physical network (1 port, or multiple ports bonded as a single port using LACP) and 5 VLANs, you need 1 shared network name (for the 1 port) with 5 subnets in order to use authoritative: enable. You can use 5 shared network names with 1 subnet each, but you’ll have to set authoritative: disable, or else the DHCP traffic will interfere. This is a potential vulnerability, because then rogue DHCP servers could operate on your network.

As far as I can tell, each shared-network-name is basically a distinct DHCP server (whether running in the same or different processes I can’t tell) “listening” on a distinct interface. As such, any option valid in global-parameters should also be valid in shared-network-parameters. But what isn’t clear to me from the dhcpd.conf documentation is whether these options are also valid in subnet-parameters. In fact, I can’t even find a comprehensive, option-by-option documentation that explains where each option is valid in the file. So I guess I’ll just have to experiment, unless someone here can offer some guidance.

Ignore all of that. Ugh. I completely misunderstood one document and found another document that I interpreted a different way. When I tested this by combining two of my VLAN shared networks into one shared network with two subnets, no devices on those subnets could get IP addresses. Go figure. But that also means my second question is moot, since I no longer need the raw parameters to go in a subnet, and can put them just in the single shared network in which I need them.
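As an added illustration (not from the original posts and not VyOS's generated file), here is how the DDNS statements from the first post would sit in a hand-written dhcpd.conf when only one shared network should register clients in DNS: ddns-update-style is only meaningful in the outer scope, the key and zone declarations stay global, and the per-scope statements move into the shared-network block. The network names, subnets and ranges are assumptions; the key name, secret and server address are the placeholders used in the first post.

```conf
# Global scope: applies to every shared-network below.
ddns-update-style standard;        # only meaningful in the outer scope
ddns-updates off;                  # default for any scope that does not override it
key "pdns-key" { algorithm hmac-sha256; secret "passcode"; };   # placeholder secret from the post
zone example.org. { primary 11.22.33.44; key pdns-key; }
zone 1.168.192.in-addr.arpa. { primary 11.22.33.44; key pdns-key; }

# Assumed shared network whose leases should be registered in DNS.
shared-network LAN {
    authoritative;
    ddns-updates on;               # overrides the global off for this scope only
    ddns-domainname "example.org.";
    ddns-rev-domainname "in-addr.arpa.";
    deny client-updates;           # server performs the updates, not the clients
    do-forward-updates on;
    update-optimization off;
    update-conflict-detection off;
    subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.100 192.168.1.200;
        option routers 192.168.1.1;
    }
}

# Assumed shared network that inherits the global "ddns-updates off" and stays out of DNS.
shared-network GUEST {
    authoritative;
    subnet 192.168.50.0 netmask 255.255.255.0 {
        range 192.168.50.100 192.168.50.200;
        option routers 192.168.50.1;
    }
}
```

In VyOS terms these are the same raw statements, with the LAN block's entries supplied through shared-network-parameters for that network instead of global-parameters.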