cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrija Panic <andrija.pa...@gmail.com>
Subject Re: DHCP instance/vm issue
Date Tue, 09 Jul 2019 16:47:03 GMT
Jesse,

You can experiment with firewall rules/SG, but in general you should not
have more than 1 DHCP server in a single network. I assume your VMs would
be assigned one part of the net/subnet, while your external DHCP server
should be serving your non-ACS infra - i.e. if your acs network for VMs is
192.168.1.1-128, while 192.168.1.129-254(non-ACS infra) should be served by
your external DHCP, then I would think of blocking dhcp ports (dhcp
discover) from whole 192.168.1.1-128 network on your external DHCP server -
i.e. this way your external DHCP SERVER would be "deaf" to all dhcp
discover messages sent from ACS VMs to itself and thus would not issue
leases to ACS VMs.

Hope that makes sense.

Best
Andrija

On Tue, Jul 9, 2019, 21:16 <jesse.waters@gmail.com> wrote:

> My vm was assigned an ip from our endpoint DHCP server, not from VR. Do I
> need to add firewall rule(s) to force DHCP request to VR? I probably missed
> a part of setup w/KVM hosts and or within management when I defined the
> zone/pod/...
>
> This seems to be correct, VR is running on a different host then the vm.
>
> Chain i-2-11-VM-eg (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 RETURN     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
> Chain i-2-11-def (2 references)
>  pkts bytes target     prot opt in     out     source
> destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
> udp spt:68 dpt:67
>     0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            PHYSDEV match --physdev-out vnet0
> --physdev-is-bridged
> udp spt:67 dpt:68
>     0     0 DROP       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
> ! match-set i-2-11-VM src
>     0     0 RETURN     udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
> match-set i-2-11-VM src udp dpt:53
>     0     0 RETURN     tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0            PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
> match-set i-2-11-VM src tcp dpt:53
>     0     0 i-2-11-VM-eg  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            PHYSDEV match --physdev-in vnet0 --physdev-is-bridged
> match-set i-2-11-VM src
>    15  1963 i-2-11-VM  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            PHYSDEV match --physdev-out vnet0
> --physdev-is-bridged
>
>
>
> Thanks for quick response Andrija!
>
> -  Jesse
>
>
>
>
> On Tue, Jul 9, 2019 at 10:39 AM Andrija Panic <andrija.panic@gmail.com>
> wrote:
>
> > ACS will only offer DHCP leases to its VMs, via DHCP reservation.. If you
> > have another DHCP server in your area, than it might be quicker to offer
> a
> > lease to a VM. You have to either remove your non-ACS DHCP server
> > completely, OR make sure it uses reservation for non-ACS servers/hosts
> i.e.
> > NOT let it issue leases freely to anyone who asks for it. Pure DHCP
> > "problem" - i.e. nothing to do with ACS specifically.
> >
> > Best,
> > Andrija
> >
> > On Tue, Jul 9, 2019, 20:27 <jesse.waters@gmail.com> wrote:
> >
> > > Have a DHCP issue where vm pulls from ACS proxy properly sometimes and
> > > other when it pulls from our normal dhcp server for end-points.
> > >
> > > Network layout is flat, and I ACS is using basic network with security
> > > groups. IP range for acs is  within range of our normal network so vms
> > and
> > > endpoints will flow without additional hardware. How do I ensure dhcp
> > > requests are served by router vm and not our normal dhcp server?
> > >
> > > TIA,
> > >   Jesse
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message