Configuration of DHCP server option 60

Source: Internet
Author: User

http://blog.chinaunix.net/space.php?Uid=683300&Do=Blog&cuid=2105070

 

Recently, in a community broadband network environment based on Microsoft Mediaroom and using Motorola set-top boxes for a p HD movie project, the set-top boxes use DHCP option 60 to prevent non-set-top-box clients from obtaining valid IP addresses, which required a series of configurations. There is not much material on this on the Internet, so I will post the configuration.

Network and system environment

(1) Internet Systems Consortium DHCP server v3.0.5
(2) CentOS 5.0
(3) Cisco 6509
(4) Microsoft Mediaroom
(5) Motorola vip1208ap

Key Points

(1) Time synchronization
Use the same NTP server to synchronize time; otherwise an exception occurs when the client obtains its IP address.

(2) DHCP relay

! a secondary IP can also be used as the boot gateway
ip dhcp smart-relay
! DHCP server forwards option 60 information
ip dhcp relay information option
ip dhcp relay information policy drop
ip dhcp relay information trust-all

ip helper-address <DHCP server IP>

(3) dhcpd.conf

Client validity authentication (class selection)

class "IPTV-clients" {
    # Match either of the two identifiers the set-top box sends in option 60.
    match if option vendor-class-identifier = "msft_xxxxxx" or option vendor-class-identifier = "MSFT xxxxxx";
}

The set-top box sends two different vendor-class-identifier values at different stages, so the "or" is added; "or" is not supported in earlier versions.

Of course, using "match if substring" can also solve the problem, but I prefer "match if option".

subnet 10.201.16.0 netmask 255.255.255.0 {
    option routers 10.201.16.1;
    option subnet-mask 255.255.255.0;
    option domain-name-servers 192.168.0.1;
    option time-offset -18000;   # Eastern Standard Time
    pool {
        # Note: IP addresses are allocated only after authentication.
        allow members of "IPTV-clients";
        range 10.201.16.10 10.201.16.254;
    }
    default-lease-time 43200;
    max-lease-time 43200;
}
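
The class match above, reproduced outside dhcpd as an added example (not code from the original post or from ISC): it parses the options field of a raw DHCP message, pulls out option 60 and applies the same two-value comparison. The function names, the sample MAC address and the transaction ID are constructed for illustration; the "xxxxxx" identifiers are the placeholders used in the post.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
# Placeholder identifiers copied from the class definition on this page.
ALLOWED_VCI = {b"msft_xxxxxx", b"MSFT xxxxxx"}

def parse_options(packet: bytes) -> dict:
    """Return {option code: value} from a raw BOOTP/DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of packet")
        opts[code] = value
        i += 2 + length
    return opts

def in_iptv_class(packet: bytes) -> bool:
    """Same test as the class: exact match of option 60 against either value."""
    return parse_options(packet).get(60) in ALLOWED_VCI

def build_discover(vci=None) -> bytes:
    """Constructed sample DHCPDISCOVER; MAC and xid are made up."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678, 0,
                      0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      bytes.fromhex("020000000001"), b"", b"")
    opts = bytes([53, 1, 1])                        # option 53: DHCPDISCOVER
    if vci is not None:
        opts += bytes([60, len(vci)]) + vci         # option 60: vendor class
    return hdr + MAGIC_COOKIE + opts + b"\x00\xff"  # pad, then end

if __name__ == "__main__":
    for vci in (b"MSFT xxxxxx", b"msft_xxxxxx", b"MSFT 5.0", None):
        print(vci, "->", in_iptv_class(build_discover(vci)))
```

The comparison is byte-exact on a field the client fills in itself, so the class works as an allocation filter for the pool rather than as proof of device identity.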

After actual implementation, only clients that send the vendor-class-identifier can obtain an IP address. Other ordinary users cannot obtain a valid IP address, but there is still a problem: illegal (rogue) DHCP servers in the broadcast domain may cause a set-top box to obtain an address from the illegal DHCP server first. Although VLAN isolation has been performed, the network is too large and this is difficult to avoid.

I still have a question: since the DHCP server can allocate IP addresses based on option 60, why does the client have to receive the option 60 valid DHCP server address when it cannot issue DHCP option 60?

(4) Deployments differ from place to place, so this is for reference only. If you have the same problem, please mail huangyonghe at gmail.com
