This post assumes you know about the University’s central DHCP provision and have some interest in its migration to a new management platform.
Towards the end of 2019 the DNS management platform for the University of Oxford migrated to a custom-built IPAM platform called Hydra. It was originally planned for the DHCP platform to be merged into the Hydra system within a year, but a few world events got in the way and things were delayed a little. However, we are now at the stage where some departments have already made the switchover to this new system with mercifully little drama. The process is reasonably straightforward and we are now taking the steps to wind down our old platform and give it the send-off it deserves.
There is a dedicated help and support channel for pre- and post-migration – the Hydra DHCP Migration channel within the MS Teams ITSS Community team. This will be open until the end of September.
Short overview of what’s happening if you’re in a rush
The DHCP management platform is migrating from the old platform to a new one, Hydra, from 7-12 September 2023. Subnets which are configured to use the central DHCP service but haven’t used it recently (past three months) will not be migrated. All other subnets will be migrated and you may need to take action:
- Sanitise input data
- Update helper addresses
- Update firewalls and ACLs e.g. DHCP snooping
Why migrate?
This is a reasonable question with hopefully a reasonable answer. The current system is old, and its eccentricities have fossilised over the many years that it has provided good enough service. Hydra DHCP is promising to be a more resilient platform, and more importantly it is flexible enough to provide you, assuming you the reader have sufficient permissions, self-service facilities which until now have not been available:
- Changing DHCP pool size
- Modifying DHCP options
- Modifying an existing DHCP reservation rather than deleting, waiting 5 minutes, then creating.
- Modifying DNS records and DHCP reservations in a single page.
- Bulk modification of reservations
What is migrating?
Any subnet that is currently using the DHCP servers located at 163.1.2.2 and 129.67.1.2 will require migration to a new pair of IP helpers (129.67.1.11, 163.1.2.11). Not sure if your subnet will be migrated? You can check on the list of subnets on the Network Support and Development Team wiki.
What isn’t migrating?
On the old system there is a lot of flotsam and jetsam: subnets that are no longer in use, or subnets that no longer use the central DHCP servers. We have made a judgement call that if there have been no leases given within a 3-month period, then they are not to be migrated to the new system. The subnets are listed in our Wiki.
If you believe these subnets should be migrated, for example they are rarely rather than never used, then please get in contact with us as soon as possible.
When will the migration happen?
We will be making the current system read-only on Thursday 7 September 2023 at 10am. This will give us enough time to migrate the ~80 subnets before Tuesday 12 September, 10am, after which time we will have updated the DHCP helpers to point to the new system.
You are more than welcome to migrate prior to this date. Migrating before this will give you a much smaller change freeze as we port the data from the old platform to the new. Please get in touch if you would like to migrate earlier.
Do I need to do anything before or after the migration?
Maybe. How much action you need to take depends on your networking setup and your current reservation dataset. There are potentially three main actions to help ensure a smooth upgrade:
Data sanitisation
Both Hydra DHCP and the current system need a DHCP daemon to actually serve the clients with the data stored in their respective databases. We have taken the opportunity to switch the DHCP daemon from ISC DHCP to ISC Kea. What this particular change means for you is hopefully not very much, but the former accepts data that the latter rejects. Further, Hydra DHCP constrains input data by rejecting reservations for an IP address with no corresponding DNS record.
To that end, there are reservation lists that are valid under the current system that will not be valid input for Hydra DHCP. We have made available a list of these subnets. For all migrating subnets, we have made available to you the raw data that will be input into Hydra. Its format is not that important; what is important is whether anything in it needs attention. Any such items will be at the bottom of the file and hopefully easy enough to understand.
DHCP helper migration
This is documented in the migration process wiki page, but in short if you host the SVI (gateway) of your subnet, you will need to update the DHCP helper addresses. This should be done shortly after 12 September.
Firewall updates
There is a chance that we in Network Support and Development host the SVI of your subnet, but you in your college and department run ACLs such as DHCP snooping. If this is you, you will need to permit the new IP service addresses for DHCP: 129.67.1.11, 163.1.2.11. During the migration window change freeze, please have all four addresses in place to aid the switchover.
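One way to audit exported router, switch or firewall configuration for the helper and ACL changes described above (an added example, not a tool from Network Support and Development; the Cisco IOS-style sample config is constructed and the stanza-splitting rule is an assumption). It matches whole addresses only, because a plain substring search for 129.67.1.2 also hits unrelated hosts such as 129.67.1.25.

```python
import re

LEGACY = {"129.67.1.2", "163.1.2.2"}      # old central DHCP servers
NEW = {"129.67.1.11", "163.1.2.11"}       # Hydra DHCP service addresses
# Whole dotted quads only: no digit or dot may touch either end of the match.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def audit(config_text):
    """Map each stanza that references a legacy server to the new addresses it lacks."""
    seen = {}
    stanza = "(global)"
    for line in config_text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():          # unindented line starts a new stanza
            stanza = line.strip()
        hits = set(IPV4.findall(line)) & (LEGACY | NEW)
        if hits:
            seen.setdefault(stanza, set()).update(hits)
    return {name: sorted(NEW - addrs)
            for name, addrs in seen.items() if addrs & LEGACY}

# Constructed sample in Cisco IOS-style syntax (assumption: adapt to your platform).
SAMPLE_CONFIG = """\
interface Vlan10
 ip helper-address 129.67.1.2
 ip helper-address 163.1.2.2
!
interface Vlan20
 ip helper-address 129.67.1.2
 ip helper-address 163.1.2.2
 ip helper-address 129.67.1.11
 ip helper-address 163.1.2.11
!
ip access-list extended DHCP-SERVERS
 permit udp host 129.67.1.2 any eq bootpc
 permit udp host 163.1.2.2 any eq bootpc
 permit udp host 129.67.1.11 any eq bootpc
!
ip access-list extended OTHER
 permit ip host 129.67.1.25 any
"""

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_CONFIG).items():
        print(name, "-> missing:", ", ".join(missing) or "nothing")
```

An empty list means the stanza already carries all four addresses, which is the state asked for during the change freeze.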
How do you migrate?
The process is documented on the Networks Support and Development wiki. The steps were written when we were doing subnet-by-subnet migrations rather than the bulk migration mentioned above. This can still be you! Please do contact us if you want to migrate in advance of the old system switch-off, with all the benefits that entails.
As mentioned above, we have a list of subnets which will not migrate smoothly without human intervention. If you want the human to be someone in Netdev, we will resolve using the following algorithm:
- Reservations without a corresponding DNS record will not be ported
- Multiple reservations occupying the same IP address will be pruned, with the most recent reservation chosen
- Similarly for multiple identical MAC reservations pointing at multiple IPs within the same subnet
I cannot stress enough that this may knock clients off your network! I would strongly recommend you eyeball the data we have on your subnets before the migration and make the necessary changes.
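The pruning rules above, sketched as an added example that is not Netdev's own migration code, so you can preview which clients would lose their reservation. The `Reservation` fields, the `modified` date used to decide "most recent", the order in which the two duplicate rules run, and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Reservation:
    mac: str
    ip: str
    modified: date  # assumed field: when the reservation was last changed

def normalise_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff form so differently written MACs compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def plan_migration(reservations, dns_ips):
    """Return (kept, dropped); dropped is a list of (reservation, reason)."""
    live, dropped = [], []
    for r in reservations:                      # rule 1: must have a DNS record
        if r.ip in dns_ips:
            live.append(r)
        else:
            dropped.append((r, "no DNS record"))
    rules = ((lambda r: r.ip, "duplicate IP"),                   # rule 2
             (lambda r: normalise_mac(r.mac), "duplicate MAC"))  # rule 3
    for key, reason in rules:
        newest = {}
        for r in live:                          # keep the most recent per key
            k = key(r)
            if k not in newest or r.modified > newest[k].modified:
                newest[k] = r
        winners = list(newest.values())
        dropped += [(r, reason) for r in live if r not in winners]
        live = winners
    return live, dropped

# Constructed sample data (RFC 5737 addresses, locally administered MACs).
SAMPLE = [
    Reservation("02:00:00:00:00:01", "192.0.2.10", date(2021, 3, 1)),
    Reservation("02:00:00:00:00:02", "192.0.2.10", date(2023, 5, 1)),
    Reservation("02-00-00-00-00-03", "192.0.2.20", date(2022, 1, 1)),
    Reservation("0200.0000.0003", "192.0.2.21", date(2023, 2, 1)),
    Reservation("02:00:00:00:00:04", "192.0.2.30", date(2023, 1, 1)),
    Reservation("02:00:00:00:00:05", "192.0.2.40", date(2020, 6, 1)),
]
SAMPLE_DNS = {"192.0.2.10", "192.0.2.20", "192.0.2.21", "192.0.2.40"}

if __name__ == "__main__":
    for r, reason in plan_migration(SAMPLE, SAMPLE_DNS)[1]:
        print(f"would lose {r.mac} -> {r.ip}: {reason}")
```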
Post migration
After the migration process completes on 12 September, DHCP updates are made on the Hydra IPAM that you’ll have been using for DNS management these past few years.
There is help on using Hydra DHCP in the Hydra IPAM help section and a simple walk-through guide on the Networks wiki.
Summary of actions
Subnet’s router is on the FroDo
- look for and correct any errors in your subnet’s configuration data before 7 September: MS Teams > ITSS Community > Hydra DHCP Migration > Files > migration-output > $date > errors > $subnet.errors.txt
- if you have any firewall ACLs or switch config (e.g. DHCP snooping) that references 129.67.1.2 and 163.1.2.2, add 129.67.1.11 and 163.1.2.11
Subnet’s router is self-hosted
- look for and correct any errors in your subnet’s configuration data before 7 September: MS Teams > ITSS Community > Hydra DHCP Migration > Files > migration-output > $date > errors > $subnet.errors.txt
- if you have any firewall ACLs or switch config (e.g. DHCP snooping) that references 129.67.1.2 and 163.1.2.2, add 129.67.1.11 and 163.1.2.11
- change your router’s DHCP relay addresses (sometimes called IP helpers) from 129.67.1.2 and 163.1.2.2 to 129.67.1.11 and 163.1.2.11 at some point between the end of data migration on 12 September and the retirement of the legacy platform on 26 September