Four major defects of DHCP server

Source: Internet
Author: User

We all know that DHCP (Dynamic Host Configuration Protocol) servers are widely used in enterprise LANs, and their advantages are obvious. Manually managing IP addresses in an enterprise LAN with one or two hundred computers is very heavy work, and a moment's carelessness produces an address conflict. Manually allocating IP addresses is therefore not appropriate in a large enterprise network.

Therefore, many enterprise network administrators use DHCP servers to manage enterprise IP addresses. The network administrator only needs to configure common parameters, such as the DNS server address, once on the DHCP server instead of setting them on every computer. When these parameters change, there is no need to touch each host; only the configuration on the DHCP server needs to be changed. The DHCP server can also ensure that each IP address in the enterprise LAN is unique, and it will not lease the same IP address to two hosts at the same time. The functions of the DHCP server are indeed powerful, but it is not omnipotent; it also has a number of defects. The network administrator needs to understand these defects when designing the DHCP environment and avoid them as far as possible during the design process.

Next, I will describe the operational defects of the DHCP server as I understand them. Readers are welcome to add to the list and discuss the issue.

Defect 1: The DHCP server cannot communicate with clients across routers unless the router allows BOOTP forwarding.

For security reasons, some enterprises physically divide their network into several independent network segments in order to control access between them. For example, in a chemical company the R & D department is relatively confidential: hosts in other departments cannot access its network, while its network can access the networks of the other departments. Technically this is simple. The network of the R & D department and the networks of the other departments can be divided into two independent networks through subnetting and connected through a router, and access between them can then be controlled on the router.

However, once a DHCP server is used in such an enterprise LAN, a problem appears. The DHCP server cannot communicate with clients across a router unless the router allows BOOTP forwarding. That is to say, if the enterprise divides its network into subnets and the DHCP server sits in one segment, hosts in the other segment cannot obtain IP addresses from it.

What methods should we use to address this limitation?

The most common method is to use fixed IP addresses in the isolated segment. Although the network administrator has divided the enterprise network into different segments, this was purely for security reasons, so the number of hosts in such a segment is often not large. If the R & D department is placed in its own subnet, it may have at most 10 computers. There is no need to complicate matters: IP addresses can simply be assigned to the hosts in this subnet manually, while all other hosts are configured as DHCP clients and obtain their addresses from the DHCP server. This is the simplest and most practical solution. You do not have to worry about configuring a DHCP relay agent or activating the BOOTP forwarding function of the router; these are all small matters.

If the subnets were not divided for security reasons, the situation must be considered separately. For example, a relatively large group enterprise with several subsidiaries may, when designing the network, set up one DHCP server and assign a subnet to each subsidiary. In this case the number of hosts in a subnet may be large, and manually allocating IP addresses is not realistic. Here we can use the BOOTP forwarding function of the router to allow hosts in the other network segments to obtain IP addresses from the DHCP server.

Defect 2: If non-DHCP clients exist in the network, the DHCP server cannot detect them.

If the enterprise LAN contains both DHCP client computers and network devices that are not DHCP clients, the DHCP server does not know which IP addresses those non-DHCP devices are using. If it then assigns one of the addresses used by these non-DHCP devices to a DHCP client, an IP address conflict results.

This situation is especially common in enterprises with many network servers. For example, an enterprise adds a network print server and manually configures its IP address as 192.168.0.203. The original address pool on the enterprise DHCP server was 192.168.0.20 to 192.168.0.200. Later, because addresses were running short, the pool was extended to 192.168.0.20 to 192.168.0.220. The network administrator may have overlooked that 192.168.0.203 had already been assigned to the network printer, so that address is now inside the DHCP server's address pool. If the server leases it to another device, the addresses conflict and network communication fails.

This situation is therefore particularly likely when manually assigned addresses and addresses automatically assigned by the DHCP server coexist: the DHCP server cannot find out which IP addresses in its address pool are already in use by hosts that are not its clients.

Therefore, if this hybrid mode is adopted, the author offers the following suggestions.

First, non-DHCP clients should use fixed IP addresses from a reserved range. Enterprise-level devices such as network printers, routers, gateways, and application servers usually use fixed IP addresses, and these devices are often not DHCP clients. To keep their addresses separate from the pool the DHCP server may allocate, the enterprise should distinguish the two in IP address design and management. For example, it can specify that the first 20 addresses, from 2 to 20, are used for these fixed devices, and the remaining addresses are allocated automatically. If a network device is added later, for example a network printer for a department, its IP address is taken directly from the range 2 to 20 and no other address may be used. This effectively avoids conflicts between fixed IP addresses and automatically assigned ones.

Second, plan the address space of the DHCP server's address pool reasonably. When a DHCP server is created, the network administrator specifies on the server which IP addresses may be allocated; this is called the address pool. In addition, the addresses that may not be allocated must be specified; these are the exclusions. When creating the DHCP server, consider the size of the enterprise network and size the address pool accordingly. In general, it is best to keep the excluded addresses consecutive, which makes later management easier. There also should not be many excluded addresses, because few network devices use fixed IP addresses. Generally, I think reserving 20 fixed IP addresses is enough.

Third, the fixed addresses may turn out to be insufficient only after the DHCP server has been set up. The DHCP server allocates addresses from small to large, so when adding exclusions afterwards it is best to take them from the high end of the pool. Only then can the address pool be changed and the few non-DHCP clients be given addresses that are still idle. In that case, even if the server's address pool is adjusted again later, the addresses used by the non-DHCP clients can continue to be used, which is very helpful for subsequent management.

Defect 3: If multiple DHCP servers exist in the enterprise network, IP addresses may conflict.

If multiple DHCP servers exist in the enterprise network, one server has no way of knowing which IP addresses have been leased out by the others. An IP address may therefore be leased by two DHCP servers at the same time, resulting in a network address conflict.

In general, this situation is caused by the negligence of the network administrator. For example, some routers or switches enable the DHCP server function by default. When such a router or switch is connected to the enterprise network, for instance to replace a failed switch, and its DHCP service is not disabled in time, two DHCP servers exist in the enterprise network. Because there is no coordination between the two DHCP servers, they may lease the same IP address at the same time.

Therefore, when managing DHCP servers, the network administrator should avoid multiple independent DHCP servers as far as possible. If multiple DHCP servers are set up to improve performance, it is best to keep their address pools separate when allocating them, with no duplicate IP addresses. In that case, even if multiple DHCP servers exist at the same time, there will be no IP address conflict.
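The printer scenario from Defect 2 and the overlapping pools from Defect 3 can both be checked mechanically before a scope change is applied. The following Python script is an added example and is not part of the original article; the scope dictionaries, host names and ranges are constructed to mirror the article's 192.168.0.x example.

```python
import ipaddress

IPv4 = ipaddress.IPv4Address


def address_range(first: str, last: str) -> set:
    """Every address from first to last, inclusive, as a set of IPv4Address."""
    lo, hi = int(IPv4(first)), int(IPv4(last))
    return {IPv4(i) for i in range(lo, hi + 1)}


def allocatable(scope: dict) -> set:
    """Addresses the server may actually lease: the pool minus its exclusions."""
    pool = address_range(scope["start"], scope["end"])
    for lo, hi in scope.get("exclusions", []):
        pool -= address_range(lo, hi)
    return pool


def static_conflicts(scope: dict, static_hosts: dict) -> dict:
    """Defect 2: fixed-address (non-DHCP) hosts that sit inside the leasable pool."""
    leasable = allocatable(scope)
    return {name: ip for name, ip in static_hosts.items() if IPv4(ip) in leasable}


def server_overlap(scopes: list) -> set:
    """Defect 3: addresses that two or more independent servers could both lease."""
    seen, overlap = set(), set()
    for scope in scopes:
        leasable = allocatable(scope)
        overlap |= leasable & seen
        seen |= leasable
    return overlap


# Constructed inventory mirroring the article's printer scenario (hypothetical hosts).
STATIC_HOSTS = {"gateway": "192.168.0.1", "printer-rnd": "192.168.0.203"}
OLD_SCOPE = {"start": "192.168.0.20", "end": "192.168.0.200"}
# The extended pool that swallowed the printer's address.
GROWN_SCOPE = {"start": "192.168.0.20", "end": "192.168.0.220"}
# The corrected pool: same range, with the high end excluded for fixed devices.
SAFE_SCOPE = {**GROWN_SCOPE, "exclusions": [("192.168.0.201", "192.168.0.220")]}

if __name__ == "__main__":
    for label, scope in (("old", OLD_SCOPE), ("grown", GROWN_SCOPE), ("safe", SAFE_SCOPE)):
        print(label, "static conflicts:", static_conflicts(scope, STATIC_HOSTS))
    rogue = {"start": "192.168.0.100", "end": "192.168.0.220"}  # e.g. a switch's default DHCP scope
    print("addresses leasable by two servers:", len(server_overlap([SAFE_SCOPE, rogue])))
```

Running the same check against the exported scope of every DHCP-capable device on the LAN is a cheap way to notice the forgotten default DHCP service described above before it hands out a duplicate lease.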

Defect 4: Some network management policies may become invalid.

As the author mentioned in the previous article, using a DHCP server to manage enterprise IP addresses means that IP addresses may change dynamically. Some network management policies, such as mail filtering policies and network access control policies, are implemented on the basis of IP addresses. If a host's IP address changes frequently, it is difficult to enforce network management policies that are based on the IP address.

There are two ways to deal with this defect.

The first is to adopt an unlimited lease policy: when addresses are sufficient, each host's IP address can then remain fixed. The second is to change the network management policy so that it is enforced through the MAC address rather than the IP address. However, MAC addresses are a little harder to manage, because they are not as intuitive as IP addresses.

The network administrator must make a wise judgment based on the actual situation of the enterprise.
