Example DHCP Implementation


This DHCP example implementation depicts how a fictional company uses Windows Server 2003-based DHCP servers to streamline and automate administration and assignment of IP addresses and other client configuration information. Though your network configuration might differ from this example, you can apply the basic concepts.

The company has two offices, a main administrative office and a branch office 25 miles away. The company employs 600 people, many of whom travel frequently between the two offices with portable computers.

The main office is housed on two floors, with 75 desktop computer users per floor. Because many of these employees also have portable computers, conference rooms are configured with wireless networking. Wireless networking also provides ease of network connectivity to employees from the branch offices who are attending meetings at the main office.

Connectivity and Routing

A digital subscriber line (DSL) account at a rate of 1.1 megabits per second (Mbps) is established for each of the two company sites, providing a dedicated connection to the Internet through a DSL modem. Additional network adapters are installed on the server computers at both sites, one network adapter per subnet.

The DSL-connected server in the main office has two additional network adapters, one for Subnet A and one for Subnet B. On Subnet A, network cable runs from the network adapter to a hub. On wireless Subnet B, network cable runs from the network adapter to a hub, then to wireless access points stationed in conference rooms.

The DSL-connected server computer in the branch office has four additional network adapters, one each for subnets C through F. On wireless subnet C, network cable runs from the network adapter to a hub, then to wireless access points stationed in conference rooms. On subnets D, E, and F, network cable runs from the network adapters to hubs that extend to each individual subnet.

To provide secure, private, encrypted communication between the two sites over DSL, both DSL-connected servers are also configured as virtual private network (VPN) servers.

To allow messages from both DHCP servers and DHCP clients to cross from site to site and between subnets at each site, the Routing and Remote Access service on each DSL-connected server has the DHCP relay agent routing protocol installed and configured.

For more information about connecting remote sites, see "Connecting Remote Sites" in this book.

Transmission Security Between Sites

Because the company wants the highest level of security available for the VPN connection that allows the two sites to communicate using their 1.1 Mbps DSL connections over the Internet, they install a Windows Server 2003 certification authority (CA) and establish a Layer Two Tunneling Protocol (L2TP) connection, relying on Internet Protocol security (IPSec) for encryption services. The combination of L2TP and IPSec is known as L2TP/IPSec. With certificate-based authentication and an L2TP/IPSec connection, the company is using the strongest form of authentication in Windows Server 2003. For more information about using a certification authority, see "Designing an Authentication Strategy" in the Designing and Deploying Directory and Security Services book of this kit. For more information about using IPSec, see "Deploying IPSec" in this book.

Active Directory Domain Structure

The company uses Active Directory to list IP addresses of DHCP servers authorized for operation on the network. If an unauthorized DHCP server running Windows 2000 or Windows Server 2003 is started on the network, it determines its authorization status from the directory service. If the server determines that it is not authorized, it stops functioning in the domain as a DHCP server, and cannot be used to provide IP address leases to clients. There are two sites to define in Active Directory, one at the main administrative site and one at the branch office site. Creating two sites optimizes the exchange of directory information and facilitates administration by centralizing resources such as configuration information.

Subnets and IP Addressing

Although the company employs approximately 600 people, most employees use both a desktop computer and a portable computer. Because the portable computers function primarily via wireless connections to the network, one subnet at each of the two company sites is configured as a wireless subnet.

In all, there are six subnets on the company network, with 600 desktop clients and approximately 425 portable clients divided among the subnets as shown in Table 2.1. All subnets on the network are configured with the subnet mask 255.255.255.0. All six subnets are serviced by DHCP, with one DHCP server located at each site.

Table 2.1: Address Range and Clients per Subnet

Subnet   Address Range                         Approximate Number of Clients
A        192.168.0.1/24 to 192.168.0.254/24    150
B        192.168.1.1/24 to 192.168.1.254/24    Up to 225
C        192.168.2.1/24 to 192.168.2.254/24    Up to 225
D        192.168.3.1/24 to 192.168.3.254/24    150
E        192.168.4.1/24 to 192.168.4.254/24    150
F        192.168.5.1/24 to 192.168.5.254/24    150

The main office houses 150 employees dispersed over two floors of the building. All users also have portable computers that they frequently take to meetings in conference rooms. All of the conference rooms are configured for wireless networking.

The company has divided the main office into two Class C subnets:

  • Subnet A — Floors 1 and 2

  • Subnet B — Wireless subnet with wireless access points installed in conference rooms

The branch office houses 450 employees, dispersed throughout a three-story building. Over 200 users also have portable computers that they frequently take to meetings in conference rooms, all of which are configured for wireless networking.

The company has divided the branch office into four Class C subnets:

  • Subnet C — Wireless subnet for conference rooms

  • Subnet D — Floor 3

  • Subnet E — Floor 2

  • Subnet F — Floor 1

Before creating and activating scopes on the DHCP server, the company plans IP address ranges, exclusion ranges, and reservations (where applicable) for each subnet. The company uses Class C IP address ranges on every subnet, as each Class C address range provides 254 IP addresses when the subnet mask is defined as 255.255.255.0.

Because the client count per non-wireless subnet is 150 or fewer clients, 254 IP addresses per subnet allow the company to provide static address assignments for any servers that require them, and dynamic assignments to all clients on the network — with plenty of IP addresses remaining to provide for future network expansion.

The wireless subnets are configured with a lease duration of 15 minutes. Because of the short lease time, 254 IP addresses per subnet are sufficient for the wireless subnets, even though these subnets experience substantial traffic, with portable computers joining and leaving the subnet at high volume during a typical day. These short leases expire soon after a portable computer is disconnected from the network, and the IP address used by that computer becomes available for lease to other DHCP clients as they connect to the wireless subnet.

Exclusion Ranges

Some network devices need to use statically assigned IP addresses rather than addresses dynamically assigned through DHCP. For example, DHCP servers must have statically configured IP addresses. Also, some devices (such as legacy network printers) do not support DHCP.

For the devices that need static IP assignments, the company creates an exclusion range from each IP address range. Creating one or more exclusion ranges prevents the DHCP server from assigning a client lease with any address in the exclusion range, thereby protecting it for use as a static IP address and preventing address conflicts between statically configured devices and dynamically configured devices.

Although any addresses in the address range can be excluded, the company chooses to exclude the first 20 addresses from each address range for non-wireless subnets, and the first five IP addresses from each address range for wireless subnets. The company uses additional exclusion ranges to configure load balancing and fault tolerance using the 80/20 rule. For more information about DHCP scopes, see "Scope Configuration" later in this chapter.

Address Pools

After the address range and exclusion ranges are defined, the remaining addresses form the available address pool within the scope. These addresses are eligible for dynamic assignment by the server to DHCP clients on the network. Table 2.2 shows the address pool for each subnet prior to adding the exclusion ranges used to apply the 80/20 rule.

Table 2.2: DHCP Address Pools per Subnet

Subnet         Address Pool
A              192.168.0.21/24 to 192.168.0.254/24
B (wireless)   192.168.1.6/24 to 192.168.1.254/24
C (wireless)   192.168.2.6/24 to 192.168.2.254/24
D              192.168.3.21/24 to 192.168.3.254/24
E              192.168.4.21/24 to 192.168.4.254/24
F              192.168.5.21/24 to 192.168.5.254/24

For more information about DHCP scopes and the 80/20 rule, see "Scope Configuration" later in this chapter.

Reservations

The company uses IP address reservations for file and print servers on their network. Reservations are used to create a permanent IP address lease assignment by the DHCP server. Reservations ensure that a specified hardware device on the subnet can always use the same IP address.

When using the 80/20 rule and splitting a scope's IP address pool between two servers for load balancing and fault tolerance, identical reservations must be made at both DHCP servers. When reservations are made at both servers, neither server assigns the reserved IP address to another client, assuring that the intended device receives the address reserved for its use.

Table 2.3 shows two example address reservations. For more information about the 80/20 rule and for an example of how these reservations are created in specific scopes at each DHCP server, see "Scope Configuration" later in this chapter.

Table 2.3: Example Address Reservations

Device               Subnet   Reserved IP Address
Application server   A        192.168.0.21/24
File server          D        192.168.3.68/24

Note

Reservations can be created using any IP address in the scope's address range, even if the IP address is also within an exclusion range. Because of this design, when the 80/20 rule is implemented and some addresses in the scope are excluded (80 percent at one server, 20 percent at the other), reservations still function properly.

Message Routing

The company uses DHCP relay agents to relay DHCP messages between subnets and sites. To support and use DHCP across multiple subnets, routers connecting each subnet should comply with the DHCP/BOOTP relay agent capabilities described in RFC 1542. To cut the cost of expensive network hardware such as routers, the company uses the Windows Server 2003 Routing and Remote Access service, including the DHCP relay agent, to forward DHCP/BOOTP messages between subnets. Because the VPN servers act as routers for network traffic, the DHCP relay agents are configured on the VPN servers.

For more information about installing and configuring DHCP relay agents, see "Configure the DHCP Relay Agent" in Help and Support Center for Windows Server 2003.

Installing DHCP and Authorizing Servers in Active Directory

The company completes the following steps at both sites:

  1. Configures the servers.

  2. Installs the DHCP Server service.

  3. Opens the DHCP snap-in from the MMC.

  4. Authorizes the DHCP server in Active Directory.

  5. Adds DHCP administrators to the DHCP Administrators group or the DHCP Users group, depending on their user rights.

  6. Creates, configures, and activates one scope for each subnet.

After creating scopes at the DHCP servers, the company defines a site in Active Directory for the branch office. Each of the six subnets is then associated with the appropriate site. When configuring your network, however, you can configure all sites in Active Directory before creating DHCP scopes.

Scope Configuration

By using the 80/20 split-scope configuration for fault tolerance and availability, scopes for all six subnets on the company network are defined on both DHCP servers. Exclusion ranges are used to allocate available addresses per scope, per server, as follows:

  • The main office DHCP server is configured with 80 percent of the IP addresses available for lease to clients in each scope serving subnets A and B and 20 percent of the IP addresses available for lease to clients located at the branch office (subnets C through F).

  • The branch office DHCP server has 80 percent of all addresses in all scopes available for lease to clients in the branch office (subnets C through F) and 20 percent of all addresses in all scopes available for lease to clients located in the main office (subnets A and B).

Thus, if either server suffers a hard-disk failure or other failure, the alternate server is available to assign and renew leases on all subnets.

To achieve the 80/20 rule, each Class C IP address range of 254 IP addresses available in each non-wireless scope is divided in the following manner:

  • 20 IP addresses for static assignments.

  • 187 IP addresses, or 80 percent of the addresses for lease, in the address pool of the DHCP server at the same site.

  • 47 IP addresses, or 20 percent of the addresses for lease, in the address pool of the DHCP server at the other site.

The wireless scopes are divided in the following manner:

  • 5 IP addresses for static assignments.

  • 203 IP addresses, or 80 percent of the addresses for lease, in the address pool of the DHCP server at the same site.

  • 51 IP addresses, or 20 percent of the addresses for lease, in the address pool of the DHCP server at the other site.

Table 2.4 shows the address pools and exclusion ranges configured on the main office DHCP server.

Table 2.4: Scope Configurations on the DHCP Server at the Main Office

Scope Name     Address Range                  Exclusion Ranges                                             Address Pool
A              192.168.0.1 to 192.168.0.254   192.168.0.1 to 192.168.0.20, 192.168.0.21 to 192.168.0.67    192.168.0.68 to 192.168.0.254
B (wireless)   192.168.1.1 to 192.168.1.254   192.168.1.1 to 192.168.1.5, 192.168.1.204 to 192.168.1.254   192.168.1.6 to 192.168.1.203
C (wireless)   192.168.2.1 to 192.168.2.254   192.168.2.1 to 192.168.2.203                                 192.168.2.204 to 192.168.2.254
D              192.168.3.1 to 192.168.3.254   192.168.3.1 to 192.168.3.20, 192.168.3.68 to 192.168.3.254   192.168.3.21 to 192.168.3.67
E              192.168.4.1 to 192.168.4.254   192.168.4.1 to 192.168.4.20, 192.168.4.68 to 192.168.4.254   192.168.4.21 to 192.168.4.67
F              192.168.5.1 to 192.168.5.254   192.168.5.1 to 192.168.5.20, 192.168.5.68 to 192.168.5.254   192.168.5.21 to 192.168.5.67

Table 2.5 shows the address pools and exclusion ranges configured on the branch office DHCP server.

Table 2.5: Scope Configurations on the DHCP Server at the Branch Office

Scope Name     Address Range                  Exclusion Ranges                                             Address Pool
A              192.168.0.1 to 192.168.0.254   192.168.0.1 to 192.168.0.20, 192.168.0.68 to 192.168.0.254   192.168.0.21 to 192.168.0.67
B (wireless)   192.168.1.1 to 192.168.1.254   192.168.1.1 to 192.168.1.203                                 192.168.1.204 to 192.168.1.254
C (wireless)   192.168.2.1 to 192.168.2.254   192.168.2.1 to 192.168.2.5, 192.168.2.204 to 192.168.2.254   192.168.2.6 to 192.168.2.203
D              192.168.3.1 to 192.168.3.254   192.168.3.1 to 192.168.3.20, 192.168.3.21 to 192.168.3.67    192.168.3.68 to 192.168.3.254
E              192.168.4.1 to 192.168.4.254   192.168.4.1 to 192.168.4.20, 192.168.4.21 to 192.168.4.67    192.168.4.68 to 192.168.4.254
F              192.168.5.1 to 192.168.5.254   192.168.5.1 to 192.168.5.20, 192.168.5.21 to 192.168.5.67    192.168.5.68 to 192.168.5.254
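The 80/20 split described above works only if the two servers' exclusion ranges are exact complements of each other, and the note under Table 2.3 depends on reservations being accepted anywhere in the scope range. The following added check (not from the deployment kit) transcribes scopes A and B from Tables 2.4 and 2.5 plus the application server reservation from Table 2.3, derives each server's address pool from its range and exclusions, and verifies that the two pools are disjoint, that together they cover everything except the static addresses, and that the reservation lies inside the main office's exclusion yet is still valid.

```python
import ipaddress

# Scope definitions transcribed from Tables 2.4 and 2.5 (scopes A and B on
# both servers) and the application server reservation from Table 2.3.
MAIN_A = {"range": ("192.168.0.1", "192.168.0.254"),
          "exclusions": [("192.168.0.1", "192.168.0.20"),
                         ("192.168.0.21", "192.168.0.67")]}
BRANCH_A = {"range": ("192.168.0.1", "192.168.0.254"),
            "exclusions": [("192.168.0.1", "192.168.0.20"),
                           ("192.168.0.68", "192.168.0.254")]}
MAIN_B = {"range": ("192.168.1.1", "192.168.1.254"),
          "exclusions": [("192.168.1.1", "192.168.1.5"),
                         ("192.168.1.204", "192.168.1.254")]}
BRANCH_B = {"range": ("192.168.1.1", "192.168.1.254"),
            "exclusions": [("192.168.1.1", "192.168.1.203")]}
APP_SERVER_RESERVATION = "192.168.0.21"  # Table 2.3, scope A


def addresses(first, last):
    """Set of every IPv4 address from first to last, inclusive."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return {ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)}


def address_pool(scope):
    """Addresses left for dynamic lease: the range minus every exclusion."""
    pool = addresses(*scope["range"])
    for first, last in scope["exclusions"]:
        pool -= addresses(first, last)
    return pool


def check_split_scope(server1, server2, static_count):
    """Verify an 80/20 split: the two pools must not overlap, and together
    they must cover the whole range apart from the static_count addresses
    held back for static assignment. Returns (pool1_size, pool2_size, ok)."""
    p1, p2 = address_pool(server1), address_pool(server2)
    whole = addresses(*server1["range"])
    disjoint = not (p1 & p2)
    complete = len(p1 | p2) == len(whole) - static_count
    return len(p1), len(p2), disjoint and complete


def reservation_valid(scope, ip):
    """A reservation may use any address in the scope's range, even one
    inside an exclusion range (see the note under Table 2.3)."""
    return ipaddress.IPv4Address(ip) in addresses(*scope["range"])


if __name__ == "__main__":
    print("scope A:", check_split_scope(MAIN_A, BRANCH_A, 20))  # (187, 47, True)
    print("scope B:", check_split_scope(MAIN_B, BRANCH_B, 5))   # (198, 51, True)
    print("reservation ok:", reservation_valid(MAIN_A, APP_SERVER_RESERVATION))
```

Computed from the table ranges, the wireless 80-percent pool (192.168.1.6 to 192.168.1.203) holds 198 addresses and the 20-percent pool 51, which together account for all 249 non-static addresses.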

Lease Duration

Subnet B in the main office and Subnet C in the branch office are both wireless subnets. Because wireless clients (portable computers and other portable devices) are connected to and disconnected from the network in large numbers and for short intervals throughout the average day, lease duration on these two subnets is set for 15 minutes. These short lease times help to ensure that the maximum number of IP addresses are available in the scope as clients connect to the network.

Lease time for all other (non-wireless) subnets is eight days.

Scope Options

Each scope is configured with option 249, classless static routes. Using classless static routes, each DHCP client can be easily configured with the route to any destination on the network, and the subnet mask can be specified. Because each scope represents a physical subnet, the scope can be viewed as the start location for any message that is to be sent by a client to another subnet. The parameters used to configure option 249 are Destination, Mask, and Router. One or more static routes can be configured with option 249; the company provides all DHCP-enabled clients on the network with routes to all other subnets using option 249.

This option is not configured as a server option because it maps routes between subnets, so no one set of values for the required parameters of Destination, Mask, and Router is always correct. For example, subnets A and D each use a router (that is, a VPN server configured with the Routing and Remote Access service and DHCP Relay Agent service enabled) to communicate with each other. Of course, the routers they use are different, and the destination is different in each case.
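The following added example (not from the deployment kit) shows how the Destination, Mask, and Router parameters of option 249 are packed on the wire: Windows uses the same format as the RFC 3442 classless static route option, where each route is a prefix-length byte, only the significant octets of the destination, and the four router octets. It builds the route list a client on scope A would receive (one route per other subnet) and parses it back, rejecting a truncated payload. The router address 192.168.0.1 is an assumed placeholder; the page does not state the VPN server's address on subnet A.

```python
import ipaddress

# Routes handed to clients on scope A (192.168.0.0/24): one route to each of
# the other five subnets. The router 192.168.0.1 is an assumed placeholder
# inside the static exclusion range; the page does not give the real address.
SCOPE_A_ROUTES = [(f"192.168.{n}.0", "255.255.255.0", "192.168.0.1")
                  for n in range(1, 6)]


def encode_classless_routes(routes):
    """Encode (Destination, Mask, Router) triples as the option 249 payload:
    per route, one prefix-length byte, the significant destination octets
    (ceil(prefix / 8) of them), then the four router octets."""
    out = bytearray()
    for destination, mask, router in routes:
        net = ipaddress.IPv4Network((destination, mask))  # rejects host bits set
        plen = net.prefixlen
        out.append(plen)
        out += net.network_address.packed[:(plen + 7) // 8]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_classless_routes(data):
    """Parse an option 249 payload back into (Destination, Mask, Router)
    strings. A malformed or truncated payload raises ValueError rather than
    yielding a partial route table."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = bytes(data[i:i + n]) + bytes(4 - n)  # omitted octets are zero
        i += n
        router = ipaddress.IPv4Address(bytes(data[i:i + 4]))
        i += 4
        net = ipaddress.IPv4Network((dest, plen))
        routes.append((str(net.network_address), str(net.netmask), str(router)))
    return routes


if __name__ == "__main__":
    payload = encode_classless_routes(SCOPE_A_ROUTES)
    print(payload.hex())  # 5 routes x 8 bytes each for /24 destinations
    print(decode_classless_routes(payload) == SCOPE_A_ROUTES)
```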

Server Options

The DHCP standard options shown in Table 2.6 are configured as server options at the main office DHCP server.

Table 2.6: Example DHCP Options

Option Number   Description                               Value
006             DNS servers                               192.168.0.3, 192.168.3.3
044             WINS/NBNS servers                         192.168.0.4, 192.168.3.4
132             Enable NBT hostname resolution            Byte: 0x1 (1=on)
133             Enable gethostbyname() WINS resolution    Byte: 0x1 (1=on)

Other Settings

Scopes on both DHCP servers are configured with the same reservations, lease durations, scope options, and server options.




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146