Many enterprises recognise that DHCP is a critical service. Without it, IP-based networks and applications can grind to a halt. Yet, many organisations still use ad-hoc combinations of software on servers to deliver DHCP and - often unknowingly - they make many common mistakes that can seriously compromise network availability and security.
Some of the most common errors organisations make include the following:
- DHCP lease times too high or too low - The recommended lease time depends on the rate of change on the network. Wireless and guest networks have a high lease turnover: devices pop on and off the network, sometimes for very short periods of time. Long leases will block others from using those addresses until the lease expires.
- Failing to monitor IP address utilisation for lease pools - Administrators create dynamic ranges with enough addresses for now, plus some extra for expansion, but lose track of how quickly individual subnets grow. Technicians can install new IP-enabled devices faster than anticipated, the pool runs out of addresses, and new devices cannot join the network. This adds to the installation time and usually means a trouble ticket being opened.
- Missing or incorrect options - Remember that everything except the IP address itself is considered an option by DHCP. Every client needs a subnet mask, default router and the like, but if an administrator forgets to configure these options, the DHCP server will not hand that information out to the client.
- Failure to identify DHCP servers as authoritative or not - Understanding what "authoritative" means, and its ramifications, is very important for a DHCP server. Neglecting this setting can cause major issues on a network, including: DHCP wars (conflicting DHCP servers prevent clients from getting an address, or clients get an incorrect address); missing very important data (Novell, for example, uses INFORM packets, which are only answered when the server is authoritative); and issues with Microsoft machines that hold on to their IP addresses even when they are no longer valid.
- UDP/BOOTP/DHCP forwarding missing or invalid - Since DHCP is broadcast based, UDP forwarding needs to be enabled on routers to forward the DHCP packets to the DHCP servers. If this is not done, or is done incorrectly, you can run into issues such as clients not getting addresses and broadcast storms.
- Unknowingly creating overlapping ranges - When administrators configure the same IP ranges on multiple servers (and they are not using DHCP failover), you may end up with duplicate IP addresses on your network. DHCP servers do not share information about which IP addresses they have handed out, so if the same address is available on multiple DHCP servers, each could give it to a different client.
- Incorrect usage of shared-networks - Even though it is now commonplace to have layer-3 switches and routers that support VLANs, you still come across network designs that use secondary IP addressing: a single router interface (real or virtual) that carries IP addresses for multiple networks. In the "good old days" this was referred to as "one-armed routing" or a "router on a stick". In this scenario you must use a shared-network to encompass all of those networks as one. If you use a shared-network incorrectly, clients will end up getting an IP address for the "wrong" network and will not be able to communicate on the network.
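As an added example (not code from the article), the following Python checker parses dhcpd.conf-style configuration from several servers and reports the mistakes in the list above that can be caught before the server is started: no `authoritative` declaration, subnets with no `routers` or `domain-name-servers` option in any enclosing scope (subnet, shared-network or global), leases longer than an assumed 7-day threshold, and ranges that overlap on one server or between servers. The two configurations, the server names `dhcp1`/`dhcp2` and the threshold are constructed for illustration; the syntax follows ISC dhcpd, which the terms shared-network and authoritative suggest the article has in mind.

```python
import ipaddress
import re

# Constructed dhcpd.conf fragments for two hypothetical servers (not real deployments).
CONF_DHCP1 = """
default-lease-time 2592000;
subnet 10.1.0.0 netmask 255.255.255.0 {
  range 10.1.0.50 10.1.0.200;
  option routers 10.1.0.1;       # no domain-name-servers option in any enclosing scope
}
"""
CONF_DHCP2 = """
authoritative;
option domain-name-servers 10.1.0.5;
subnet 10.1.0.0 netmask 255.255.255.0 {
  range 10.1.0.150 10.1.0.250;   # overlaps dhcp1's range, with no failover between them
  option routers 10.1.0.1;
}
shared-network guest-wifi {
  subnet 10.3.0.0 netmask 255.255.255.0 {
    range 10.3.0.10 10.3.0.250;
    option routers 10.3.0.1;
    default-lease-time 600;      # short lease: high turnover on a guest network
  }
}
"""
REQUIRED_OPTIONS = ("routers", "domain-name-servers")
LONG_LEASE = 7 * 86400  # assumed threshold (seconds) above which a lease is reported as long
TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")

def parse_block(tokens, i=0):
    """Build {"stmts": [[tok, ...]], "blocks": [(header_tokens, child)]} for one brace scope."""
    node, cur = {"stmts": [], "blocks": []}, []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == ";":
            if cur:
                node["stmts"].append(cur)
            cur = []
        elif tok == "{":
            child, i = parse_block(tokens, i)
            node["blocks"].append((cur, child))
            cur = []
        elif tok == "}":
            break
        else:
            cur.append(tok)
    return node, i

def scope_settings(node, inherited):
    """Options and lease time declared in this scope override the inherited ones."""
    s = dict(inherited)
    for st in node["stmts"]:
        if st[0] == "option" and len(st) >= 3:
            s["option:" + st[1]] = st[2:]
        elif st[0] == "default-lease-time" and len(st) == 2:
            s["lease"] = int(st[1])
    return s

def collect_subnets(node, inherited=None, out=None):
    """Walk shared-network and subnet blocks; record each subnet's ranges and effective settings."""
    out = [] if out is None else out
    settings = scope_settings(node, inherited or {})
    for header, child in node["blocks"]:
        if header[:1] == ["subnet"] and len(header) == 4:
            net = ipaddress.ip_network(f"{header[1]}/{header[3]}")
            ranges = []
            for st in child["stmts"]:
                if st[0] == "range":  # 'range lo hi;' or 'range addr;' (optionally 'dynamic-bootp')
                    addrs = [t for t in st[1:] if t != "dynamic-bootp"]
                    ranges.append((int(ipaddress.ip_address(addrs[0])), int(ipaddress.ip_address(addrs[-1]))))
            out.append({"net": net, "ranges": ranges, "settings": scope_settings(child, settings)})
        elif header[:1] == ["shared-network"]:
            collect_subnets(child, settings, out)
    return out

def audit(configs):
    """configs: {server_name: dhcpd.conf text}. Returns a list of human-readable findings."""
    findings, all_ranges = [], []
    for server, text in configs.items():
        root = parse_block(TOKEN.findall(re.sub(r"#.*", "", text)))[0]  # strip comments, tokenise
        if ["authoritative"] not in root["stmts"]:
            findings.append(f"{server}: not declared authoritative")
        for sub in collect_subnets(root):
            net, s = sub["net"], sub["settings"]
            for opt in REQUIRED_OPTIONS:
                if "option:" + opt not in s:
                    findings.append(f"{server}: {net} has no 'option {opt}'")
            if s.get("lease", 0) > LONG_LEASE:
                findings.append(f"{server}: {net} lease {s['lease']}s exceeds {LONG_LEASE}s")
            all_ranges += [(server, lo, hi) for lo, hi in sub["ranges"]]
    # Ranges sharing any address can hand it to two clients, since servers do not share lease state.
    for i, (s1, lo1, hi1) in enumerate(all_ranges):
        for s2, lo2, hi2 in all_ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                span = f"{ipaddress.ip_address(max(lo1, lo2))}-{ipaddress.ip_address(min(hi1, hi2))}"
                findings.append(f"overlap: {s1} vs {s2} at {span}")
    return findings
```

Running `audit({"dhcp1": CONF_DHCP1, "dhcp2": CONF_DHCP2})` reports that dhcp1 is not authoritative, that its 10.1.0.0/24 subnet has no DNS option and a 30-day lease, and that the two servers' ranges overlap at 10.1.0.150-10.1.0.200; dhcp2 alone is clean because the guest subnet inherits its DNS servers from the global scope. The parser only handles `range` statements placed directly in a subnet; ranges inside `pool { }` blocks, `host` declarations and the whole `class`/`group` machinery are ignored, so treat it as a pre-flight check rather than a replacement for `dhcpd -t`.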
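For the utilisation point, as a second added example (again not from the article), this Python monitor reads a dhcpd.leases-style file and reports per-pool usage so that a pool filling up is noticed before the first "no address available" trouble ticket. The lease records, the pool boundaries, the fixed timestamp and the 80% warning threshold are all constructed for illustration; the record format follows ISC dhcpd's lease database, where the file is append-only and the newest record for an address wins.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed dhcpd.leases excerpt (not from a real server). Each record is written on one
# line for brevity; dhcpd itself writes one statement per line. Times are UTC, as dhcpd writes
# them. The file is append-only, so a later record for the same address supersedes earlier ones.
SAMPLE_LEASES = """
lease 10.2.0.20 { starts 1 2024/01/01 08:00:00; ends 1 2024/01/01 08:10:00; binding state active; }
lease 10.2.0.20 { starts 1 2024/01/01 08:10:00; ends 1 2024/01/08 08:10:00; binding state active; hardware ethernet 00:11:22:33:44:55; }
lease 10.2.0.21 { ends 1 2024/01/08 08:00:00; binding state active; }
lease 10.2.0.22 { ends 1 2024/01/08 08:00:00; binding state active; }
lease 10.2.0.23 { ends never; binding state active; }
lease 10.2.0.24 { ends 1 2024/01/01 09:00:00; binding state active; }
lease 10.1.0.50 { ends 1 2024/01/08 08:00:00; binding state active; }
lease 10.1.0.50 { ends 1 2024/01/08 08:00:00; binding state free; }
lease 10.1.0.51 { ends 1 2024/01/08 08:00:00; binding state active; }
lease 10.9.9.9 { ends 1 2024/01/08 08:00:00; binding state active; }
"""
# Constructed dynamic pools (name -> first and last address), as declared in the server's config.
POOLS = {"wired-a": ("10.2.0.20", "10.2.0.24"), "wired-b": ("10.1.0.50", "10.1.0.59")}
# Fixed "now" so the example is reproducible; a real monitor would use datetime.now(timezone.utc).
NOW = datetime(2024, 1, 2, 0, 0, 0, tzinfo=timezone.utc)

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
ENDS_RE = re.compile(r"\bends\s+(?:\d\s+(\S+\s+\S+)|(never))\s*;")
STATE_RE = re.compile(r"\bbinding\s+state\s+(\w+)\s*;")

def parse_leases(text):
    """Return {ip_as_int: (binding_state, expiry_or_None)}, keeping only the newest record per IP."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        state = STATE_RE.search(body)
        ends = ENDS_RE.search(body)
        expiry = None  # None means 'ends never' (or no ends statement at all)
        if ends and ends.group(1):
            expiry = datetime.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        leases[int(ipaddress.ip_address(ip))] = (state.group(1) if state else "unknown", expiry)
    return leases

def pool_utilisation(leases, pools, now, warn_pct=80):
    """Count active, unexpired leases inside each pool; flag pools at or above warn_pct."""
    report = {}
    for name, (first, last) in pools.items():
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        size = hi - lo + 1
        # A record can still say 'active' after its end time if the server has not rewritten
        # the file yet, so the expiry is checked as well as the binding state.
        used = sum(1 for ip, (state, expiry) in leases.items()
                   if lo <= ip <= hi and state == "active" and (expiry is None or expiry > now))
        pct = round(100 * used / size, 1)
        report[name] = {"size": size, "used": used, "free": size - used, "pct": pct, "warn": pct >= warn_pct}
    return report

if __name__ == "__main__":
    for name, r in pool_utilisation(parse_leases(SAMPLE_LEASES), POOLS, NOW).items():
        flag = "WARN" if r["warn"] else "ok"
        print(f"{name}: {r['used']}/{r['size']} used ({r['pct']}%), {r['free']} free [{flag}]")
```

With the sample data, `wired-a` shows 4 of 5 addresses in use (the renewed 10.2.0.20 counts once, 10.2.0.24 has expired) and is flagged, while `wired-b` sits at 1 of 10 because 10.1.0.50 was released. Run on a real server it should be scheduled, with the pool boundaries taken from the `range` statements of the configuration rather than typed in by hand, so that the two never drift apart.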
You can hear Cricket Liu speak on deploying DNS and DHCP in the modern network at a special, free, seminar to be held in London on 7 November.