Two DHCPs on same subnet

hiddenknight821 · May 2010

I had to work on this stupid final networking project for my class that the teacher knows nothing about. I got stumped on one problem. I was not sure if this is possible to have two DHCPs running on the same subnet using different pools. I know my problem may not be right for this forum, but I need a prompt answer.

DHCP A is an DHCP server running on Windows server, allocating IP addresses from 192.168.0.10 - 192.168.0.20. The server is connected to the switch in the default VLAN.

DHCP B is actually a Cisco Aironet running DHCP server, allocating IP addresses from 192.168.0.100 - 150. The AP is connected the switch in the default VLAN as well. Also, the AP's BVI/ethernet interface gets its IP from the pool in DHCP A.

The problem is when I connected laptop to the wireless, I always get the IP address from the scope on DHCP A server instead of DHCP B. I wish the AP has some sort of NAT server to block or divide the traffic going through the interface. I tried everything. I found a workaround solution, disconnecting the AP from the switch first, then reconnect the laptop to the AP, and it finally gets it IP from the DHCP B, then I reconnected the AP to the switch, it works. I configured the DHCP B pool to lease the address infinitely. That was my only workaround solution. Do anyone knows how to solve this in a truly genuine way?

chmorin · May 2010

I'm not sure why you would WANT to do this... but it will work. Double DHCP servers are generally a very BAD thing, as it can cause confusion in your scope.

Anyway, your host will always grab the IP Address that the first DHCP server gives to it. Think of it as a race.

Host -> I Need an IP Address! (DHCP Request Broadcast)
DHCP 1 -> Want this one? (DHCP OFFER)
DHCP 2 -> How About this one? (DHCP OFFER)

If the host gets the offer from dhcp 1, it will take that address. If it gets it from dhcp 2, it will take that address. Who ever offers first, wins.

That is DHCP for yah.

dynamik · May 2010

chmorin wrote: »

I'm not sure why you would WANT to do this... but it will work. Double DHCP servers are generally a very BAD thing, as it can cause confusion in your scope.

Hm? Multiple DHCP are generally preferred for redundancy. You shouldn't have any problems as long as your scopes don't overlap. If you need to assign specific addresses, you can use DHCP reservations.

It sounds like the OP wants to put his wireless clients within a certain range. IRL, you'd probably want them on their own VLAN. I'm not very familiar with Aironet configurations. Can you configure ACLs on those interfaces?

notgoing2fail · May 2010

DHCP snooping was created to prevent stuff like this right?

chmorin · May 2010

dynamik wrote: »

Hm? Multiple DHCP are generally preferred for redundancy. You shouldn't have any problems as long as your scopes don't overlap. If you need to assign specific addresses, you can use DHCP reservations.

It sounds like the OP wants to put his wireless clients within a certain range. IRL, you'd probably want them on their own VLAN. I'm not very familiar with Aironet configurations. Can you configure ACLs on those interfaces?

Redundancy is important, but giving different ranges to the same users is useless.

You are spot on concerning VLAN's though. That is a big use for VLAN's, so that you can better organize your network as such.

dynamik · May 2010

chmorin wrote: »

Redundancy is important, but giving different ranges to the same users is useless.

Not if they're on the same subnet, which is how you'd configure them.

Say your internal network is a common class C, such as 192.168.0.0/24. You can configure a pool of 192.168.0.21-192.168.0.120 on one server, and 192.168.0.121-192.168.0.220 on the other (the actual ranges are obviously subjective). Each pool would provide the same DNS servers, gateway, and any other necessary options. Regardless of which server responds faster, the client will be correctly configured. The second response will simply be ignored. Also, new/renewing clients will still be able to obtain DHCP configuration if one of the servers goes down.

This is a recommended configuration from Microsoft and numerous other vendors: DHCP Best Practices: Dynamic Host Configuration Protocol (DHCP)

I split them 50/50 myself, as I'm concerned the server with 20% may have it's pool exhausted.

Cyanic · May 2010

Ya, I have wondered about the 80/20 rule. IMO the 80/20 only makes sense when you have the DHCP servers far apart, 80 of the scope local and the other 20 remote.

chmorin · May 2010

dynamik wrote: »

Not if they're on the same subnet, which is how you'd configure them.

Say your internal network is a common class C, such as 192.168.0.0/24. You can configure a pool of 192.168.0.21-192.168.0.120 on one server, and 192.168.0.121-192.168.0.220 on the other (the actual ranges are obviously subjective). Each pool would provide the same DNS servers, gateway, and any other necessary options. Regardless of which server responds faster, the client will be correctly configured. The second response will simply be ignored. Also, new/renewing clients will still be able to obtain DHCP configuration if one of the servers goes down.

This is a recommended configuration from Microsoft and numerous other vendors: DHCP Best Practices: Dynamic Host Configuration Protocol (DHCP)

I split them 50/50 myself, as I'm concerned the server with 20% may have it's pool exhausted.

My ignorance is showing again. I knew redundancy was important, just not how to set it up in DHCP. DOE!

In any case, the answer to his question is: Yes it is possible. And the results you were giving as a 'problem' is actually the way it is supposed to function in that environment. If he wants users from one interface to receive IP's from a different subnet, VLAN's would need to be created.

dynamik · May 2010

Cyanic wrote: »

Ya, I have wondered about the 80/20 rule. IMO the 80/20 only makes sense when you have the DHCP servers far apart, 80 of the scope local and the other 20 remote.

Agreed. I'm pretty sure that's their logic, but they really don't make it clear. You can also only configure the relay agent as-needed, to further ensure that the remote pool is only used when it's actually needed.

chmorin wrote: »

My ignorance is showing again. I knew redundancy was important, just not how to set it up in DHCP. DOE!

Heh, don't be so hard on yourself. I didn't learn about that until my third Microsoft exam. Nothing you have done so far would have covered it. I like the participation. Even if there turns out to be a better answer, you still learn something, and that's why we're here.

hiddenknight821 · May 2010

Thank you guys, but what I'm really trying to ask is how can I make my laptop gets its IP address from the AP's scope (DHCP

first rather than the DHCP A. Every time I try to connect, it always gets its address from the server (DHCP A). I tried the extended ACL but it would block some traffics that I need to let through. Is there a configuration command I can use on Cisco Aironet 1200 that will always force any wireless laptops to lease the address from the AP's DHCP first?

dynamik · May 2010

If you can configure extended ACLs, why can't you block DHCP traffic from DHCP A from going out the radio interface?

hiddenknight821 · May 2010

dynamik wrote: »

If you can configure extended ACLs, why can't you block DHCP traffic from DHCP A from going out the radio interface?

That might just work. I must have configured it incorrectly. Anyone here care to help me with the command line?

The DHCP server's IP address is: 192.168.0.5/24

Correct me if I am wrong, but I have not tried this command, and would have to wait until tomorrow during lab hours to see if it works.

ip access-list extended DENY_DHCP
deny udp 192.168.0.5 0.0.0.255 any eq 68

astorrs · May 2010

Cyanic wrote: »

Ya, I have wondered about the 80/20 rule. IMO the 80/20 only makes sense when you have the DHCP servers far apart, 80 of the scope local and the other 20 remote.

No the reason is if the 80% server goes down, the 20% server can still issue new leases during the time it takes you to get the server back up and running (because of the lease time - which is usually somewhere between 8 and 30 days depending on client turnover at the site).

I know very few large companies who continue to do remote DHCP, most have, or are in the process of, centralizing it to their large datacenters, where a small number of devices/servers handle all the clients being served from that facility.

Forsaken_GA · May 2010

hiddenknight821 wrote: »

Thank you guys, but what I'm really trying to ask is how can I make my laptop gets its IP address from the AP's scope (DHCP first rather than the DHCP A. Every time I try to connect, it always gets its address from the server (DHCP A). I tried the extended ACL but it would block some traffics that I need to let through. Is there a configuration command I can use on Cisco Aironet 1200 that will always force any wireless laptops to lease the address from the AP's DHCP first?

Well, it depends.

The way it works is that the client will accept the first DHCPOFFER that it receives, so whichever service responds first is the one that the client is going to get it's IP from. It's just the nature of a broadcast medium. The only way you can really influence it is through traffic engineering or configuration. Depending on what you're using for a server on DHCP A, you might be able to configure it to ignore the MAC of your laptop, so that while DHCP A might be the first to see the broadcast frame, if it doesn't respond to it, DHCP B will be the one to make the offer

astorrs · May 2010

astorrs wrote: »

No the reason is if the 80% server goes down, the 20% server can still issue new leases during the time it takes you to get the server back up and running (because of the lease time - which is usually somewhere between 8 and 30 days depending on client turnover at the site).

I know very few large companies who continue to do remote DHCP, most have, or are in the process of, centralizing it to their large datacenters, where a small number of devices/servers handle all the clients being served from that facility.

dynamik reminded me I need to clarify the above point. The 80/20 rule today where all scopes are is in one facility only applies to new DHCP servers/appliances (like Windows 2008 R2) where a delay can be set for the second server. Otherwise it's more of a legacy thing as others have mentioned for supporting branch offices.

Figure 1: Delay option in Windows Server 2008 R2

Previous to a delay option being available, when centralizing DHCP I always put up either 50/50 split, an MSCS cluster (using an existing physical cluster with spare cycles), or a virtual machine where "they didn't care if it went down for a little while".

Sorry for any confusion.

Two DHCPs on same subnet

Comments