Top DHCP Best Practices

  1. Use DHCP Failover

The high availability of a DHCP server can be maintained with the help of a technology called DHCP failover. With DHCP failover, two DHCP servers share DHCP information with one another. This ensures that even if one of the servers goes offline, the clients will still have access to DHCP leases.

The Windows server operating system comes pre-installed with a failover option for the DHCP service. The following image demonstrates the installation of two DHCP servers that have been set up with load balance failure mode. In the event that one server goes down, the second server continues to function normally and takes over all DCHP requests.

There are two different possibilities for the failover design:

Hot standby design

One of the servers acts as the active server when the hot standby mode is being used, and the other server acts as a standby. The active server is the principal server that manages all DHCP requests and is always the one that is active. The DHCP queries are handled by the standby server in the event that the current server becomes inaccessible.

This choice is typically selected when the active and standby units are located in separate physical locations from one another.

Load balance design

When the load balancing mode is engaged, both servers respond to DHCP queries in an active-active manner. The requests are split evenly between the two DHCP servers in order to distribute the load. In the event that one of the servers is unable to communicate with its failover partner, that server will start handing out leases to all DHCP customers.

2.The use of subnetting, as well as the advantages of network segmentation

I’m not going to go into great into on subnetting because there are a lot of sites out there that cover that topic.

However… in order to configure DHCP ports  scopes effectively, a fundamental knowledge of networks is extremely helpful.

You shouldn’t connect all of your devices to a single massive DHCP pool; rather, you should divide your devices up into their own distinct networks. This also relies on the size of your network; if you have a small network, network segmentation is not nearly as significant as it would be with a larger network.

The advantages of dividing a network up into segments include:

You will have a greater degree of control over the network if you maintain the devices on their own distinct networks. Do your printers require internet connectivity to function properly? Almost certainly not. There is no requirement at all for the computers in the human resources department to communicate directly with the computers in the finance department. By putting each type of device on its own network, you will have a great deal more control over the access they have.

Attackers and viruses can be slowed down significantly by restricting their ability to travel laterally within the network. It is essential to enable firewalls or access control lists at the network level in order to restrict users’ ability to move laterally within the network.

Efficiency of the network

By connecting everything to a single, massive network, a massive broadcast domain will be produced. This could result in a wide variety of problems, including spanning tree loops, broadcast storms, and multicast storms. By segmenting your networks, you can lessen the likelihood of experiencing performance issues by breaking up the broadcast domains.

Control visitor/guest access

It is not desirable for your guest network to have access to the secure network that you use. You will have the ability to filter this traffic and prevent access to your internal network if you separate this traffic to its own network.  In addition to that, I utilize the guest network for Internet of Things–style devices that merely require an internet connection.

  1. Backup DHCP Server

When it comes to giving IP settings to your clients, your DHCP servers are really necessary. In the case that the computer system fails, you will need to restore this server as quickly as you can.

Did you know that by default, Windows will make a copy of the DHCP configuration and save it to this folder located at %SystemRoot%System32DHCPbackup every sixty minutes?

This is wonderful, but it will be of no use to you if the server goes down and you are unable to access the folder.

In the event that you do not have any off-site replication in place, you will need to make a regular copy of the backup folder to another location on a predetermined schedule.

Either by use PowerShell to specify a remote destination or by utilizing a script that copies the folder to a different location, this can be accomplished.

a backup of the DHCP server with the computer name “DC01” -Path in the format “C:DHCPBackup”

In my article titled “Backup and Restore Windows DHCP Server,” I go into further detail on this topic.

  1. DHCP MAC Address Filtering

Through the use of the DHCP MAC address filtering tool, you will be able to restrict or enable the issuance of IP addresses depending on MAC addresses.

This is helpful if you want a DHCP scope to deliver IP addresses to a certain list of devices and you want to do it explicitly. It is also helpful in situations in which undesirable devices on a VLAN are assigned an IP address.

For instance, you may have users who are putting their own personal devices (BYOD) on your protected VLAN. You have the option of include these items in the deny filter. Controlling access to the network in a quick and easy manner can be accomplished through the use of DHCP MAC filtering. Utilizing 802.1x is the superior choice if you are in possession of the necessary time and resources.

Related Articles

Leave a Reply

Back to top button