How Do You DHCP?

Carlosinfl

I have a LAN at work where I manage about 150-200 machines that are all on the 10.1.10.x network and our servers are on the 10.1.1.x network.

I am wondering how or what would you guys suggest as the most effective and or smart way to assign IP's out to clients on your LAN?

I am asking because I inherited a system which is beyond frustrating and makes no sense. The system now in place is a DHCP server on Linux that runs LDAP. It basically assigns you the same IP that is bound to your MAC address in the DHCP server. So this way the client is always set dynamically and when it sends a request to DHCP, it gets the IP assigned to it in dhcpd.conf.

The problem with this is I am always having to search for available IPs to bind to a new MAC and it just gets cumbersome and messy. I do like the fact that if you try and connect to the LAN with a MAC not in the dhcpd.conf, you're assigned a 10.1.2.x IP which is not routable to the Internet.

What do you guys do? Any suggestions? My boss is pointing to Windows Server 2003 managing our DHCP process; however, I would like to keep Linux, but right now I just want a simple solution and process.
 
I use W2K3 DHCP and I don't bind anything to MACs (they're called reservations in 200x).

Where is this 10.1.2.x coming into play? If it's not used, remove it and have the 10.1.10.x be the primary scope, no MAC reservations required.
 
strange that the previous admin would go to that much trouble, but i see 2 possibilities.

1) he didn't know the basic behavior of the DHCP request/assign process:

hi. here i am!!!! id like to have an ip, anyone out there?? just in case yes, i used to have IP x.x.x.x, and if its still available, it would sure make my day to have it again!

hi, i am here. i have IPs to give. one sec while i check my database to see if the ip you ask for is on my network, and if its available.

[time passes]

yes, the ip you request is available. would you like to have it?

yesSSS!!!! im IP x.x.x.x again!!! whoop!

generally, unless you have more clients than you have ips, you have a *very* good chance of getting the ip you previously had back, even if you shutdown for a while.


possibility 2, is the former admin set this whole thing up so that computers that do not belong or are not recognized (ie, unauthorized) cannot have use of the internet (and likely other company resources).

my advice would be, before you go changing things, i would find out exactly why he set it up like it was. perhaps the company has these sort of requirements. (we do something similar with unknown wireless clients... we force them directly to the internet onto a DMZ network, and give no access to our inside network).

remember, that company resources might not necessarily be yours to do with as you like, so i would advise the appropriate amount of research to find out why things are the way they are, and if its ok if they are changed to something else. (the answer might be no... keep your newb hands off!!!)
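The exchange described in the post above (DISCOVER with a "can I have my old address back?" hint, OFFER, REQUEST, ACK) as a small runnable model. This is an added example, not code from the thread or from any DHCP server; the pool, MACs and clock values are constructed, and `ToyDhcpServer`, `exchange` and `scenario` are hypothetical names. It shows the point the post makes: while the pool is not oversubscribed a returning client gets its old address, and only when someone else has taken it in the meantime does it get a different one.

```python
"""Toy DHCP lease logic illustrating the DISCOVER/OFFER/REQUEST/ACK exchange.

Added example, not code from the thread. Addresses, MACs and timings are
constructed; a real dhcpd tracks more state (declines, pings, release) than this.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    mac: str
    expires: float  # seconds on whatever clock the caller passes as `now`


class ToyDhcpServer:
    def __init__(self, first, last, lease_time=3600):
        start = ipaddress.ip_address(first)
        count = int(ipaddress.ip_address(last)) - int(start) + 1
        self.pool = [str(start + i) for i in range(count)]  # constructed scope
        self.lease_time = lease_time
        self.leases = {}  # ip -> Lease

    def _available(self, ip, mac, now):
        """Free, expired, or already held by this very MAC."""
        lease = self.leases.get(ip)
        return lease is None or lease.mac == mac or lease.expires <= now

    def discover(self, mac, now, requested=None):
        """DISCOVER -> address the server would OFFER (None if pool exhausted)."""
        # 1. "I used to have x.x.x.x, could I have it again?" (requested-IP option)
        if requested in self.pool and self._available(requested, mac, now):
            return requested
        # 2. Anything this MAC still holds a live lease on.
        for ip, lease in self.leases.items():
            if lease.mac == mac and lease.expires > now:
                return ip
        # 3. Otherwise the first address nobody holds.
        for ip in self.pool:
            if self._available(ip, mac, now):
                return ip
        return None

    def request(self, mac, ip, now):
        """REQUEST for the offered address -> 'ACK' (lease written) or 'NAK'."""
        if ip in self.pool and self._available(ip, mac, now):
            self.leases[ip] = Lease(mac, now + self.lease_time)
            return "ACK"
        return "NAK"


def exchange(server, mac, now, requested=None):
    """Full client round trip; returns the address bound, or None."""
    offer = server.discover(mac, now, requested)
    if offer is None:
        return None
    return offer if server.request(mac, offer, now) == "ACK" else None


def scenario():
    """Three-address pool, three clients: who gets their old address back?"""
    srv = ToyDhcpServer("10.1.10.50", "10.1.10.52", lease_time=3600)
    a1 = exchange(srv, "00:00:5e:00:53:0a", now=0)  # A gets .50
    b1 = exchange(srv, "00:00:5e:00:53:0b", now=0)  # B gets .51
    # A day later every lease has expired. A comes back asking for its old address.
    a2 = exchange(srv, "00:00:5e:00:53:0a", now=90000, requested=a1)
    # A newcomer C shows up and is handed the first unclaimed address (.51).
    c1 = exchange(srv, "00:00:5e:00:53:0c", now=90000)
    # B returns asking for .51, but C now holds it, so B ends up on .52.
    b2 = exchange(srv, "00:00:5e:00:53:0b", now=90001, requested=b1)
    return {"a1": a1, "b1": b1, "a2": a2, "c1": c1, "b2": b2}


if __name__ == "__main__":
    for step, ip in scenario().items():
        print(step, ip)
```

The MACs use the 00:00:5E:00:53:xx block reserved for documentation. Note that nothing in this logic checks who the client is: the requested-address hint is honoured purely on availability, which is exactly why a MAC-to-address table in dhcpd.conf is an inventory convenience rather than access control.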
 
First step is VERY critical....

1. Start talking to end users from different departments in your company. Find out what the repercussions would be if you started changing things.

2. Document the structure in writing and analyze what you want to change.

Your boss is correct in going with a win2k3 server for DHCP. If you already have one...it's very simple to activate DHCP.
 
He may have done that for tracking purposes, but you can locate and connect to any machine by checking WINS to see what machine has what IP.
 
He may have done that for tracking purposes, but you can locate and connect to any machine by checking WINS to see what machine has what IP.

Don't even need WINS, just view active DHCP leases. They include the hostname.
 
He may have done that for tracking purposes, but you can locate and connect to any machine by checking WINS to see what machine has what IP.

WINS is only needed if you have a mixed environment and you have pre-Win2k machines.
 
true, and that's what I have...though we should be able to dump it after this next round of upgrades :cool:
 
We do want to restrict unknown machines on the LAN. This is a DoD LAN so many people bring in their laptops running who knows what and that is why if I don't know their MAC address, they try and jack into the LAN, the DHCP server sees an unfamiliar MAC and assigns him a 10.1.2.x IP which basically goes nowhere.
 
Since you are wanting to restrict unknown machines on the LAN, I would leave it as is, but make sure your documentation procedures are easy to follow, and are followed. So when you decommission a laptop, it is also pulled out of the DHCP scope.

I would also maybe change the dhcp.conf file a bit, put unused IPs at the bottom, so when you decommission a laptop its IP is cut and pasted to the bottom of the list with the # or what have you in front of the line so you know it won't be read. Then when you bring up a new machine on the network you edit one of the bottom lines under the #Un-Used IP header, and then cut and paste it up to the top area where the Used IPs are kept.

Though that isn't the most elegant solution, I think with a little time and effort a better plan could be found.
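The cut-and-paste bookkeeping described in the post above, and the original poster's complaint about hunting for free addresses to bind to a new MAC, can be scripted against the config file. This is an added example, not code from the thread; the dhcpd.conf it works on is constructed in ISC dhcpd syntax (assumed from the dhcpd.conf mention), the one-line `host` entries and the `Un-Used IPs` comment block are assumptions about layout, and `parse_hosts`, `find_conflicts` and `allocate` are hypothetical helper names. It reuses a retired address first, falls back to the lowest free one, refuses a MAC that is already active, and flags two hosts bound to one IP or one MAC.

```python
"""Bookkeeping for a MAC-bound ISC dhcpd.conf (added example, constructed data)."""
import ipaddress
import re

# Constructed sample config. Only the 10.1.10.x / 10.1.2.x layout mirrors the thread.
SAMPLE_CONF = """\
shared-network office {
  # Known machines (those with a host entry below) get their fixed-address here;
  # there is deliberately no dynamic range in this subnet.
  subnet 10.1.10.0 netmask 255.255.255.0 {
    option routers 10.1.10.1;
    option domain-name-servers 10.1.1.5;
  }
  # A MAC with no host entry is "unknown" to dhcpd and is parked here.
  subnet 10.1.2.0 netmask 255.255.255.0 {
    pool {
      allow unknown-clients;
      range 10.1.2.10 10.1.2.250;
    }
  }
}

# --- Used IPs ---
host ws-alice { hardware ethernet 00:00:5e:00:53:01; fixed-address 10.1.10.20; }
host ws-bob   { hardware ethernet 00:00:5e:00:53:02; fixed-address 10.1.10.21; }
host ws-dave  { hardware ethernet 00:00:5e:00:53:04; fixed-address 10.1.10.23; }

# --- Un-Used IPs (retired; the leading # hides them from dhcpd) ---
#host lt-carol { hardware ethernet 00:00:5e:00:53:03; fixed-address 10.1.10.22; }
"""

HOST_RE = re.compile(
    r"host\s+(?P<name>[\w.-]+)\s*\{[^}]*?hardware\s+ethernet\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2});"
    r"[^}]*?fixed-address\s+(?P<ip>\d+\.\d+\.\d+\.\d+);[^}]*\}",
    re.S,
)
ROUTER_RE = re.compile(r"option\s+routers\s+(\d+\.\d+\.\d+\.\d+);")


def split_comments(conf):
    """Return (code, comments): what dhcpd reads, and what sits behind '#'."""
    code, comments = [], []
    for line in conf.splitlines():
        head, hash_, tail = line.partition("#")
        code.append(head)
        if hash_:
            comments.append(tail)
    return "\n".join(code), "\n".join(comments)


def parse_hosts(conf):
    """Map host name -> (mac, ip), once for active and once for commented-out entries."""
    code, comments = split_comments(conf)

    def scan(text):
        return {m["name"]: (m["mac"].lower(), ipaddress.ip_address(m["ip"]))
                for m in HOST_RE.finditer(text)}

    return scan(code), scan(comments)


def find_conflicts(hosts):
    """IPs or MACs bound to more than one active host (two boxes, one address)."""
    seen_ip, seen_mac, conflicts = {}, {}, []
    for name, (mac, ip) in hosts.items():
        if ip in seen_ip:
            conflicts.append(("ip", str(ip), seen_ip[ip], name))
        if mac in seen_mac:
            conflicts.append(("mac", mac, seen_mac[mac], name))
        seen_ip.setdefault(ip, name)
        seen_mac.setdefault(mac, name)
    return conflicts


def allocate(conf, name, mac, scope=ipaddress.ip_network("10.1.10.0/24"), first=20):
    """Pick an address for a new MAC and render its host entry.

    Prefers an address from the retired list, else the lowest free address at or
    above host number `first`; never hands out the router or an active address.
    """
    mac = mac.lower()
    active, retired = parse_hosts(conf)
    if any(m == mac for m, _ in active.values()):
        raise ValueError(f"{mac} already has an active host entry")
    code, _ = split_comments(conf)
    used = {ip for _, ip in active.values()}
    used |= {ipaddress.ip_address(r) for r in ROUTER_RE.findall(code)}
    candidates = sorted(ip for _, ip in retired.values() if ip in scope and ip not in used)
    if not candidates:
        base = int(scope.network_address)
        candidates = [ip for ip in scope.hosts() if int(ip) - base >= first and ip not in used]
    if not candidates:
        raise RuntimeError(f"no free address left in {scope}")
    ip = candidates[0]
    return ip, f"host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}"


if __name__ == "__main__":
    active, retired = parse_hosts(SAMPLE_CONF)
    print("active:", {n: str(ip) for n, (_, ip) in active.items()})
    print("conflicts:", find_conflicts(active))
    print("new entry ->", allocate(SAMPLE_CONF, "lt-erin", "00:00:5e:00:53:05")[1])
```

Run it as a pre-commit check on the config and the "is this IP free?" search goes away; the conflict check is the one worth keeping even if the rest is replaced, since a duplicated fixed-address is the classic way a hand-edited dhcpd.conf takes two machines down at once. The MACs are from the 00:00:5E:00:53:xx documentation block. Keep in mind what this table is: a MAC with a host entry is merely "known" to dhcpd, so the 10.1.2.x parking lot keeps honest laptops off the LAN but does not authenticate anyone.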
 
If someone knows the IP layout for your network, what's to stop them from statically assigning themselves an IP and connecting to your network?
 