On most networks, DHCP is a critical networking service. When the DHCP service is offline, most clients cannot obtain an address and may be unable to work at all. For most organizations, building redundancy, reliability, and security into the DHCP service helps prevent unexpected DHCP-related network outages.
Windows Server 2012 builds on the DHCP server service of previous releases with several features that improve DHCP reliability and security, as outlined in the following sections.
Link-Layer Filtering
Link-layer filtering, also called MAC address filtering, is a feature of the Windows Server 2012 DHCP service that can be enabled to provide a higher level of control over who receives a DHCP lease.
Link-layer filtering restricts which devices are allowed, and which are denied, the ability to obtain a lease from the DHCP server based on their MAC address. For this feature to function, the server must have the Allow and/or Deny link-layer filter lists enabled, and the lists must be populated.
In many DHCP deployments, it is cumbersome for administrators to manually enter each network-connected device's MAC address before that device can be granted a lease, so link-layer filtering may seem out of reach. One way to avoid this problem is to deploy DHCP in a phased approach. First, deploy the DHCP service with link-layer filtering disabled. Later, after all clients have connected to the network and obtained leases, add those leases to the filter lists. The same can be done with DHCP reservations. For example, suppose you set up a DHCP scope on Monday morning and by that afternoon most of your clients have obtained a lease. You can select and right-click a single current lease or a set of them, select Add to Filter, and then select Allow or Deny depending on which filter list you want the system on, as shown in Figure 1.
Figure 1. Adding a DHCP lease to the Allowed link-layer filter list
After adding all your leases to the appropriate filter list, right-click the IPv4 node in the DHCP console and select Properties. On the Filters tab, select the check boxes to enable the Allow list, the Deny list, or both, as desired.
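The phased rollout just described can be scripted with the DhcpServer PowerShell module that ships with Windows Server 2012. The following is an added example, not code from the original article; the scope ID 10.1.1.0 is a placeholder for your own scope.

```powershell
# Added example (not from the original article): seed the Allow list from
# the leases the scope has already handed out, then switch the list on.
# Assumption: scope 10.1.1.0 is a placeholder for your own scope ID.
Import-Module DhcpServer
$ScopeId = '10.1.1.0'

# Normalise MAC strings so lease ClientIds and filter entries compare cleanly
# regardless of separator or letter case.
function Get-NormalizedMac ([string]$Mac) {
    return ($Mac -replace '[-:]', '').ToUpperInvariant()
}

# Phase 1 has already happened: the scope ran with both lists disabled, so
# every client on the segment holds a lease. Confirm the lists are still off.
Get-DhcpServerv4FilterList

# Phase 2: add every active lease (and active reservation) to the Allow list.
# Entries already present are skipped so the script can be re-run safely.
$allowed = @{}
foreach ($f in (Get-DhcpServerv4Filter -List Allow)) {
    $allowed[(Get-NormalizedMac $f.MacAddress)] = $true
}
$leases = Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { $_.AddressState -like 'Active*' }
$added = 0
foreach ($lease in $leases) {
    $mac = Get-NormalizedMac $lease.ClientId
    if ($allowed.ContainsKey($mac)) { continue }
    Add-DhcpServerv4Filter -List Allow -MacAddress $lease.ClientId `
        -Description ('Seeded from lease {0} ({1})' -f $lease.IPAddress, $lease.HostName)
    $allowed[$mac] = $true
    $added++
}
Write-Host ("Added {0} MAC addresses to the Allow list" -f $added)

# Phase 3: enable the Allow list (the same as the Filters tab check box).
# From this point a MAC that is not on the list is refused a lease, so
# review the list before running this line.
Set-DhcpServerv4FilterList -Allow $true
Get-DhcpServerv4FilterList
```

Review the Allow list output before enabling it; any device that had not yet leased an address when the list was seeded will be refused until its MAC address is added.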
DHCP Reservations
A DHCP reservation is a predefined relationship between an IP address and a system's MAC address. With this configuration a system remains configured for DHCP, but it always receives the same IP address that is predefined, or reserved, for it, hence the name. Reservations are quite useful on business networks for mobile devices and printers: the device or printer can always be reached at the same IP address for access, remote management, and so on. At the same time, if that printer or mobile device moves to another office or network, it is still DHCP-ready and connects to the new network without manual network configuration.
Using DHCP reservations together with link-layer filtering lets a DHCP administrator quickly identify new or unknown machines and block their access. For example, known machines can be granted leases, all of those leases can then be converted to reservations and added to the Allow filter list, and finally an IP address exclusion range can be created for every address not defined in the reservation list, which effectively stops any new leases from being issued. The only drawback of this scenario is that when a new, legitimate machine joins the network, the DHCP scope needs to be adjusted before that system can connect. In addition, when a machine has both a wireless and a wired network card, each card requires its own reservation.
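The lockdown described above, as an added example that is not part of the original article: active leases are converted to reservations and every unreserved address in the scope's distribution range is then excluded. The scope ID 10.1.1.0 is a placeholder; the example assumes the DhcpServer module and that no exclusion ranges exist yet in the scope.

```powershell
# Added example (not from the original article): convert active leases to
# reservations, then exclude every unreserved address so no new lease can
# be handed out. Scope 10.1.1.0 is a placeholder for your own scope.
Import-Module DhcpServer
$ScopeId = '10.1.1.0'

# Step 1: convert each active lease to a reservation (the console's
# "Add to Reservation" action); lease objects pipe straight into the cmdlet.
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { $_.AddressState -eq 'Active' } |
    Add-DhcpServerv4Reservation

# Helpers to walk the address range numerically (Int64 avoids overflow).
function ConvertTo-Int64Address ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] * 16777216) + ([int64]$b[1] * 65536) + ([int64]$b[2] * 256) + [int64]$b[3]
}
function ConvertFrom-Int64Address ([int64]$N) {
    return '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255), (($N -shr 8) -band 255), ($N -band 255)
}

# Step 2: collect the reserved addresses and the scope's distribution range.
$scope    = Get-DhcpServerv4Scope -ScopeId $ScopeId
$reserved = @{}
foreach ($r in (Get-DhcpServerv4Reservation -ScopeId $ScopeId)) {
    $reserved[(ConvertTo-Int64Address $r.IPAddress.IPAddressToString)] = $true
}
$start = ConvertTo-Int64Address $scope.StartRange.IPAddressToString
$end   = ConvertTo-Int64Address $scope.EndRange.IPAddressToString

# Step 3: find each contiguous run of unreserved addresses and exclude it.
$runStart = $null
$excluded = @()
for ($n = $start; $n -le $end; $n++) {
    if (-not $reserved.ContainsKey($n)) {
        if ($null -eq $runStart) { $runStart = $n }
    } elseif ($null -ne $runStart) {
        $excluded += ,@($runStart, ($n - 1))
        $runStart = $null
    }
}
if ($null -ne $runStart) { $excluded += ,@($runStart, $end) }

foreach ($range in $excluded) {
    $from = ConvertFrom-Int64Address $range[0]
    $to   = ConvertFrom-Int64Address $range[1]
    Write-Host ("Excluding {0} - {1}" -f $from, $to)
    Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $from -EndRange $to
}
```

Run this once per scope; Add-DhcpServerv4ExclusionRange rejects a range that overlaps an existing exclusion, and, as the text notes, a new legitimate machine later requires a reservation plus a matching adjustment of the exclusion ranges.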
You can create DHCP reservations using two different processes. The first and most common is to create a reservation manually; the second, much easier, process is to convert an existing DHCP lease into a reservation. To manually create a DHCP reservation, follow these steps:
1. Collect the MAC address of the system that will be associated with this reservation. On a Windows machine you can do this at a command prompt by running ipconfig /all and recording the Physical Address entry.
2. Open the DHCP console and expand the IPv4 node.
3. Expand the desired scope, select and right-click the Reservations node, and select New Reservation.
4. Enter a descriptive name, IP address, and MAC address for the system, and click Add to create the reservation, as shown in Figure 2.
Figure 2. Manually creating a DHCP reservation.
5. When that
reservation is completed, the window clears to allow for another
reservation to be created. Click Close to return to the DHCP console.
To create a reservation
from an existing lease, simply open the IPv4 scope and select the
Address Leases node in the tree pane, locate the lease in the center
pane, right-click the desired lease or multiple leases, and select Add
to Reservation.
This completes the reservation-creation process.
Configuring Reservation-Specific DHCP Scope Options
Sometimes devices on the same network require different DHCP scope options. One example is a kiosk machine that should not receive a default gateway, or an IP phone that requires additional options that are not wanted on all DHCP clients. This can be accomplished with reservation-specific DHCP scope options. To create a reservation-specific option, first create the reservation, then expand the scope's Reservations node in the tree pane, select the desired reservation, and select Configure Options. Select and configure the desired options and save the changes by clicking OK. When configured, these reservation-specific options override both scope and server options.
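The manual reservation steps and the reservation-specific options above, combined in one added example that is not code from the original article. It creates a reservation for an IP phone and gives only that phone a TFTP server and boot file; the scope ID, addresses, MAC address, and host names are placeholders.

```powershell
# Added example (not from the original article): a manual reservation for
# an IP phone, followed by reservation-specific options that override the
# scope-level value for that one device. All values below are placeholders.
Import-Module DhcpServer
$ScopeId  = '10.1.1.0'
$PhoneIp  = '10.1.1.50'
$PhoneMac = '00-1B-2C-3D-4E-5F'   # constructed; take it from ipconfig /all on the device

# Step 1: the manual reservation (descriptive name, IP address, MAC address).
Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $PhoneIp -ClientId $PhoneMac `
    -Name 'lobby-ipphone-01' -Description 'IP phone; needs TFTP boot options'

# Step 2: options every client in the scope receives: router, DNS, and a
# generic TFTP server via standard option 66 (Boot Server Host Name).
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router 10.1.1.1 -DnsServer 10.1.1.10
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 66 -Value 'tftp-general.corp.example'

# Step 3: reservation-specific options. Option 66 here overrides the scope
# value for this phone only; option 67 (Bootfile Name) exists only here.
Set-DhcpServerv4OptionValue -ReservedIP $PhoneIp -OptionId 66 -Value 'tftp-voice.corp.example'
Set-DhcpServerv4OptionValue -ReservedIP $PhoneIp -OptionId 67 -Value 'phone-config.cfg'

# Step 4: compare what is configured at each level. The phone is offered the
# reservation values; every other client still gets the scope values.
'--- scope-level options ---'
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Select-Object OptionId, Name, Value
"--- options configured on reservation $PhoneIp ---"
Get-DhcpServerv4OptionValue -ReservedIP $PhoneIp | Select-Object OptionId, Name, Value
```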