module 4 - assign ip address using dynamic host configuration protocol (dhcp)

8/12/2019 Module 4 - Assign IP Address Using Dynamic Host Configuration Protocol (DHCP)

1/46

Ing. Rayner Durango E. MsigMCSE, MCT

Module 4 Allocating IPAddressing by Using Dynamic

Host Configuration Protocol


2/46

Overview

Adding and Authorizing the DHCP ServerService.

Configuring a DHCP Scope.

Configuring DHCP Reservations andOptions.

Configuring a DHCP Relay Agent.

Configuring DHCP Policies.

IP Address Management

Fuente: Microsoft Official Curriculum Course 2277


3/46

Adding and Authorizing the DHCP Server Service

Why Use DHCP? What Is Automatic Private IP Addressing?

How DHCP Allocates IP Addresses

How the DHCP Lease Generation ProcessWorks

How the DHCP Lease Renewal ProcessWorks

How a DHCP Server Service Is Authorized



4/46

Why Use DHCP?


DHCP reduces the complexity and amount of administrative work by usingautomatic TCP/IP configuration

Manual TCP/IP Configuration

IP addresses are entered manuallyIP address could be enteredincorrectly

Communication and networkissues can result

Frequent computer movesincrease administrative effort

Automatic TCP/IP Configuration

IP addresses are supplied

automatically

Correct configuration informationis ensured

Client configuration is updatedautomatically

A common source of networkproblems is eliminated


5/46

What Is Automatic Private IP Addressing?


APIPA automatically self-configures addresses when there is noDHCP server available

Advantages

Serves as a DHCP server failovermechanism for small networks

Automatically assigns an IPaddress in a specific range

Disadvantages

Forces assignment of addressestypically not used

Conceals possible connectivityproblems

Does not work outside 169.254.x.xsubnet

Is not routable


6/46

How DHCP Allocates IP Addresses


DHCP Server

DHCPDatabase

IP Address1: Leased to DHCP Client1

IP Address2: Leased to DHCP Client2

IP Address3: Available to be leased

DHCP Client2:IP configurationfrom DHCP server

Non-DHCP Client:Static IPconfiguration

DHCP Client1:IP configurationfrom DHCP server

Lease Renewal

Lease Generation


7/46

How the DHCP Lease Generation Process Works


DHCP client broadcasts a DHCPDISCOVER

packet1

DHCP servers broadcast a DHCPOFFER packet2

DHCP client broadcasts a DHCPREQUESTpacket3

DHCP Server1 broadcasts a DHCPACK packet4

DHCPClient

DHCPServer1

DHCPServer2

DHCP client broadcasts a DHCPDISCOVER packet1

DHCP servers broadcast a DHCPOFFER packet2

DHCP client broadcasts a DHCPREQUEST packet3

DHCP Server1 broadcasts a DHCPACK packet4

DHCPClient

DHCPServer1

DHCPServer2


8/46

How the DHCP Lease Renewal Process Works


DHCP ClientDHCPServer1

DHCPServer2

DHCP Client sends a DHCPREQUEST packet1

DHCP Server1 sends a DHCPACK packet2

50% of leaseduration hasexpired

87.5% oflease durationhas expired

100% oflease durationhas expired

If the client fails to renew its lease, after 50% ofthe lease duration has expired, then the DHCPlease renewal process will begin again after87.5% of the lease duration has expired

If the client fails to renew its lease, after 87.5%of the lease has expired, then the DHCP leasegeneration process starts over again with aDHCP client broadcasting a DHCPDISCOVER

DHCP ClientDHCPServer1

DHCPServer2

DHCP client sends a DHCPREQUEST packet1

DHCP Server1 sends a DHCPACK packet2

50% of leaseduration hasexpired


9/46

How a DHCP Server Service Is Authorized


DomainController

ActiveDirectory

DHCP Client

DHCP Server1 checks with thedomain controller to obtain a listof authorized DHCP servers

Unauthorized

Does not service

DHCP requests

Authorized

Services DHCP

requests

DHCP Server1

DHCP Server2

If DHCP Server1 finds its IPaddress on the list, the servicestarts and supports DHCP clients

DHCP Server2 checks with thedomain controller to obtain a list ofauthorized DHCP servers

If DHCP Server2 does not find its IPaddress on the list, the service doesnot start and support DHCP clientsDHCP client receives IP addressfrom authorized DHCP Server1

DHCP authorization is the process of registering the DHCP Server servicein the Active Directory domain to support DHCP clients


10/46

Configuring a DHCP Scope


What Are DHCP Scopes? What Are Superscopes and MulticastScopes?


11/46

What Are DHCP Scopes?


A scope is a range of IP addresses that are available to be

leased

Scope Properties

Scope name

Exclusion range

Lease duration

Network IP addressrange

Network ID

Subnet mask

LAN A LAN B

DHCP Server

Scope BScope A


12/46

What Are DHCP Scopes?


Example:netsh dhcp server 10.10.0.2 add scope 10.10.0.0 255.255.255.0 FirstScopeNewscope1


13/46

What Are Superscopes and Multicast Scopes?


LAN A LAN A

DHCP Server

Scope A and Scope B

SuperscopeA superscope is used for environments in which multiple subnets make up a network

segment. In these cases, you can create a superscope to contain multiple scopes. Theindividual scopes are in turn dependent on the master superscope. When more than onelogical IP network is used on each physical subnet or network, the configuration is oftencalled a multinet.For example, suppose you have a large research and development company that occupiesthree floors. Each of the floors contains 300 to 400 people. All of these users share the same

gigabit Ethernet segment. Traditionally, each floor would be on its own IP subnet, with a

routed backbone running between the floors. This is impossible in the current scenario,however, because a single Class C subnet cannot handle so many users on each floor.To alleviate this problem you would need to place multiple IP subnets on the same segmentby creating a DHCP superscope. This would allow more than one Class C address to servethe same segment, thereby providing enough addresses to handle all of the machines on the

physical segment.


14/46

What Are Superscopes and Multicast Scopes?


Multicast ScopeA multicast scope allows multicast addresses to be assigned in addition to unicast (single-

computer) addresses. A multicast address is one in which destination hosts can each havethe same IP address, which is useful in one-to many forms of communications, such asmedia streaming. Multicasting is the act of transmitting a message to a select group ofrecipients.Computers join and leave a multicast group by using a protocol known as MulticastAddress Dynamic Client Allocation Protocol (MADCAP). A MADCAP client is allocated aprimary IP Address either statically or through DHCP prior to being allocated a multicast

address by a MADCAP server. The multicast client, in turn, might also be a multicastserver used to support IP multicasting. The multicast server manages the use of themulticast IP address and streams data traffic to members that share the specified scopeaddress.

LAN A LAN B

DHCP Server

Scope BScope A


15/46

Configuring DHCP Reservations and Options


What Is a DHCP Reservation? What Are DHCP Options?

How DHCP-Server, Scope, and Reserved-

Client Options Are Applied How DHCP Class-Level Options AreApplied


16/46

What Is a DHCP Reservation?


A reservationis a specific IP address, within a scope, that is permanentlyreserved for lease to a specific DHCP client

Subnet A Subnet B

Workstation 1

DHCP Server

Workstation 2

File andPrint Server

IP Address1: Leased to Workstation 1IP Address2: Leased to Workstation 2IP Address3: Reserved for File and Print Server


17/46

What Is a DHCP Reservation?



18/46

What Are DHCP Options?


DHCP optionsare configuration parameters that a DHCP server assigns toclients

DHCP Client

DHCP Server

DHCP Client IP Configuration Data

Clients IP address

Clients subnet mask

DHCP options


19/46

What Are DHCP Options?


How DHCP Server Scope and Reserved Client


20/46

How DHCP-Server, Scope, and Reserved-ClientOptions Are Applied


DHCP option applied at theserver levelDHCP option applied at thescope levelDHCP option applied at thereserved-client level

Scope A Scope B

Windows XP

DHCP ServerWindows 98

Windows XP

Router

File and PrintServer

Scope A Scope B

Windows XP


Windows XP

Router

File and PrintServer

How DHCP Server Scope and Reserved Client


21/46

How DHCP-Server, Scope, and Reserved-ClientOptions Are Applied



22/46

How DHCP Class-Level Options Are Applied


DHCP option applied at theclass level

Scope A Scope B


Windows XP Windows XP

Router Router

File andPrint Server


23/46




24/46




25/46

Configuring a DHCP Relay Agent

What Is a DHCP Relay Agent? How a DHCP Relay Agent Works

How a DHCP Relay Agent Uses Hop

Count How a DHCP Relay Agent Uses BootThreshold



26/46

What Is a DHCP Relay Agent?


A DHCP relay agent is a computer or router that listens forDHCP/BOOTP broadcasts from DHCP clients and then relays thosemessages

DHCP Server

Client

DHCP Relay Agent

Client Client Client

Routers

(NonRFC 1542Compliant)

Unicast

Broadcast

Subnet A Subnet B

Broadcast

l k


27/46

How a DHCP Relay Agent Works


RouterNon-RFC 1542 CompliantClient1

DHCP Relay Agent

Client2

DHCP Server

Client3Router(NonRFC 1542 Compliant)Client1

DHCP Relay Agent

Client2

DHCP Server

Client3

Client1 broadcasts a DHCPDISCOVER packet1

Relay agent forwards the DHCPDISCOVER message to the DHCP server2

Server sends a DHCPOFFER message to the DHCP relay agent3

Relay agent broadcasts the DHCPOFFER packet4

Client1 broadcasts a DHCPREQUEST packet5

Relay agent forwards the DHCPREQUEST message to the DHCP server6

Server sends a DHCPACK message to the DHCP relay agent7

Relay agent broadcasts the DHCPACK packet8

l


28/46

How a DHCP Relay Agent Uses Hop Count


The hop count threshold is the number of routers through whichthe packet can be transmitted before it is discarded

DHCP Relay Agent 2

DHCP Server

Hop Count = 2

DHCP Relay Agent 1

H DHCP R l A U B Th h ld


29/46

How a DHCP Relay Agent Uses Boot Threshold


DHCP Server 2

DHCP Server 3

DHCP Relay Agent

Boot Threshold = 10 seconds

Local DHCPServer

Theboot thresholdis the time the DHCP relay agent will wait fora DHCP server response before forwarding the request

C fi i DHCP P li i


30/46

Configuring DHCP Policies

What Is DHCP Policies? Policy Based Assignment (PBA)

How DHCP PBA works

How DHCP PBA processing


Wh t I DHCP P li i ?


31/46

What Is DHCP Policies?

Fuente: http://technet.microsoft.com/en-us/library/dn425039.aspx

DHCP Policies

Allows you to create IPv4 policies that specify custom IP address andoption assignments for DHCP clients based on a set of conditions.

The Policy Based Assignment (PBA) feature allows you to groupDHCP clients by specific attributes based on fields contained in the

DHCP client request packet. PBA enables targeted administration andgreater control of the configuration parameters delivered to networkdevices with DHCP.

P li B d A i t (PBA)


32/46

Policy Based Assignment (PBA)


PBA

1. A subnet has a mix of different types of clients: desktop computers, printers,IP phones, and other devices. You want different types of clients to get IPaddresses from different IP address ranges within the subnet. This is possibleusing DHCP policies if the devices have different vendors. For example:

Printers can get IP addresses from 10.10.10.1 to 10.10.10.9.

IP phones can get IP addresses from 10.10.10.10 to 10.10.10.49.

Desktop computers can be assigned IP addresses from 10.10.10.50 to10.10.10.239.

Additional devices can be assigned IP addresses of 10.10.10.240 to10.10.10.254.

By specifying a different IP address range for different device types, you canmore easily identify and manage devices on the network.



33/46



PBA

2. In a subnet which has a mix of wired and mobile computers, you might wantto assign a shorter, 4 hour lease duration to mobile computers and longer, 4 daylease duration to wired computers.

3. You want to control who gets access to the network by providing a DHCP

lease to only a known set of clients based on MAC address.

4. Employees bring in their own devices such as smartphones and tablets towork and you want to manage network traffic or control network access basedon device type.

5. You want to provide a different set of scope options to different types ofdevices. For example, IP phones can get a different Boot Server Host Name(TFTP server) and Bootfile Name option.



34/46



PBA

In this example:

Subnet A contains DHCP client devices of several different types includingworkstations, printers, and IP phones.

A DHCP server on another subnet is configured to provide leases to thesedevices from scope A.

Polices are configured at the scope level to control IP address range and at theserver level to specify lease duration.

P li B d A i (PBA)


35/46



PBA Works

DHCP client requests are processed as follows:

1. A client on subnet A submits a DHCPREQUEST that is sent to the DHCP servervia DHCP relay.

2. The clientsvendor class and MAC prefix are included in the DHCPREQUEST

packet along with theGateway IP Address(GIADDR).

3. The DHCP server uses the GIADDR to determine that the client requires alease from scope A, and begins processing policies in that scope.

4. Since scope B does not apply, these policies are ignored.

5. Based on the vendor class and MAC prefix values provided, the client requestmatches conditions of policy A3.

6. After all scope polices are processed, server level policies are processed andthe client also matches conditions of policy 1.

7. After all policies are processed, the DHCP server returns an IP addressconfiguration to the client using the settings specified in policies A3 and 1.

H DHCP PBA k


36/46

How DHCP PBA works


PBA Works

DHCP policies are rules that you can define for DHCP clients. You can define a singlepolicy, or several. Characteristics of DHCP policies include:

Policy level: Polices can apply at the server level or the scope level. Server levelpolicies are processed for all DHCP client requests received by the server. Scope levelpolicies are processed only for DHCP client requests that apply to a specific scope.

Processing order: Each policy has an associated processing order that is uniquewithin a server or scope. Policies with a lower numbered processing order are

evaluated before higher number policies. If both scope and server level policiesapply to a client, the scope level policies are always processed before any server levelpolicies.

Conditions: The conditions specified in a policy enable you to evaluate clientsbased on fields that are present in the DHCP client request. If a client requestmatches the conditions in the policy, the settings associated with a policy will beapplied to the client by the DHCP server when it responds to the DHCP request.

Settings: Settings are network configuration parameters (ex: IP address, options,lease duration) that are provided to DHCP clients in the DHCP server response.Settings enable you to group clients by applying the same set of network parametersto them.

Enabled/Disabled: Policies at the scope or server level can also be enabled ordisabled. A policy that is disabled is skipped when processing incoming DHCP clientrequests.

H DHCP PBA i


37/46



PBA Processing

Since you can configure multiple policies at both the scope level and server level,each policy is assigned a processing order. The processing order can also bemodified, assuming more than a single policy exists. The following conditions exist:

1. When processing DHCP client requests, the DHCP server evaluates each clientrequest against the conditions in all applicable policies, based on their processingorder.

2. Scope level policies are processed first by the DHCP server, followed by server widepolicies. Theoretically, a client can match the conditions of several scope policies andalso several server policies.

3. If a client satisfies the conditions of more than 1 policy, it will get the combined

settings from all policies that it matched. If the same option setting is provided inmultiple policies, the client will use the setting from the first policy that is processed.

H DHCP PBA i


38/46



PBA Processing

For example, assume that policy-1 has an option value for 003 Router and policy-2 hasan option value for 006 DNS Servers, and a client request matches both policies. TheDHCP server will assign a default gateway value (003 Router) using policy-1 and a DNSserver value using policy-2. However, if policy-1 has the higher processing priority (avalue of 1)and also has an option value for DNS server, the client will get both therouter and DNS server option values from policy-1. The DNS server option value in

policy-2 is ignored because policy-2 has a lower processing priority (a value of2).

A policy does not need to be configured with all option values that you have alreadyconfigured at the scope or server level. If a policy client has requested an optionwhich is not present in the policy but has been configured in scope level or serverlevel options, these options are applied to the client in the server response. However,if you wish to specify options for certain clients, you can include these option settingsin policies and they will have a higher priority than scope or server level options. Theonly type of option setting that has a higher priority than those configured in policesare options that you configure for a reservation.



39/46


Overview IPAM IPAM Modules

IPAM Arquitecture




40/46


Fuente: http://technet.microsoft.com/en-us/library/hh831622.aspx

IPAM

IP Address Management (IPAM) in Windows Server 2012 is a framework fordiscovering, monitoring, managing and auditing IP address space on a corporatenetwork. IPAM provides the following features:

Automatic IP address infrastructure discovery.

Highly customizable IP address space display, reporting, and management.

Configuration change auditing for DHCP and IPAM services.

Monitoring and management of DHCP and DNS services.

IP address lease tracking.

IPAM Modules


41/46

IPAM Modules


IPAM Modules

The IPAM feature consists of four primary modules. The following sections provide a briefdescription of these modules.

IPAM discovery

IPAM discovery requires access to Active Directory in order to discover networkinfrastructure servers. This discovery is necessary to enable IPAM services. Discovery

allows administrators to enumerate servers running Windows Server 2008 or later withthe DNS Server, DHCP Server and AD DS role services installed. Administrators can alsomanually add or delete servers to define a custom scope of administrative control. Thescope of discovery can be modified in real-time by selecting or removing domains andspecific server roles.

IPAM Modules


42/46

IPAM Modules


IPAM Modules

IP address space management

The IPAM address space management (ASM) feature provides the ability to efficiently view,monitor, and manage IP address space on the network. ASM supports IPv4 public andprivate addresses, and IP addresses can be dynamically issued on the network or providedas static IP addresses. Sorting can be based on custom fields, such as region, Regional

Internet Registries (RIR), device type, or customer name. A network administrator can trackIP address utilization and threshold-crossing status, or display utilization trends. IPAMASM tools address the IP address space management problem in a growing distributedenvironment by ensuring better planning, accountability, and control. IPAM also enablesan administrator to detect overlapping IP address ranges defined on different DHCPservers, find free IP addresses within a range, create DHCP reservations, and create DNSrecords.

IPAM Modules


43/46

IPAM Modules


IPAM Modules

Multi-server management and monitoringIPAM enables administrators to monitor and manage multiple DHCP servers and monitormultiple DNS servers spread across various regions from a centralized console.Administrative tasks are frequently repetitive across multiple servers. The ability to executethese tasks uniformly across servers reduces both the effort involved as well as theprobability of error. The multi-server management (MSM) feature enables an administratorto easily edit and configure key properties of multiple DHCP servers and scopes across theorganization. IPAM also facilitates monitoring and tracking of DHCP service status andutilization of DHCP scopes. IPAM also enables tagging of servers with built-in and user-defined custom field values and to visualize these servers and group them into logicalgroups and sub-groups. IPAM helps to monitor the health of a DNS zone on multiple DNSservers by displaying the aggregated status of a zone across all authoritative DNS servers.IPAM also tracks the service status of the DNS and DHCP servers on the network.

IPAM Modules


44/46

IPAM Modules


IPAM Modules

Operational auditing and IP address tracking

Auditing tools enable tracking potential configuration problems on IP infrastructureservers. IPAM provides the ability to view consolidated configuration changes on managedDHCP servers and the IPAM server. Details are tracked such as server name, user name,and the date and time a configuration change was made. IP address lease tracking isavailable to aid forensics investigations by collecting lease logs from DHCP, DC and NPSservers. IPAM enables history tracking for IP address leases and user logins. This enables

tracking of IP address activity correlated with MAC addresses, user names, host names andother parameters.

IP Address Arquitecture


45/46



IPAM Arquitecture

An IPAM server is a domain member computer. You cannot install IPAM on an ActiveDirectory domain controller.

There are three general methods to deploy IPAM servers:

1. Distributed: An IPAM server is deployed at every site in the enterprise.

2. Centralized: One IPAM server is deployed in the enterprise.Hybrid: A central IPAM server deployed with dedicated IPAM servers at each site.

There is no communication or database sharing between different IPAM servers in theenterprise. If multiple IPAM servers are deployed, you can customize the scope ofdiscovery for each IPAM server, or filter the list of managed servers. A single IPAM server

might manage a specific domain or location, perhaps with a second IPAM serverconfigured as a backup.



46/46


IPAM Arquitecture

IPAM will periodically attempt to locate network policy servers, domain controllers, DNSservers, and DHCP servers on the network that are within the scope of discovery that youspecify. You must choose whether these servers are managed by IPAM or unmanaged. Inthis way, you can select different groups of servers that are managed or not managed byIPAM. To be managed by IPAM, server security settings and firewall ports must beconfigured to allow the IPAM server access to perform required monitoring andconfiguration functions. You can choose to configure these settings manually, orautomatically using Group Policy Objects (GPOs). If you choose the automatic method,then settings are applied when a server is marked as managed and settings are removedwhen it is marked as unmanaged. The IPAM server will communicate with managedservers using an RPC or WMI interface. IPAM monitors domain controllers and NPSservers for IP address tracking purposes. In addition to monitoring functions, severalDHCP server and scope properties can be configured from using IPAM. Zone statusmonitoring and a limited set of configuration functions are also available for DNS servers.

module 4 - assign ip address using dynamic host configuration protocol (dhcp)

Documents