DHCP server redundancy between 4503 switches

Unanswered Question
Apr 25th, 2008

We have two core switches 4503 C1 & C2. We have configured the C1 switch as DHCP server. In case Core 1 goes down we need to activate Core 2 to act as the DHCP server. Do let me know how to achieve DHCP failover between the Core switches.

cisco_lad2004 Sun, 04/27/2008 - 02:47

With server-based DHCP requests, you can have 2 or more servers. Hosts' requests are forwarded to all available servers; however, when servers respond, hosts accept the 1st offer, so it works on a first come, first served basis.

When Cisco devices are used, as in your case, I don't see why the behaviour should be any different. So the same range to be assigned is configured on both core switches, and hosts will send requests to both if the ip helper command is used, for example.

I will stand corrected as I have not tested the above scenario, and look forward to hearing more comments on this.

HTH

Sam

That's essentially what I described. However, host-based firewalls are common now and relying on the DHCP servers' ping test for duplicate address detection can lead to problems. The method I described allows for both switches to offer addresses in the same network while not offering addresses in the same range of addresses. So, assuming that you have <128 hosts in a /24 the config would look something like:

sw1:

! Exclude your gateway address
ip dhcp excluded-address 10.1.1.254
! Exclude the last half of the network
ip dhcp excluded-address 10.1.1.129 10.1.1.254
ip dhcp pool vlan100
 network 10.1.1.0 255.255.255.0

sw2:

! Exclude your gateway address
ip dhcp excluded-address 10.1.1.254
! Exclude the first half of the network
ip dhcp excluded-address 10.1.1.1 10.1.1.128
ip dhcp pool vlan100
 network 10.1.1.0 255.255.255.0

cisco_lad2004 Sun, 04/27/2008 - 10:23

In the above config, each switch is effectively only assigning half a /24. What happens when one switch dies?

What I suggested is that each switch assigns the full /24. When a host gets an offer and accepts it from one switch, it will decline the second switch's offer.

In this case, if one of the switches fails all hosts can still obtain an IP address from the other, as the full scope is defined on both switches.

HTH

Sam

Which is why the network should be double the size of the number of hosts and this excess capacity is relatively common. One switch is fully capable of offering addresses to all the clients in the LAN. In your solution, one switch could offer the exact same address as the other and you'd wind up with a collision.

I should also mention that it's important for the OP to make sure the DHCP binding table is backed up somewhere because it doesn't persist between reloads.

cisco_lad2004 Sun, 04/27/2008 - 11:04

Ok, I see what you mean now.

For a requirement of a /28 number of hosts you would use a full /24. Technically valid, but a waste of IP addresses, especially if we are talking public.

With regards to collision, I don't see how this will happen. There should not be any conflicts, as a host requesting an IP address can accept from one switch and decline from another.

The declined DHCP server would also ensure the IP address has not been assigned already before assigning anything new.

I totally agree on backing up the DHCP binding table.

Sam

Ok, an example. 2 clients and 2 DHCP servers with identical scopes and empty binding tables. Client 1 requests an address, DHCP server 1 looks for an address (the db is blank so it picks .1), pings it and then extends the offer. DHCP server 2 does the same thing and let's say that server 1 wins and enters the address in its copy of the binding table. Client 2 comes up and the process repeats, only this time server 2 wins and also offers .1. Now because the clients have the Windows firewall turned on, server 2's dup address detection doesn't find the collision.

All of the above doesn't happen if the scope's address space is split between the 2 servers and so there's no possibility of offering the same address. For a /28 worth of hosts you'd need a /27, n-1 etc etc. You're right in that the address space is not efficiently used but most of the internal networks I come across have this kind of excess capacity. Something about the last byte of the netmask being something other than 0 scares people :-)
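The collision scenario and the split-scope alternative from the two posts above, worked through in a small model added here (it is not a Cisco tool or anything from the thread): two servers with identical /24 scopes versus the same servers with the halves excluded, with the pre-offer ping either answered or blocked by a host firewall, and Core 1 then failing. The host names and the 10.1.1.0/24 pool are constructed from the thread's example; "first offer wins" is modelled as the clients alternating between whichever servers are alive.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

@dataclass
class DhcpServer:
    network: IPv4Network = IPv4Network("10.1.1.0/24")
    excluded: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)  # address -> client MAC
    alive: bool = True

    def exclude(self, first: str, last: str = "") -> None:
        """Same effect as 'ip dhcp excluded-address first [last]'."""
        a, b = int(IPv4Address(first)), int(IPv4Address(last or first))
        self.excluded.update(IPv4Address(i) for i in range(a, b + 1))

    def offer(self, lan: dict, firewalled: bool):
        """Lowest free address; the pre-offer ping only catches an in-use address if the host answers."""
        for ip in self.network.hosts():
            if ip in self.excluded or ip in self.bindings:
                continue
            if ip in lan and not firewalled:
                continue  # ping answered: the server logs a conflict and skips it
            return ip
        return None

def run(servers: list, clients: list, firewalled: bool, lan: dict) -> list:
    """Each client keeps one OFFER (alternating between live servers); returns addresses held by several hosts."""
    for i, mac in enumerate(clients):
        offers = [(s, s.offer(lan, firewalled)) for s in servers if s.alive]
        offers = [(s, ip) for s, ip in offers if ip is not None]
        if offers:
            winner, ip = offers[i % len(offers)]
            winner.bindings[ip] = mac  # only the winner records the lease
            lan.setdefault(ip, []).append(mac)
    return sorted(str(ip) for ip, macs in lan.items() if len(macs) > 1)

def identical_scopes(firewalled: bool) -> list:
    """Both cores hand out the whole /24 (Sam's proposal)."""
    c1, c2 = DhcpServer(), DhcpServer()
    c1.exclude("10.1.1.254"); c2.exclude("10.1.1.254")  # the HSRP gateway
    return run([c1, c2], ["host1", "host2"], firewalled, {})

def split_scopes() -> tuple:
    """C1 owns .1-.128, C2 owns .129-.253 (jcoke's proposal); then Core 1 fails."""
    c1, c2, lan = DhcpServer(), DhcpServer(), {}
    c1.exclude("10.1.1.129", "10.1.1.254")
    c2.exclude("10.1.1.1", "10.1.1.128"); c2.exclude("10.1.1.254")
    run([c1, c2], ["host1", "host2"], True, lan)
    c1.alive = False  # Core 1 goes down; host3 must still get a lease from C2
    dups = run([c1, c2], ["host3"], True, lan)
    return dups, {str(ip): macs for ip, macs in lan.items()}
```

With identical scopes the duplicate appears only when the ping is blocked; with split scopes no address can be offered twice and host3 is still served by C2 after C1 fails.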

cisco_lad2004 Sun, 04/27/2008 - 12:32

Yes of course, if the FW is turned on a conflict may occur.

As I said before, I have not tested my suggested solution, so I will proceed with caution.

DHCP does not only rely on PINGs for its checks but on gratuitous ARP from users as well as the database. Granted, timer settings with database transfer can cause "blind spots".

I am also not sure how SW2 behaves before assigning an IP (that it has not spotted as already assigned due to the FW, as you said) if it has an entry for the same IP address in its CAM table seen from another port. Would a snooping binding entry be created when the host's MAC address is already known?

I will put my scenario in a test bed and validate (I shall use a /25 :-))

Sam

pradeepkum Mon, 04/28/2008 - 03:20

Thanks. In the present set up I have configured the Core 1 4503 as DHCP server with 10 VLAN pools and a lease time of 1 week. I am also running HSRP between Core 1 & 2, so I have given the default gateway as the virtual HSRP IP in the pool.

1) In case Core 1 (the DHCP server) is down, will the hosts be able to work with Core 2 with the old IP they got from Core 1?

2) If I manually create the same pools for the 10 VLANs in Core 2, will Core 2 learn the IPs already in the network?

3) How to achieve automatic DHCP redundancy between the core switches?

Thanks in advance.

cisco_lad2004 Fri, 05/02/2008 - 10:28

1- I have tested a few things, and I think jcoke's suggestion is a good one.

You can achieve redundancy by allowing DHCP to assign twice more than what you need. So DHCP1 has a scope and DHCP2 has another, totally different yet summarisable.

2- You need a database that logs the DHCP bindings.

3- The above will be dynamic.

HTH

Sam

cisco_lad2004 Sun, 05/04/2008 - 22:29

Gaurav,

This is the syntax: Switch(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file

As I see it you can write to the same database from 2 sources. However, bear in mind that this database will only be used if the switch actually reboots. Until then, each switch would use its own snooping binding database located in the switch itself.

Take a look at this document:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/dhcp.html

HTH

Sam

cisco_lad2004 Sun, 05/04/2008 - 22:57

Yes there is, it was covered by JCoke.

Take the subnet you need and double it, and make each subnet a scope in each switch.

Please look at the suggestion from JCoke.

HTH

Sam
