This is the ultimate guide to Windows DHCP best practices and tips.

If you have any best practices or tips, please post them in the comments below.

In this guide (part 4), I cover the following DHCP best practices and tips.

  1. Use DHCP relay agents
  2. Prevent rogue DHCP servers
  3. Back up the DHCP server
  4. DHCP MAC address filtering
  5. Conclusion

DHCP relay agent

If you have a centralized DHCP server with multiple networks, you need to use a DHCP relay agent.

DHCP client messages are broadcast, and routers do not forward broadcasts. To solve this, enable the DHCP relay agent function (Cisco calls it an IP helper) on the router or layer 3 switch. The relay picks up the client's broadcast, forwards it as a unicast to the DHCP server, and returns the server's reply to the client's subnet. The relay also stamps the request with the address of the interface it arrived on (the giaddr field), which is how a single DHCP server chooses the right scope for each subnet.

You will need to look at the router documentation for the command to enable the relay agent.

Sources

Cisco: Configuring the DHCP relay agent

HP: Configuring DHCP relay

Prevent rogue DHCP servers

Have you ever had a user, or someone in your own IT department, plug a consumer router or switch into an open wall port? Users then lose access to the Internet and other resources, and the Helpdesk phone starts ringing off the hook.

Rogue DHCP servers are a headache. They are also a security risk: a device handing out leases can set itself as the default gateway or DNS server for every client on the segment and intercept or redirect their traffic.

The best place to block a rogue DHCP server is the network switch, using either DHCP snooping or 802.1X port-based network access control.

DHCP snooping

DHCP snooping is a layer 2 switch feature that prevents unauthorized (rogue) DHCP servers from assigning IP addresses to devices.

DHCP snooping works by classifying switch ports as trusted or untrusted. Trusted ports may carry DHCP server messages (OFFER, ACK, NAK); on untrusted ports the switch drops any DHCP server message while still allowing client messages (DISCOVER, REQUEST) through.

You want end devices (computers, printers, phones) on untrusted ports, so that a rogue DHCP server plugged into one of them cannot hand out leases. Only the uplink toward your real DHCP server or relay agent should be trusted.

802.1X port-based network access

802.1X is an IEEE standard for port-based network access control. It requires a device to authenticate before it is granted network access.

This helps not only against rogue DHCP servers but also controls network access for any device.

802.1X is typically configured at the switch level and requires a supplicant on the client, the switch acting as authenticator, and a RADIUS authentication server.

Back up the DHCP server

The DHCP server is critical to providing IP settings to clients. If it crashes, you need to recover it as quickly as possible.

Did you know that by default Windows backs up the DHCP configuration and database to %SystemRoot%\System32\dhcp\backup every 60 minutes?

But if the server crashes and you can't access that folder, the backup does you no good.

If you don't have remote backups, you need to periodically copy the backup folder to another location.

You can do this by copying the folder to another location, or by using PowerShell to write a backup to a path of your choosing:

Backup-DhcpServer -ComputerName "DC01" -Path "C:\DHCPBackup"

You can learn more about this in my article “Backing up and Restoring Windows DHCP Servers.”
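The following script is an added example, not code from the original article. It runs Backup-DhcpServer and then copies the result off-box so that a dead server does not take its only backup with it. The server name DC01, the staging folder C:\DHCPBackup on that server, and the share \\FS01\DHCPBackups are assumptions; replace them with your own.

```powershell
# Added example (not from the original article): back up the DHCP server
# configuration and copy it off-box to a file share.
# Assumptions (hypothetical names): DHCP server "DC01", staging folder
# C:\DHCPBackup on DC01, destination share \\FS01\DHCPBackups.
# Run from a host with the DHCP Server RSAT module, as a DHCP administrator
# with admin rights on DC01.

$DhcpServer  = "DC01"                          # assumed DHCP server
$LocalPath   = "C:\DHCPBackup"                 # path as seen from DC01
$LocalShare  = "\\$DhcpServer\C$\DHCPBackup"   # same folder via the admin share
$RemoteShare = "\\FS01\DHCPBackups"            # assumed off-box destination
$Stamp       = Get-Date -Format "yyyyMMdd-HHmm"

# Make sure the staging folder exists on DC01 (no error if it already does).
New-Item -ItemType Directory -Path $LocalShare -Force | Out-Null

# Backup-DhcpServer is executed by the DHCP Server service on DC01,
# so -Path is a path on DC01, not on the machine running this script.
Backup-DhcpServer -ComputerName $DhcpServer -Path $LocalPath

# Copy the fresh backup to the remote share under a timestamped folder.
$Dest = Join-Path $RemoteShare "$DhcpServer-$Stamp"
Copy-Item -Path $LocalShare -Destination $Dest -Recurse -Force

# Keep only the 14 newest copies so the share does not fill up.
# The yyyyMMdd-HHmm stamp sorts correctly as a plain string.
Get-ChildItem -Path $RemoteShare -Directory |
    Where-Object Name -like "$DhcpServer-*" |
    Sort-Object Name -Descending |
    Select-Object -Skip 14 |
    Remove-Item -Recurse -Force
```

Run it from a scheduled task so the off-box copy happens without anyone remembering to do it, and test a restore (Restore-DhcpServer) onto a lab server at least once; a backup that has never been restored is an assumption, not a backup.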

DHCP MAC address filtering

DHCP MAC address filtering lets you allow or deny IP address assignment based on a client's MAC address.

This is useful when you want the DHCP server to hand out addresses only to an explicit list of devices, or when unwanted devices on a VLAN keep getting leases. Note that the filter lists are server-wide: they apply to every scope on that DHCP server, not to a single scope.

For example, say users put BYOD devices on your secure VLAN. You can add those devices to the deny filter. DHCP MAC filtering is a quick and easy way to control who gets a lease, but it is not a strong security control: a MAC address is trivially spoofed, and a device with a static IP bypasses DHCP entirely. If you have the time and resources, the better option is 802.1X.
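Here is the deny-filter scenario above as an added example (not code from the original article). It uses the DhcpServer PowerShell cmdlets; the server name DC01 and the MAC address AA-BB-CC-DD-EE-FF are made up for the example.

```powershell
# Added example (not from the original article): deny a BYOD device a lease
# by adding it to the DHCP server's MAC deny list.
# Assumptions (hypothetical): DHCP server "DC01", device MAC "AA-BB-CC-DD-EE-FF".

$DhcpServer = "DC01"
$BadMac     = "AA-BB-CC-DD-EE-FF"

# Add the device to the Deny list. A description saves the next admin
# from wondering why the entry is there.
Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Deny `
    -MacAddress $BadMac -Description "BYOD phone on secure VLAN, ticket 1234"

# Entries in a list are ignored until that list is enabled on the server.
# Enable only the Deny list here; enabling Allow would block every client
# that is not explicitly listed.
Set-DhcpServerv4FilterList -ComputerName $DhcpServer -Deny $true

# Verify: the Deny list is enabled and the entry is present.
Get-DhcpServerv4FilterList -ComputerName $DhcpServer
Get-DhcpServerv4Filter -ComputerName $DhcpServer -List Deny

# To remove the block later once the device is off the secure VLAN:
# Remove-DhcpServerv4Filter -ComputerName $DhcpServer -MacAddress $BadMac
```

Because the filter lists are server-wide, check the current contents of both lists (Get-DhcpServerv4Filter -List Allow and -List Deny) before enabling either one, so you do not accidentally cut off devices on other scopes served by the same server.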

Conclusion

I've been using these techniques for years when managing DHCP servers. With these in place, and the DHCP server itself configured correctly, DHCP is rarely a source of trouble. I hope these tips are useful; post any DHCP tips or best practices you have in the comments below.

Contents of this document series:

DHCP Best Practices (1)

DHCP Best Practices (2)

DHCP Best Practices (3)

DHCP Best Practices (4)

This article was originally published at BigYoung.