Topology
The topology can be saved locally, and then enlarged to view, so that it can be seen more clearly.
7.1 DHCP deployment analysis
In this network architecture, there are two devices that can deploy DHCP. One is an egress firewall, and the other is to use a separate server cluster to deploy a DHCPServer, which can be Linux or Windows. It is recommended to use a server to build DHCP for the reasons A few, 1. If you use a firewall to build a DHCP service, it will increase the burden of the firewall, because the firewall does not only run IPSEC ***, L2TP ***, NAT, routing, packet inspection functions, it needs to create a lot of session information, and Processing, and the amount of PCs in the headquarters is also very large, so at this time, we need to ensure that the firewall does not increase the burden. As for the server, the virtualization is currently mature. If a good server is deployed in a virtualized environment, it is very easy Many services are virtualized, whether it is cold standby or hot standby. Of course, hot standby is supported by Windows in 2012. Cold standby means that only the first server is used first, and when the first DHCP server fails, the second one is used. Of course, it does not have a backup function. The two servers do not know which IP addresses the other party has allocated to the low end. In 2012, it supports the active and standby function, that is, after the master assigns the address, it will synchronize the information to the backup, so that the backup will act as the master. When used, you can continue to work in the previous state.
7.2 Windows DHCP setup
Note: DHCP uses Windows 2003, because I used a virtual environment to build 2003 to simulate a working DHCP server, so I did not deploy 2008 or 2012, which takes up more resources, in fact, the configuration is very simple. The server's IP address is 192.168.88.251
1. In the Add/Delete program———Add/Delete Windows Components————-Find Network Service————Select the DHCP service, OK, please note that you need to insert the corresponding CD.
Open the corresponding DHCP service
Create a new scope or scope
Note: In this way, a corresponding address pool is created, and the corresponding network segment, gateway, DNS, and Domain are assigned. This can be defined according to your own needs. Add a comment when adding your name to facilitate subsequent distinction. In addition, you need to pay attention to the range of allocation. I have seen that the addresses corresponding to 252, 253, and 254 are all used. Therefore, when assigning, the recommended range is 1~250, such as 192.168.19.1~250 or 251.
Correspondingly, 4 address pools were created, mainly used in this project. In fact, there are VLAN 22 and 23, but there is no example here, so I will not add them. The corresponding gateway is 254, and the DNS address is 192.168 .88.251 is actually a DHCP server. Because it is a simulated environment, one server serves as several service functions. It should be noted that the function of VLAN 1 here is mainly the address assigned to the wireless AP, so the range is not very large, and it is enough to meet the needs.
Result verification [Test here with the visitor hall and high-level personnel to see if the PC below can obtain the corresponding IP]
After checking, no address was obtained.
DHCP relay configuration [the most easily overlooked point]
Analysis: Why can't I get an address? Although we have defined a corresponding address pool in DHCP, when the PC requests an address, it sends a DHCP message, and then it passes through the access layer switch with a VLAN tag and forwards it to the core layer. After receiving it, the core layer will check whether the corresponding DHCP service function is enabled. If it exists, it will assign an address to the PC. However, we define that the DHCP service is on the server and not on the switch, so the switch will directly The message was discarded without any response, because the switch itself did not open the service, and it did not know who could assign an address to the PC. At this time, you need to configure the relay function. The relay function tells the core switch where to find the DHCP server.
[Core-A]dhcp enable
[Core-A]interface vlan 1
[Core-A-Vlanif1]dhcp select relay
[Core-A-Vlanif1]dhcp relay server-ip 192.168.88.251
Description: The DHCP function must be turned on first, and then the Enable the relay function under the corresponding VLAN, and then define where the server address is. Note that all VLANs need to be typed, such as VLAN 1, 19, 20, 21. As long as the customer needs to obtain an address, the VLAN needs to be on the bridge.
The VLANs of the two core switches need to be configured. There is no distinction between active and standby, and both need to be defined. Because if the main fails and the standby is used as a gateway, there is no corresponding relay function, so DHCP cannot be obtained, so here are all Need to configure.
Verify the results again
When the PC is connected to the visitor hall, the corresponding IP address is 192.168.19.1, and the gateway and DNS parameters are all OK.
When the PC is connected to the Boss, the corresponding IP address is 192.168.20.1, and the gateway and DNS parameters are OK
Customer problem reflection, optimization and summary
Although DHCP has been deployed and the client has obtained the address, no problem was found during the test, but after a period of use, the customer reported that it takes a long time to obtain the address after the PC is reconnected to the switch. , Or it is the first time that the address cannot be obtained, which is more obvious especially for laptops.
Analysis: Why does this happen? Check the port status here. When I connect a PC to a switch, the switch interface will be up, but because the interface has the STP function enabled, STP calculation will be performed first. Although it is MSTP, it is not good for edge interface processing. We can Look at the status.
We can see that E0/0/2 has just been UP, but the corresponding STP state is DISCARDING, discarding state. This is the initial state of MSTP, indicating that MSTP is still being calculated. What is the role of the interface to be calculated.
Now it has changed to Learning state
It becomes Forwarding at the end. This time may pass 30~50s, and we know that when a PC connects to a network, if it does not get an IP address in 10~15s, it will automatically get a 169 address. , So some customers are slow to obtain the address or cannot obtain the address directly.
optimization
1. In addition to the uplink interface, turn off STP for the customer's network (not recommended)
2. Enable the edge port function to allow the customer's network to skip STP detection (recommended).
Note that the first reason is not recommended: If the customer connects a device privately, and then it is still a loop, STP can effectively block it, but if it is closed, it will cause a loop. If a broadcast storm occurs, the network is likely to be paralyzed. The server cluster switch does not need to be configured, because the server will not move easily under normal circumstances. In addition, approval is required to enter, so it is not necessary to configure it.
Take Boss as an example. Both the visitor hall and finance need to be configured. Just refer to it. Note that the core equipment does not need to be configured.
[boss]port-group 1
[boss-port-group-1]stp edged-port enable
Description: Finance and visitor hall Just follow this configuration. The port-group here does not need to be associated with the interface, because we have already associated it at the very beginning, so you can configure it directly here.
You can see that all interfaces are configured with edge port functions.
Final test result verification
Connect to the Boss device again this time to see the port status and DHCP acquisition.
You can see that it is connected to E0/0/3 this time, and the forwarding state is directly after viewing it, and it has not experienced the previous discarding, listening, and other states.
to sum up
The two easiest points for DHCP are 1, DHCP relay 2, and the existence of STP. The other is that DHCP allocates so many address pools. Why does it know that the client needs that? In fact, this is the relay function. When a data packet arrives at the core switch, the switch will check the relay configuration and send it to the DHCP server as a unicast packet. The source address of the packet is the network segment of the corresponding VLAN. After DHCP is received, the assigned address is based on this VLAN. In this case, what you request for VLAN 19 is naturally the network segment corresponding to VLAN 19.
Another feature function of DHCP relay .
Assuming that there are 2 DHCP servers in this network segment, A is used by default, and B is used when A fails. Then we can't think about the configuration just like that, we need to configure a DHCP Group.
[Core-A]dhcp server group 1
[Core-A-dhcp-server-group-1]dhcp-server 192.168.88.251
[Core-A-dhcp-server-group-1]dhcp-server 192.168.88.250
[Core-A]int vlan 100
[Core-A-Vlanif100]dhcp selec relay
[Core-A-Vlanif100]dhcp relay server-select 1
Description: This configuration means that two DHCP server addresses are defined, the default is Next, use the first one, when the first one is broken, use the second one, and then call under the interface. The calling method is different from before. Before, the IP address was written directly, but here is to call this group.
This article was first published on the public account: Network Road Blog