Using Reservations to Ensure DHCP Server Availability and Security

by Mitch Tulloch [Published on 24 March 2005 / Last Updated on 24 March 2005]

In high security environments you can use Reservations to ensure the security and availability of DHCP servers.

A setup some companies use to ensure both the security and availability of DHCP is to use DHCP servers but create a reservation for each and every client machine on the network. That way, whenever a client leases an address using DHCP it always receives the same address from the DHCP server. How is this different from static addressing? Well, for one thing, you don't have to walk around to every machine on your network and manually configure its IP address settings. Instead, you can do it centrally on your DHCP server, provided you know the MAC addresses of every client on your network. One way of doing that is to begin by configuring your DHCP server with no reservations and let it lease out addresses to all the clients on your network. Then run the netsh dhcp dump command on your DHCP server to dump the DHCP database, which gives you the IP address and MAC address of each client machine. Then, with a little ingenuity, you could write a script that uses the netsh dhcp add reservedip command to take your dumped DHCP database and create reservations for all your clients using the presently leased IP addresses. Of course, if you want clients to have specific IP addresses instead of a randomly assigned one, then you've got a lot more work ahead of you!
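The dump-then-reserve procedure above, written out as an added PowerShell example (this is not code from the original article or from Microsoft). It parses a captured block of lease output, drops duplicate MACs and duplicate addresses so each client gets exactly one reservation, and emits the matching `netsh dhcp server ... scope ... add reservedip` commands, running them only when `-Apply` is given. The server name, scope, and the sample lease text are constructed; the column layout of netsh output differs between Windows versions, so the parser relies only on each client line carrying one IPv4 address, one 12-hex-digit MAC and a trailing host name.

```powershell
<#
Added example, not code from the original article or from Microsoft: turn a
captured list of current DHCP leases into one reservation per client by
emitting (and optionally running) "netsh dhcp server ... add reservedip".

Assumptions (hypothetical, adjust for your environment):
  * $ServerName and $ScopeId name the DHCP server and scope as netsh expects.
  * $LeaseText holds text captured from the server. Only the presence of one
    IPv4 address, one MAC (with or without - or : separators) and a trailing
    host name per client line is assumed, not an exact column layout.
#>
param(
    [string]$ServerName = '\\dhcp01',      # hypothetical server
    [string]$ScopeId    = '192.168.1.0',   # hypothetical scope
    [switch]$Apply                          # omit to only print the commands
)

# Constructed sample standing in for captured netsh lease output.
$LeaseText = @'
IP Address      - Subnet Mask    - Unique ID           - Lease Expires          -Type -Name
=============================================================================================
192.168.1.10    - 255.255.255.0  - 00-11-22-33-44-55   - 3/25/2005 10:00:00 AM  -D-  ws-finance-01
192.168.1.11    - 255.255.255.0  - 00-11-22-33-44-66   - 3/25/2005 10:05:00 AM  -D-  ws-finance-02
192.168.1.12    - 255.255.255.0  - 00-11-22-33-44-55   - 3/26/2005 09:00:00 AM  -D-  ws-finance-01
'@

function ConvertTo-ReservationList {
    param([string]$Text)
    $byMac = @{}   # MAC -> reservation; a MAC can hold only one reservation
    $byIp  = @{}   # IP  -> MAC; an address can be reserved only once
    $result = foreach ($line in ($Text -split "`r?`n")) {
        # The first IPv4 token on the line is the leased address (the mask comes later).
        if ($line -notmatch '(?<ip>\b(?:\d{1,3}\.){3}\d{1,3}\b)') { continue }
        $ip = $Matches['ip']
        if ($line -notmatch '(?<mac>\b(?:[0-9A-Fa-f]{2}[-:]?){6}\b)') { continue }
        $mac = ($Matches['mac'] -replace '[-:]', '').ToLower()
        # Host name: last whitespace-delimited token, restricted to safe characters
        # so it can be handed to netsh without quoting surprises.
        $name = ($line.Trim() -split '\s+')[-1] -replace '[^A-Za-z0-9.\-]', ''
        if ($byMac.ContainsKey($mac)) {
            Write-Warning "Skipping $ip : MAC $mac already reserved for $($byMac[$mac].IP)"
            continue
        }
        if ($byIp.ContainsKey($ip)) {
            Write-Warning "Skipping $ip : address already reserved for MAC $($byIp[$ip])"
            continue
        }
        $entry = [pscustomobject]@{ IP = $ip; MAC = $mac; Name = $name }
        $byMac[$mac] = $entry
        $byIp[$ip]   = $mac
        $entry
    }
    return $result
}

function New-ReservationCommand {
    param($Entry, [string]$Server, [string]$Scope)
    # netsh dhcp server <server> scope <scope> add reservedip <IP> <MAC> [name] [comment] [BOTH|DHCP|BOOTP]
    return "netsh dhcp server $Server scope $Scope add reservedip $($Entry.IP) $($Entry.MAC) $($Entry.Name) `"pinned from lease`" BOTH"
}

$reservations = ConvertTo-ReservationList -Text $LeaseText
foreach ($r in $reservations) {
    if ($Apply) {
        & netsh dhcp server $ServerName scope $ScopeId add reservedip $r.IP $r.MAC $r.Name 'pinned from lease' BOTH
        if ($LASTEXITCODE -ne 0) { Write-Warning "netsh returned $LASTEXITCODE for $($r.IP)" }
    } else {
        Write-Output (New-ReservationCommand -Entry $r -Server $ServerName -Scope $ScopeId)
    }
}
```

Run it without `-Apply` first and review the printed commands; the third sample line is rejected because its MAC already holds a reservation, which is the kind of stale or duplicate lease you want to catch before pinning addresses. After applying, `netsh dhcp server <server> scope <scope> show reservedip` lists what the server actually holds. Keep in mind that a reservation keys on the client's MAC, which the server does not authenticate, so a reserved address is a convenience for log correlation rather than proof of which machine sent a packet.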

Why on earth would anyone want to use this all-reserved approach? Better security. Since each client always has the same IP address, it's easier to interpret address information in your firewall logs. And since you're still using DHCP you can easily make changes to your default gateway and other TCP/IP settings, and you can do this without opening up the possibility of clients changing their addresses in the process. Finally, ensuring clients always have the same address makes it easier to track the Internet usage of each user, if your company has a policy that requires this to be done.
