DHCP reservations for other mask - is it possible?

    Question

  • Hi,

    We have a network (single broadcast domain) 192.168.1.x (mask 255.255.255.0) with one DHCP server (Microsoft Windows 2008 DHCP server in AD domain). There is a computer lab in the network which we want to isolate from other computers. We can't use VLANs as some users should have access to other computers even if they login at computer lab workstations. So, we are thinking about assigning a strict mask (IP range 192.168.1.64-127 Mask 255.255.255.192) to the computer lab workstations. As there is only one physical network we will make reservations for all these workstations. Is it possible to have a scope for the whole network with wide mask 255.255.255.0 and reservations with other mask in the same IP address range?

    Thank you,

    Leo

     

     

    Wednesday, December 29, 2010 1:49 AM

All replies

  • Unfortunately it is not possible because these are 2 separate subnets, each with its own subnet ID. In this case a DHCP Relay Agent for both of them is required to request the appropriate DHCP lease from the DHCP server.

     

    MAC reservations in the DHCP server must be within the same subnet because MAC addresses are not routable; they are broadcast only within one network.


    Regards, Krzysztof
    Wednesday, December 29, 2010 7:08 AM
  • Hi Krzysztof,

     

    Thank you for the reply. I am afraid there is some misunderstanding.

    Do you mean that any DHCP server doesn't support logical subnetting? It is strange, as logical subnetting is a classic concept. I think, MAC reservation gives a way to distinguish hosts of all subnets except one in which we offer non-reserved leases. On the other hand, for assigning shorter mask to a limited number of hosts we need only a way to assign a mask for the reservation.

    So, I asked if such things are possible in Microsoft DHCP server. Your answer sounds like it is not possible at all. Did I understand you right?

     

    Regards,

    Leo

     

    Wednesday, December 29, 2010 1:48 PM
  • "Do you mean that any DHCP server doesn't support logical subnetting? It is strange, as logical subnetting is a classic concept."

    Not sure what you mean by that statement?

    Using a Microsoft DHCP server (or any other one that I can think of), you will not be able to configure DHCP Reserved clients with a different subnet mask from the one defined in the address pool.  You do have a wide variety of DHCP options that can be used, so you may need to do some research, unless someone has had a similar experience and has used a custom solution to address this issue.

     


    Visit: anITKB.com, an IT Knowledge Base.
    Wednesday, December 29, 2010 5:30 PM
  • Hi JM,

    My understanding was that Krzysztof said that logical subnetting isn't possible: "In this case DHCP Relay Agent for both of them is required to request appropriate DHCP lease from DHCP server." I simply mentioned that logical subnetting is a well-known technology and it would be strange if Microsoft DHCP ignored it altogether. Actually, we can use a superscope for a single network with independent (in terms of IP address space) logical subnets. It works fine if one of the subnet scopes is completely filled with reservations and exceptions. But I didn't find a way to create scopes in a superscope which share IP addresses. I know that it is possible in Linux DHCP server (shared networks).

    This is a paragraph from Linux DHCP server Options about mask redefinition for reservations:

     option subnet-mask ip-address;
    The subnet mask option specifies the client's subnet mask as
    per RFC 950. If no subnet mask option is provided anywhere in
    scope, as a last resort dhcpd will use the subnet mask from the
    subnet declaration for the network on which an address is being
    assigned. However, any subnet-mask option declaration that is in
    scope for the address being assigned will override the subnet mask
    specified in the subnet declaration.

    At least for Linux DHCP server it's possible.

    I would be grateful if someone could tell me how to define several subnets which share IP address range.

     

    Regards,

    Leo

    Thursday, December 30, 2010 5:27 AM
  • Hello Leo,

    Yes, it needs clarification from my side because I did not reply to you clearly :)

    Let's start once again from the beginning (this whole post is about DHCP services on Windows Server).

    You can define as many scopes on a DHCP server as you need, for example if you have implemented VLANs in your environment. In this situation you need to specify IPHelper on switches or any other DHCP Relay Agent to send DHCP broadcast queries to the DHCP server for the appropriate IP address. Each scope represents a separate network and has its own network ID, as you know :]

    And in that configuration you can define MAC address reservations in any scope you wish. Would work smoothly.

    But in the specific scenario which you described, you have only one scope 192.168.1.x/24 from which all your DHCP clients pull IPs. You want to set up a MAC reservation within this scope but with another network mask. Unfortunately, Windows DHCP server doesn't support this feature at all. When you define a MAC reservation within a scope, you set up the desired IP address for the host and its MAC address for its recognition. The rest of the settings are evaluated from the scope's options. So, in this case the network mask will be taken from the scope configuration and cannot be modified. If you want to have another network mask you need a new scope with the appropriate configuration for that.

    Unfortunately, in your case a new scope with the new network mask 192.168.1.x/26 on DHCP is not possible because your new scope range is within the existing one, 192.168.1.x/24.

    You won't be able to create it without a network split. You need to create 2 smaller scopes with their own settings and then you will be able to configure the appropriate MAC address reservations, but for that you need IPHelper on switches and VLANs or a DHCP Relay Agent.

    In conclusion, on Windows DHCP server there's no possibility to create any IP reservations with a specific network mask.

    I hope this time I was more clear :)


    Regards, Krzysztof
    Thursday, December 30, 2010 10:27 AM
  • Hi Krzysztof,

     

    Thank you very much for the clear explanation. I guessed from my tests that Microsoft DHCP doesn't allow scopes with shared IP addresses. Your proof makes me sure of that.

    Actually, I implemented a scenario with 2 independent smaller scopes 192.168.1.0/25 and 192.168.1.128/25 similar to one you suggested in your post. The IP range of the second scope is completely excluded. It contains reservations only. Apparently, this configuration works fine without DHCP Relay Agent.

     

    Regards,

    Leo

    Thursday, December 30, 2010 2:49 PM
  • I guess with the way you split it up, assuming the network configuration of the server itself is on subnet 192.168.1.0/24, you could do it this way because both 192.168.1.0/25 and 192.168.1.128/25 are essentially dividing up 192.168.1.0/24 into two halves. However, a machine in 1.0/25 will not be able to communicate to a machine on 1.128/25 because of the mask. Is that your intention to disallow communication? Is this for VLANs and set routing between the two VLANs?

    I haven't heard of configuring it in such a fashion, other than for VLANing them, but I'm sure you have your reasons. In such a case, if I needed to have a range of exclusions, I would create a broader IP distribution range engulfing both of the subnets you've described into a /24, and just exclude the upper half, but then again, I would probably just make a smaller range in the lower half, using your example, and use the upper range for statically configured machines.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Friday, December 31, 2010 6:44 AM
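
An added example (not part of the thread or any poster's code) that works out, from the masks alone, which host pairs in the layouts discussed here talk directly and which need a gateway or static route. The host addresses are constructed; the mask only changes each host's own forwarding decision on the shared wire.

```python
import ipaddress

def on_link(src_if: str, dst_ip: str) -> bool:
    """True if a host configured as src_if ("ip/prefix") treats dst_ip as
    local, i.e. ARPs for it directly instead of using a gateway or route."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(src_if).network

def classify(a_if: str, b_if: str) -> str:
    """Reachability between two hosts on one wire, judged from masks alone."""
    a_ip = str(ipaddress.ip_interface(a_if).ip)
    b_ip = str(ipaddress.ip_interface(b_if).ip)
    a_to_b, b_to_a = on_link(a_if, b_ip), on_link(b_if, a_ip)
    if a_to_b and b_to_a:
        return "direct"        # both sides ARP for each other
    if not (a_to_b or b_to_a):
        return "routed-only"   # both need a gateway or a static route
    return "asymmetric"        # one side sends direct, the other via a gateway

# Constructed host addresses for the layouts discussed in the thread.
SCHEMES = {
    "office /24 vs lab /26 (original idea)": ("192.168.1.10/24", "192.168.1.70/26"),
    "two lab hosts, both /26": ("192.168.1.70/26", "192.168.1.100/26"),
    "two /25 halves (tested layout)": ("192.168.1.10/25", "192.168.1.200/25"),
}

def report() -> dict:
    """Map each layout name to its classification."""
    return {name: classify(a, b) for name, (a, b) in SCHEMES.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:40} {result}")
```

In the /24 versus /26 layout the office host still treats the lab host as local, so the separation is one-sided and depends entirely on what each client is configured with.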
  • Hi Ace,

     

    Thank you very much for your reply. Yes, I split the whole range into two independent halves just to isolate the computer lab workstations. This way servers also get isolated. I have to use login scripts to add routes to the other half of the network on servers as they have to be accessible from all computers for some users. I'd like to use the scheme which you suggested - to have /24 mask for one scope and /25 for the other scope. Then I'd have to reconfigure computer lab workstations only. But I didn't find a way to define two scopes that potentially (!!!) share IP addresses. When I define 198.168.1.1-127/24 I can't define  198.168.1.128-255/25 as I get an error message "The address range and mask conflict with existing scoop". I also tried 198.168.1.1-255/24 with an exclusion but got the same error. It would be great if I just missed something and such configuration is in fact possible.

     

    Happy New Year! Best wishes to you and your family!

    Leo

    Friday, December 31, 2010 5:26 PM
  • The conflicting scope message was expected. It appears you may possibly need to incorporate Superscopes. Have you tried that?

    And Happy New Year to you and yours, too! :-)

    Ace



    Friday, December 31, 2010 5:57 PM
  • I tried both - two independent scopes and two scopes in a superscope. The same result.
    Friday, December 31, 2010 6:56 PM
  • To create a superscope, the included member scopes need to be inline or basically in the same 'subnet' (based on the mask) that all machines are configured with, meaning if one client gets an IP out of any of the scopes in the Superscope, they can still communicate with each other. It seems that you may have non-routable subnets in the scopes.

    See if these links help:

    Superscopes
    http://technet.microsoft.com/en-us/library/cc958938.aspx

    Configuring a DHCP Superscope
    http://technet.microsoft.com/en-us/library/dd759168.aspx

    Ace



    Saturday, January 01, 2011 7:30 PM
  • Leo,

    I do not believe it is possible to accomplish what you are trying to design with one physical wire, no VLAN segmentation, two logical networks, and one MS DHCP Server.

    To use DHCP in this design, you'll need to define two VLANs. This can be as simple as VLAN a switch, place two NICs in the DHCP server and plug each interface in each segment.

    If communication is required between these two groups of computers... Routing between these segments is going to be limiting without a gateway because addresses on the 192.168.128/25 network must be sent to the default gateway to be able to communicate with other hosts on the 192.168.1.1/24 segment.


    Visit: anITKB.com, an IT Knowledge Base.
    Saturday, January 01, 2011 7:36 PM
  • Hi Ace,

     

      Sorry, I am slightly confused about your explanation of Superscopes. The second link gives an example of a Superscope of 3 scopes 192.168.1.1-254/24; 192.168.2.1-254/24; 192.168.3.1-254/24. When a client receives an IP address from one of the scopes this client CAN'T communicate with clients that receive their addresses from other two scopes. It's interesting that Microsoft tells nothing about any DHCP relay agents. They have been providing this example since Windows Server 2003.

     

      The first link is really interesting and promising. It is the only example where scopes share the same network address: 192.168.1.1-254/22; 192.168.2.1-254/22; 192.168.3.1-254/22. But they gave the example only once for Windows Server 2000 and have never given it after that.

     

    Regards,

    Leo

     

     

    Sunday, January 02, 2011 5:08 AM
  • The way I had implemented it in the far distant past, is when I configured multiple segments with IP ranges that were inline, such as:

    192.168.100.0/24
    192.168.101.0/24
    192.168.102.0/24
    192.168.103.0/24
    etc

    However, I've found it easier to simply create a 192.168.0.0/22 subnet to encompass them all in one reducing the confusion. I don't know of any customer installations that use it. They simply would provide a larger range.

    Maybe for what you are trying to do, Superscopes won't work. I agree with JM, that you must segment them by VLANs or segments and using the layer 3 device to route between the VLAN ports, and not on the one physical segment.

    Ace

     



    Sunday, January 02, 2011 2:16 PM
  • Hi JM & Ace,

     

    Thank you for your advice. I followed it and rolled back all changes. Apparently it worked, but the DHCP server got unauthorized several times. I guess it happened when I put an exclusion on the whole range of IP addresses of the second scope. After that a blue exclamation mark appeared on the scope and on the server itself, and the server changed its status to Unauthorized. To avoid it I had to exclude all addresses but one, which is an awkward configuration. Having such issues (and several others) on the second day of the implementation phase and remembering your vision of the configuration, I decided to roll back all changes. This time around New Year we have only two weeks to implement all changes in our environment. So, I will split the network into two VLANs in summer when we have the next implementation period, as our users have vacation time.

    Regards,

    Leo

     

    Wednesday, January 05, 2011 3:34 AM
  • I assume you had to exclude the server itself. It's possible that it was conflicting, not sure, since I've never included the whole range when creating scopes. I provide a specific range for scopes so I know by IP address if a machine is static or not, or maybe it's just old fashioned of me!

    Based on JM's recommendations and me in agreement, that two VLANs sounds like the best way to go.

    Good luck with everything!

    Ace



    Wednesday, January 05, 2011 3:56 AM