Managing DHCP in large venues – A comprehensive guide for network managers
Network and system administrators in large-capacity venues, such as stadia, megachurches and universities, all encounter a particular set of issues. Offering seamless public Wi-Fi access to crowds of network users is challenging when faced with:
- thousands of simultaneous leases
- sharp spikes in demand during peak times
- separate subnets for staff, vendors and guests, etc.
- managing VLANs for remote staff, visitors and device types
Network administrators need a reliable and easy-to-use DHCP solution that guarantees service uptime and that can comfortably cope with high peaks in demand. However, most DHCP solutions on the market lack the crucial features that network managers need.
Table of Contents
- Do I need an on-site server?
- Moving from Windows Server to Azure, what can I do about DHCP?
- Why can't I set up failover using Windows Server or ISC DHCP?
- Which DHCP failover mode should I use?
- What are the considerations for DHCP lease times in large venues?
- How does a DHCP relay work?
- How can DHCP performance be optimised in a busy/large network?
- What security measures should be implemented for DHCP in large venues?
- How to scale DHCP in a large venue?
1. Do I need an on-site server?
Companies are increasingly migrating IT infrastructure from physical servers to cloud-based solutions like AWS or Azure. However, DHCP (and for that matter, DNS) is one network service that absolutely belongs on-site – it's too critical to move off site, where it will introduce extra latency and be left at the mercy of your internet connection.
Physical, on-site servers offer reliability and performance benefits: they sit in a controlled environment on the same LAN as the clients they serve, so connectivity is robust and latency minimal. Virtual servers offer flexibility and scalability, with efficient resource allocation and on-demand provisioning, but their performance is bounded by, and their availability entirely dependent on, the underlying virtual infrastructure and the links to it.
Virtualisation is well suited to less critical network functions, but in large-capacity venues, where the network sees huge influxes of visitors and very high peak-time demand, an on-site DHCP server copes considerably better and helps ensure service uptime.
2. Moving from Windows Server to Azure, what can I do about DHCP?
If you are currently using Windows Server for DHCP and moving network infrastructure to the cloud, you will want to keep your DHCP server on-site. You need a dedicated, on-site DHCP solution that can either replace Windows Server's DHCP role or act as a relay agent and integrate with Microsoft Azure, including support for GSS-TSIG, the mechanism Active Directory-integrated DNS uses to authenticate dynamic updates, so that DHCP-driven DNS registration keeps working once the directory moves to Azure.
3. Why can't I set up failover using Windows Server or ISC DHCP?
High-availability failover has long been seen as difficult to set up and manage, largely because most DHCP solutions lack the features that make it straightforward. Those using Windows Server or ISC DHCP for DHCP services tend to run into the same issue: neither makes high-availability failover or redundancy simple to deploy and operate.
Windows Server, for example, has long-standing limitations in its high-availability options. A clustered, active-passive deployment introduces a storage single point of failure, while a split-scope, active-active arrangement cannot provide IP address continuity, because each server only knows about its own part of the range, so a client whose server fails must obtain a new address rather than renew its existing one.
ISC DHCP's failover protocol, on the other hand, is complex to set up, and the server was not designed with high-capacity venues in mind, so the sheer number of leases required to make the network work introduces scalability and performance issues.
But failover doesn't have to be difficult.
ApplianSys has designed DNSBOX for DHCP, where high-availability failover can be set up in just a few simple clicks.
DNSBOX200 failover pairs synchronise configuration data, ensuring that they never 'disagree' about the network. They also dynamically share available addresses and information about current leases. Failover can be set up quickly and easily with options to suit all different network topologies and requirements.
4. Which DHCP failover mode should I use?
There are two failover modes for DHCP – active-active and active-passive.
Active-active failover involves distributing network traffic across multiple active devices simultaneously, while active-passive failover uses a primary device for traffic handling and a standby device that activates only when the primary fails.
In a large-capacity venue, active-active failover offers several advantages. To start with, it maximises network performance and capacity by leveraging all active devices, enabling load balancing and efficient use of the available resources. In the event of a failure, the remaining device(s) can continue to handle the network's traffic, reducing the risk of service disruption. This configuration also provides scalability as additional devices can be added to accommodate growing demand.
It should be noted that active-active failover, although practical, can be challenging to set up on general-purpose DHCP solutions such as Windows Server and ISC DHCP. The two servers must share lease state and agree on which of them answers a given client, which adds to the network's complexity and management requirements.
Active-passive failover, on the other hand, simplifies high-availability failover in large venues. It is easier to configure and takes fewer resources, making it relatively straightforward.
However, during regular use, the standby device remains inactive, which leads to underused resources. In the event of a failover, there could be a potential delay as the standby device assumes control, which may result in service disruptions or increased latency.
Because DNSBOX for DHCP is a specialist, dedicated DHCP server, it can be set up in either active-active or active-passive mode in just a few clicks using the device's intuitive GUI. It can be deployed with a failover unit which is continuously synchronised with the active primary. In the event of a failure, this will ensure there is no impact on network availability, making your network resilient enough to handle high, peak-time demand.
5. What are the considerations for DHCP lease times in large venues?
Setting appropriate DHCP lease times is critical in large venues: the lease time balances how quickly addresses return to the pool against how much renewal traffic the server must absorb. Factors to consider when determining lease times:
- Device roaming: consider the mobility of devices within the venue. A device moving between access points on the same subnet keeps its lease, so longer lease times reduce the number of renewal requests roaming devices generate.
- Guest vs. staff networks: differentiate DHCP lease times for guest networks (shorter times, because most visitors leave without sending DHCPRELEASE and would otherwise hold an address for the whole lease) and staff networks (longer times, for known devices with low churn) to manage address allocation efficiently.
- Lease time optimisation: adjust DHCP lease times based on the expected duration of device connections:
  - longer lease times reduce DHCP traffic and server load, because clients renew at half the lease time by default
  - shorter lease times improve IP address usage, because addresses abandoned by departed devices return to the pool sooner
Make sure your server can handle the number of leases you need to provide, and the renewal rate that follows from your lease time, especially for peak periods.
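The trade-off above can be put into numbers. The following is an added illustration, not DNSBOX code or a sizing tool from any vendor: a small model of one scope that estimates addresses consumed at peak (attached devices plus departed devices still holding unexpired leases), the renewal rate the server sees (clients renew at T1, half the lease by default), and the longest lease a given pool can sustain at a given arrival rate. All pool sizes, client counts and arrival rates are constructed assumptions.

```python
"""Rough capacity model for a venue DHCP scope.

Added illustration for the lease-time trade-offs above; not DNSBOX code.
All figures (pool sizes, client counts, arrival rates) are constructed
assumptions, not measurements from any real venue.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeProfile:
    pool_size: int            # usable addresses in the scope's dynamic range
    lease_seconds: int        # lease time handed out to clients
    peak_concurrent: int      # devices attached at the busiest moment
    arrivals_per_hour: float  # devices joining per hour at peak that hold no
                              # unexpired lease yet (returning clients normally
                              # get their old address back and do not count)


def addresses_in_use(p: ScopeProfile) -> int:
    """Addresses occupied at peak.

    A client that walks out without sending DHCPRELEASE (the normal case for
    phones) keeps its address until the lease expires, so the pool must hold
    the attached devices plus everyone who left within the last lease period.
    """
    departed_still_leased = p.arrivals_per_hour * p.lease_seconds / 3600
    return math.ceil(p.peak_concurrent + departed_still_leased)


def pool_exhausted(p: ScopeProfile) -> bool:
    return addresses_in_use(p) > p.pool_size


def renewals_per_second(p: ScopeProfile) -> float:
    """Steady-state renewal load on the server.

    Clients renew at T1, which defaults to half the lease (RFC 2131), so N
    attached clients send roughly N / (lease / 2) DHCPREQUESTs per second,
    each answered by a DHCPACK. Halving the lease doubles this figure.
    """
    return p.peak_concurrent / (p.lease_seconds / 2)


def max_lease_seconds(p: ScopeProfile) -> int:
    """Longest lease that keeps the scope from exhausting at the given churn.

    Returns 0 when the pool cannot even hold the concurrent devices; no lease
    time fixes that, only more addresses.
    """
    if p.arrivals_per_hour <= 0:
        raise ValueError("arrivals_per_hour must be positive")
    spare = p.pool_size - p.peak_concurrent
    if spare <= 0:
        return 0
    return int(spare * 3600 // p.arrivals_per_hour)


# Constructed profiles: one guest scope at a stadium gate with an 8 h lease,
# and the same crowd on a 20 min lease.
GUEST_LONG_LEASE = ScopeProfile(pool_size=1000, lease_seconds=8 * 3600,
                                peak_concurrent=700, arrivals_per_hour=600)
GUEST_SHORT_LEASE = ScopeProfile(pool_size=1000, lease_seconds=20 * 60,
                                 peak_concurrent=700, arrivals_per_hour=600)
# Staff scope: known devices, low churn, so a long lease is cheap.
STAFF = ScopeProfile(pool_size=500, lease_seconds=24 * 3600,
                     peak_concurrent=300, arrivals_per_hour=5)

if __name__ == "__main__":
    for name, p in [("guest 8h", GUEST_LONG_LEASE),
                    ("guest 20m", GUEST_SHORT_LEASE), ("staff 24h", STAFF)]:
        print(f"{name:10} in use {addresses_in_use(p):>5}/{p.pool_size}"
              f"  exhausted={pool_exhausted(p)}"
              f"  renewals/s={renewals_per_second(p):.2f}"
              f"  max lease={max_lease_seconds(p)}s")
```

With these constructed figures the 8-hour guest lease needs 5,500 addresses for a 1,000-address pool and exhausts within the first hour of gates opening, while the 20-minute lease fits in 900 addresses at the cost of roughly one renewal per second; the staff scope tolerates a day-long lease comfortably. The model ignores the server's own lease-expiry grace periods and reservations, so treat its output as a starting point for testing, not a final design.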
6. How does a DHCP relay work?
DHCP relay agents play a crucial role in large-venue networks by facilitating DHCP communication between clients in different subnets and the DHCP server. Their main functions include:
- packet forwarding: relay agents receive DHCP messages from clients in one subnet and forward them to the DHCP server located in another subnet, enabling DHCP communication across subnets.
- option insertion: a relay agent sets the giaddr field to its own address on the client's subnet, which the server uses to choose the scope for that subnet, and can add the Relay Agent Information option (Option 82) identifying the switch, port or VLAN the request arrived on, allowing different subnets, and even individual ports, to be configured individually.
If you have a high influx of visitors, high peak-time DHCP lease demand and a network that is broken down into separate subnets, you need a specialist DHCP server that can handle the traffic from several DHCP relay agents effectively to ensure that DHCP messages are successfully transmitted across all subnets. Not only can DNSBOX for DHCP support that but it can also be integrated with Azure if you have some network infrastructure off-site.
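To make the relay behaviour concrete, here is an added walk-through of one DHCPDISCOVER/DHCPOFFER exchange through a relay agent; it is example code written for this page, not DNSBOX or any vendor's relay implementation. It builds a real DHCPv4 message on the wire format, applies the relay rules from RFC 1542 and RFC 3046 (stamp giaddr only if unset, increment hops, add Option 82, strip it again on the way back), and lets a toy server select a scope purely from giaddr. Addresses, MACs, port names and the scope table are constructed.

```python
"""DHCPv4 relay walk-through: client DISCOVER, relay stamps giaddr/hops and
Option 82, toy server selects the scope by giaddr, relay forwards the OFFER.

Added example of RFC 2131 / RFC 1542 / RFC 3046 relay behaviour; not DNSBOX
code. Addresses, MACs, port names and scopes are constructed.
"""
import ipaddress
import struct

HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_RELAY_INFO, OPT_END = 53, 82, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
MAX_HOPS = 4            # RFC 1542 caps hops at 16; a venue rarely needs more
BROADCAST_FLAG = 0x8000


def ip(s):
    return ipaddress.IPv4Address(s).packed


def parse(msg):
    f = struct.unpack(HEADER_FMT, msg[:236])
    if msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                      # pad option
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": addr(f[7]), "yiaddr": addr(f[8]), "siaddr": addr(f[9]),
            "giaddr": addr(f[10]), "chaddr": f[11][:6], "options": opts}


def serialize(m):
    head = struct.pack(HEADER_FMT, m["op"], 1, 6, m["hops"], m["xid"], 0, m["flags"],
                       ip(m["ciaddr"]), ip(m["yiaddr"]), ip(m["siaddr"]), ip(m["giaddr"]),
                       m["chaddr"].ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([c, len(v)]) + v for c, v in m["options"].items())
    return head + MAGIC + body + bytes([OPT_END])


def client_discover(mac, xid):
    """What a phone broadcasts on joining: no addresses yet, broadcast flag set."""
    return serialize({"op": BOOTREQUEST, "hops": 0, "xid": xid, "flags": BROADCAST_FLAG,
                      "ciaddr": "0.0.0.0", "yiaddr": "0.0.0.0", "siaddr": "0.0.0.0",
                      "giaddr": "0.0.0.0", "chaddr": mac,
                      "options": {OPT_MSG_TYPE: bytes([DHCPDISCOVER])}})


def relay_to_server(msg, relay_ip, circuit_id, remote_id):
    """Relay on the client VLAN: set giaddr if unset, bump hops, add Option 82."""
    m = parse(msg)
    if m["op"] != BOOTREQUEST or m["hops"] >= MAX_HOPS:
        return None                          # drop replies and looping requests
    m["hops"] += 1
    if m["giaddr"] == "0.0.0.0":             # only the first relay stamps giaddr
        m["giaddr"] = relay_ip
    if OPT_RELAY_INFO not in m["options"]:   # RFC 3046 sub-options: 1 circuit-id, 2 remote-id
        m["options"][OPT_RELAY_INFO] = (bytes([1, len(circuit_id)]) + circuit_id
                                        + bytes([2, len(remote_id)]) + remote_id)
    return serialize(m)


def server_offer(msg, scopes, server_ip):
    """Toy server: giaddr, not the packet's source, selects the scope.
    `scopes` maps a subnet to the address it will offer next (constructed)."""
    m = parse(msg)
    giaddr = ipaddress.IPv4Address(m["giaddr"])
    if int(giaddr) == 0:
        return None                          # not relayed; would use the receiving interface
    net = next((n for n in scopes if giaddr in n), None)
    if net is None:
        return None                          # no scope for that subnet: ignore
    m.update({"op": BOOTREPLY, "yiaddr": str(scopes[net]), "siaddr": server_ip})
    m["options"][OPT_MSG_TYPE] = bytes([DHCPOFFER])   # Option 82 is kept: server must echo it
    return serialize(m)


def relay_to_client(reply, relay_ip):
    """Relay on the return path: strip its own Option 82, pick broadcast or unicast."""
    m = parse(reply)
    if m["op"] != BOOTREPLY or m["giaddr"] != relay_ip:
        return None                          # not ours to forward
    m["options"].pop(OPT_RELAY_INFO, None)
    dest = "255.255.255.255" if m["flags"] & BROADCAST_FLAG else m["yiaddr"]
    return dest, serialize(m)


SCOPES = {ipaddress.IPv4Network("10.10.0.0/22"): ipaddress.IPv4Address("10.10.1.50"),  # guest
          ipaddress.IPv4Network("10.20.0.0/24"): ipaddress.IPv4Address("10.20.0.17")}  # staff


def walk_through():
    """One full exchange through a relay; returns the parsed messages and the return destination."""
    discover = client_discover(bytes.fromhex("0242ac110001"), xid=0x3903F326)
    relayed = relay_to_server(discover, "10.10.0.1", b"Gi1/0/24", b"sw-north-07")
    offer = server_offer(relayed, SCOPES, "172.16.0.10")
    dest, to_client = relay_to_client(offer, "10.10.0.1")
    return parse(relayed), parse(offer), dest, parse(to_client)
```

The point to notice is that the server never looks at the IP header: the relay's giaddr (10.10.0.1) places the client in the guest /22, so the offer comes from that scope even though the packet reached the server from a different subnet. This is also why the server needs enough capacity for every relay feeding it: all subnets' traffic converges on the same process.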
7. How can DHCP performance be optimised in a busy/large network?
In high-capacity environments, DHCP performance optimisation is essential to handle the substantial number of DHCP requests effectively. Below are some of the common ways that DHCP can be optimised for a large-capacity venue:
- DHCP server scalability: implement load balancing techniques or distribute DHCP server responsibilities across multiple servers to handle the increased demand efficiently. For example: setting up active-active failover allows the two DHCP servers to share the workload, which will improve DHCP performance.
- DHCP relay agent placement: strategically position DHCP relay agents to minimise network latency and response times, ensuring timely IP address assignment.
Load balancing is easy to set up on DNSBOX for DHCP because it can be clustered. The DHCP relay agent should ideally be positioned in a location that provides optimal connectivity to both the DHCP clients and the DHCP server. This may involve placing the relay agent on a router or a layer 3 switch that connects the relevant subnets.
8. What security measures should be implemented for DHCP in large venues?
Securing DHCP in large venues is crucial to protect against potential threats and to ensure the integrity of the network. Below are some of the common methods for securing DHCP on a large network:
- DHCP snooping: enable DHCP snooping on switches to validate DHCP messages and prevent unauthorised DHCP servers from operating on the network. This helps mitigate potential rogue DHCP server attacks.
- IP source guard: enable IP source guard on access ports so that a client may only send traffic from the IP (and optionally MAC) address that DHCP snooping saw the server assign to that port. This stops clients spoofing addresses that belong to other users or to infrastructure.
- DHCPv6 guard: if using IPv6, deploy DHCPv6 guard to protect against unauthorised DHCPv6 servers and prevent address configuration issues.
- DHCP options control: restrict which options the server hands out and the values they may carry, so that clients cannot be given settings, such as DNS servers or a default gateway, that redirect their traffic, and so that option content stays in line with network policy.
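The first two measures live on the access switch, and their logic is simple enough to show in full. The following is an added simulation written for this page, not vendor switch firmware or DNSBOX code: it classifies ports as trusted or untrusted, drops server messages arriving on untrusted ports (rogue server), drops client messages whose chaddr does not match the frame's source MAC or that carry Option 82 from an access port, rate-limits client DHCP per port, builds the binding table from DHCPACKs seen on the uplink, and then uses that table for IP Source Guard. Frames are constructed dicts rather than decoded from the wire; port names and addresses are made up.

```python
"""Switch-side DHCP snooping and IP Source Guard, as a small simulation.

Added example of the mechanisms listed above; not vendor firmware or DNSBOX
code. Frames are constructed dicts rather than decoded from the wire, and
port names and addresses are made up.
"""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


def frame(port, msg, mac, vlan=10, chaddr=None, yiaddr="0.0.0.0", t=0, opt82=False):
    """A DHCP frame as the switch sees it: ingress port, L2 source, DHCP fields."""
    return {"port": port, "vlan": vlan, "msg": msg, "src_mac": mac,
            "chaddr": chaddr or mac, "yiaddr": yiaddr, "t": t, "opt82": opt82}


@dataclass
class SnoopingSwitch:
    trusted_ports: set                            # uplinks / server-facing ports
    pps_limit: int = 15                           # client DHCP pkts/s tolerated per access port
    bindings: dict = field(default_factory=dict)  # (vlan, port) -> {(mac, ip)}
    _pending: dict = field(default_factory=dict)  # (vlan, chaddr) -> port that sent the request
    _rate: dict = field(default_factory=dict)     # (port, second) -> packet count

    def filter_dhcp(self, f):
        """Returns ("FORWARD", None) or ("DROP", reason); updates the binding table."""
        trusted = f["port"] in self.trusted_ports
        if f["msg"] in SERVER_MSGS:
            if not trusted:
                return "DROP", "rogue-server"         # OFFER/ACK/NAK only from trusted ports
            if f["msg"] == "ACK":
                port = self._pending.pop((f["vlan"], f["chaddr"]), None)
                if port is not None:                  # lease confirmed: who got which IP where
                    self.bindings.setdefault((f["vlan"], port), set()).add((f["chaddr"], f["yiaddr"]))
            return "FORWARD", None
        if not trusted:
            key = (f["port"], f["t"])
            self._rate[key] = self._rate.get(key, 0) + 1
            if self._rate[key] > self.pps_limit:
                return "DROP", "rate-limit"           # real switches err-disable the port here
            if f["src_mac"] != f["chaddr"]:
                return "DROP", "mac-mismatch"         # forged chaddr: pool-exhaustion attempt
            if f["opt82"]:
                return "DROP", "untrusted-option-82"  # Option 82 only from trusted relays
            bound = self._port_for(f["vlan"], f["chaddr"])
            if f["msg"] in ("RELEASE", "DECLINE") and bound is not None and bound != f["port"]:
                return "DROP", "binding-mismatch"     # cannot release a lease held on another port
        if f["msg"] in ("DISCOVER", "REQUEST"):
            self._pending[(f["vlan"], f["chaddr"])] = f["port"]
        return "FORWARD", None

    def _port_for(self, vlan, mac):
        for (v, port), leases in self.bindings.items():
            if v == vlan and any(m == mac for m, _ in leases):
                return port
        return None

    def permit_ip(self, vlan, port, src_mac, src_ip):
        """IP Source Guard for ordinary (non-DHCP) traffic: an untrusted port may only
        send from a (mac, ip) pair that snooping saw the server assign to that port."""
        if port in self.trusted_ports:
            return True
        return (src_mac, src_ip) in self.bindings.get((vlan, port), set())


def run_scenario():
    """Constructed sequence: legitimate client on Gi1/0/5, attacker on Gi1/0/7,
    real server behind uplink Gi1/0/48. Returns the switch and per-frame verdicts."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/48"})
    client, rogue, server = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:07", "00:50:56:00:00:10"
    steps = [
        frame("Gi1/0/5", "DISCOVER", client),
        frame("Gi1/0/7", "OFFER", rogue, chaddr=client, yiaddr="10.10.1.200"),   # rogue server
        frame("Gi1/0/48", "OFFER", server, chaddr=client, yiaddr="10.10.1.50"),
        frame("Gi1/0/5", "REQUEST", client),
        frame("Gi1/0/48", "ACK", server, chaddr=client, yiaddr="10.10.1.50"),
        frame("Gi1/0/7", "RELEASE", client),                                    # spoofed release
        frame("Gi1/0/7", "DISCOVER", rogue, chaddr="02:00:00:00:00:99"),        # forged chaddr
    ]
    verdicts = [sw.filter_dhcp(f) for f in steps]
    # Starvation attempt: 16 DISCOVERs within one second from the attacker's port.
    flood = [sw.filter_dhcp(frame("Gi1/0/7", "DISCOVER", f"02:00:00:00:01:{i:02x}", t=5))
             for i in range(16)]
    return sw, verdicts, flood
```

Note the ordering dependency: IP Source Guard is only as good as the binding table, and the table is only populated from ACKs that arrived on trusted ports. If the uplink to the real DHCP server is accidentally left untrusted, snooping will silently drop every lease and the venue network goes dark, so trust assignments belong in change control alongside the server configuration.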
DNSBOX for DHCP has been designed with security in mind, right from the start. The range uses a purpose-built, secure Linux operating system and can separate traffic onto different IP addresses and multiple NICs to connect different networks and user groups. It has a built-in firewall, remote administration is only allowed over secure links, and AES-encrypted IPsec connections between servers authenticate and encrypt all traffic exchanged between them. Together these features secure the DHCP service in large venues and make the network more reliable.
9. How to scale DHCP in a large venue?
There are two main ways to achieve DHCP scalability in large venues with a substantial number of devices:
- Load balancing: implement load balancing techniques, such as round-robin or weighted distribution, to spread DHCP requests across multiple DHCP servers, ensuring an even distribution of workload and optimal performance.
- DHCP server redundancy: deploy redundant DHCP servers in an active-passive or active-active configuration to handle the increased demand and provide fault tolerance.
The DNSBOX for DHCP range has been designed specifically for large networks, which means that scalability is easy and low cost. There are no set limits to the amount of data that the central management device DNSBOX400 can manage. Furthermore, it supports an unlimited number of concurrent administrators and remote secondary servers. It can be used for centralised management of any RFC-compliant DHCP server with additional benefits when used with DNSBOX200.
Managing DHCP in large venues requires careful planning, configuration and implementation of best practices. With proper DHCP configuration, security measures and scalability considerations, network managers can ensure efficient IP address allocation, seamless connectivity and reliable network performance – without the headaches.