Symmetric DHCP failover configuration

centos7dhcpisc-dhcp

I have set up a DHCP server on CentOS 7. It runs beautifully, however due to business demands, we are expanding to another site far away. This gives us the opportunity to host a failover DHCP server at this seperate location. The two locations will be connected via a site-to-site VPN.

Proposed DHCP network layout.

In the above image is a summary of our network. We will have the Perth and Melbourne sites, connected over the Internet via a VPN connection. Each site is given a different IP range to operate off. Each site will have their own DHCP server.

I would like to configure the DHCP servers as following:

DHCP 1 should serve as the primary DHCP server for Perth. That is, PC1, PC2 and PC3 will get their IPs off DHCP 1.

DHCP 2 should serve as the primary DHCP server for Melbourne. PC4, PC5 and PC6 will get their IPs off DHCP 2.

In a case where DHCP1 goes down, DHCP2 would take over the Perth site's IP allocation until DHCP1 comes back online, and vice versa. So each DHCP server shall serve as failover for the alternate location.

The only issue I can see here is that the DHCP server can not differentiate between clients in the Perth site, versus clients in the Melbourne site.

Imagining DHCP2 were not responding for some time, what is stopping DHCP 1 from assigning a Melbourne system with a Perth IP? And once this DHCP configuration is in place, how can I avoid the remote DHCP server acknowledging local requests unless it is in this failover mode?

Best Answer

First off, I'd be rather curious to know why you'd want geographically diverse DHCP servers. Local redundancy, sure -- maintenance, server crash, etc -- but if a site is so hosed that both of a HA pair (or cluster) of DHCP servers was down, I'm betting that you'll have bigger problems to worry about than whether desktop PCs are getting their DHCP requests.

If you're really dead-set on doing this, your VPN will need to be reconfigured -- it'll need to be switched to site-to-site, because you need to be able to route the whole network's traffic back and forth. Also on the subject of the VPN, you'll either need a DHCP relay on the router at each end (to re-transmit requests to the DHCP server at the other site) or else setup the VPN as a bridge, because DHCP is a broadcast-based protocol, and broadcasts don't work so well over routed networks.

Actually making the DHCP servers announce different address ranges for different networks is the easy bit. You just tell each DHCP server "requests coming over the LAN interface get addresses from this range, and requests coming over the VPN interface get addresses from this other range". For simplicity, make the ranges for a given site non-overlapping for the two DHCP servers (say, let the Perth-local DHCP server assign addresses to Perth clients from 10.0.0.64/26, and the Melbourne DHCP server assign addresses to Perth clients from 10.0.0.128/26 -- that way there's no chance of the different DHCP servers accidentally assigning the same address to two different clients, because to do that safely you need to share the lease database between the DHCP servers (and that is going to be an absolute nightmare for two DHCP servers which are serving both local and remote clients).

Related Topic