DHCP Redundancy

Glenn Satchell glenn.satchell at uniq.com.au
Tue Nov 30 03:53:12 UTC 2010

> Nathan McDavit-Van Fleet wrote:
>>  > Be warned that only HALF of the address space is "automatically"
>> taken
>>>  over by the surviving DHCP process (assuming the failover team
>>> consists
>>>  of 2 servers) :
>>>  "If one server fails, the other server will continue to renew leases
>>>  out of the pool, and will allocate new addresses out of the roughly
>>>  half of available addresses that it had when communications with the
>>>  other server were lost. "
>>Is this true? Doesn't this make the fail-over rather limited then? I
>> imagine
>>on a high churn network it wouldn't take long before the server is no
>> longer
>>able to supply enough IP addresses to clients (having only legacy clients
>> on
>>the other half).
> Yes, it's (sort of) true **without admin intervention**. During
> normal ops, the two servers will share any free addresses evenly
> between them - so they will each 'own' about half of the free
> addresses.
> That does not mean they own half of all the leased addresses since
> it's quite possible to have all the clients using just one server.
> You could configure one server to not answer immediately, and so
> clients will normally get their leases from the other one.
> Also, if one server is 'closer' in network terms to most of the
> clients, then that will tend to be favoured. An example of that would
> be if you run a failover pair with one at a central location and
> another on-site in a satellite office. Clients in the satellite
> office will almost always get a reply from the local server long
> before the packets have gone back and forth across the WAN link to
> the central server.
> If one server fails, the other will go into communications
> interrupted mode. It cannot know that the other server is actually
> down* and so it will NOT give out any addresses owned by it's peer.
> However, once the admin tells it that the other machine is actually
> down then the remaining server WILL process the full address space on
> it's own - and operation will be more or less the same as with the
> failover pair operating.
> * There are many topplogies where two servers can be implemented. It
> is far from impossible to get a situation where the two servers are
> unable to talk to each other, but are still able to talk to clients.
> So the servers cannot assume that just because they can't talk to
> each other, that they can safely assume the other one can't talk to
> clients.
> On the other hand, if you do wish to do that, it is not hard to knock
> up a script to detect a server in comms interrupted mode and put it
> into partner down mode. If you decide to do that, then it is your
> decision based on your priorities and knowledge of your network.
> --
> Simon Hobson
Remember though, that just because a dhcp server is down the clients don't
lose their addresses immediately. It is only when the lease expires, or a
client boots without a lease that it won't get one from the server. The
servers continually balance the available leases so that they are split
50/50 between the servers. This is because you can't tell which server may
fail, so it is fairest if they have an equal number potentially available
to them.

The worst case is where you have short lease times and high churn rates.
If you have long lease times (ie greater than the likely length of an
outage) then it's not so much of a problem. There is an inteface using
OMAPI where you can put the surviving server in partner-down mode. This
allows it to allocate leases from the full range of IPs.


More information about the dhcp-users mailing list