Recovery protocol - minimize outage time

[Simon Hobson]

Amanda Edades <ampaed1 at gmail.com> wrote:

> ... I am not sure if a single server can handle potentially up to 350,000 leases being renewed every 60 seconds for 16+ minutes

To which the obvious response is "don't set a short lease time" !
Setting very short lease times is a recipe for problems - it artificially increases the load on your server (typically just when you don't need it), and it also increases the effect of high server load.

Eg, say you load up your server to the point where it misses some requests. With a lease of (say) 2 hours, a client will start trying to renew at 1 hour into the lease (ie 1 hour left). It will try harder and harder as time goes on but it will only drop off the network after a full hour. That means you could take the DHCP servers offline completely for up to an hour and the only devices affected would be those newly joining without a current lease.

Set your lease to 60 seconds and clients will attempt to renew at 30s. After just another 30 seconds the device will drop off the network. That doesn't give you much time between a problem occurring and the helldesk phones going into meltdown !

Plugging your numbers in, 350,000 leases means roughly 350,000 renewals/hour with a 2 hours lease - or just under 100/second. With a 60 second lease, that makes it around 700,000 renewals per *minute*, or heading on for 12,000 renewals/second. That latter figure will take some serious server capacity and performance tweaking to handle. But to make it worse, if you don't have some very high spec server and it lags behind, it'll have to handle several times that load as clients will probably not wait long before they send another renewal request, then a shorter time, then a shorter time before they broadcast a Discover packet (which means even more server load). You don't need much of a backlog and the load rockets, the backlog increases, and your network falls over as devices fall off it.