DHCP policies
An enterprise network has several types of devices: desktops, printers, mobiles, laptops and so on. An enterprise administrator needs to ensure that all these different types of device are provisioned appropriately for network connectivity. This requires that they have a valid IP address, either assigned statically or leased out by the DHCP server. An enterprise also has to deal with employees bringing personal devices such as tablets or smartphones into the workplace. The Bring Your Own Device (BYOD) phenomenon requires the admin to control network access and other network configuration of these devices.
These scenarios require the administrator to deliver different network configuration parameters (DHCP options) to different device types. Using DHCP policies, a new feature of the DHCP server in Windows Server 2012, an admin can configure the DHCP server to provide different parameters to devices based on device type.
While this article illustrates how an administrator can configure different lease durations for different classes of devices using DHCP policies, the same approach extends to any other network configuration option delivered via DHCP, including the IP address itself.
Scenario
An enterprise has the following types of devices for which network connectivity is required: servers, desktops, printers, desk phones and mobile phones. The admin would like each type of device to have a different lease duration:
- Desktops: Standard lease duration of 8 days (default set for a scope).
- Printers: Lengthier lease duration of 60 days as they are unlikely to be moved around frequently and are expected to be up and running all the time.
- Servers: Server computers, which are typically expected to be stationary and up all the time, can be configured for a lengthy lease duration of 60 days.
- Desk phones: These have similar requirements, with a lengthy lease duration of 30 days.
- Mobile phones: These devices are expected to move in and out of the network; hence smaller lease duration of just 8 hours is desired.
There are a couple of ways you can define a grouping of these devices:
- Vendor Class Identifier. Most devices send this DHCP option with a specific string which helps identify the device type and the vendor. For example, Nortel phones could have a Vendor Class of "Nortel-i2004-A".
- MAC address. Every DHCP request contains the MAC address of the device. The first 3 bytes of the 48-bit MAC address contain the OUI (Organizationally Unique Identifier). For example, one of the common OUIs for Apple devices is 00-1B-63, while HTC uses F8-DB-7F as one of its OUIs.
By defining conditions of a DHCP policy to be based on Vendor Class identifier or MAC address prefix, you can group clients into different device types.
Let’s see how we can define a grouping for the different devices:
- Printers: If your organization uses HP printers with JetDirect cards, you can define a new vendor class "HP printers" with the data of the vendor class definition set to "Hewlett-Packard JetDirect" on the DHCP server.
- Servers: The server computers can be grouped based on the MAC addresses of the network adapter of each server.
- Desk phones: If the desk phones are Nortel IP phones, you can create a Vendor Class named "Nortel phone" with the data of the vendor class definition set to "Nortel-i2004-A" on the DHCP server. Cisco IP phones also send a specific vendor class (for example, "Cisco Systems, Inc. IP Phone CP-7940G") in the DHCP message.
- Mobile phones: Depending on the type of mobile, a phone can be identified either by its Vendor Class Identifier (Android phones tend to use a Vendor Class starting with "dhcpcd") or by the OUI (MAC address prefix) of the phone vendor (as with Apple and HTC).
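To make the two matching mechanisms concrete, here is an added example (not from the original article) that simulates offline, without the DhcpServer module, how a policy's conditions classify a request by its Vendor Class Identifier (DHCP option 60) or by the OUI prefix of its MAC address. The policy table mirrors the grouping above; the sample requests, their host names and the "dhcpcd-5.5.6" class string used for the Android entry are constructed for the example, and the simulation evaluates policies in list order and stops at the first match, which is a simplification assumed here. Both identifiers are supplied by the client in its own request, so a policy sorts devices by what they claim to be; it does not verify the claim.

```powershell
# Added example, not part of the original article: offline simulation of how a
# DHCP policy's conditions classify a client. No DhcpServer cmdlets are used.

# Normalise a MAC written with '-', ':' or '.' separators (e.g. "00-1B-63-xx-xx-xx")
# into the 12-hex-digit form the DHCP server cmdlets expect (e.g. "001B63xxxxxx").
function ConvertTo-DhcpMac([string]$Mac) {
    return ($Mac -replace '[-:.]', '').ToUpperInvariant()
}

# One policy condition: either a vendor class string or a MAC address pattern.
# A trailing '*' turns the comparison into a prefix match (the "Append wildcard"
# option in the MMC, or "F8DB7F*" on the cmdlet); otherwise it is an exact match.
function Test-PolicyCondition([hashtable]$Condition, [string]$VendorClass, [string]$Mac) {
    if ($Condition.Type -eq 'VendorClass') {
        $subject = $VendorClass
        $pattern = $Condition.Value
    } else {
        $subject = ConvertTo-DhcpMac $Mac
        $pattern = ConvertTo-DhcpMac $Condition.Value
    }
    if ($pattern.EndsWith('*')) { return $subject.StartsWith($pattern.TrimEnd('*')) }
    return $subject -ceq $pattern   # vendor class data is binary on the wire, so compare case-sensitively
}

# Policies in the order they are processed. Every policy here uses the OR operator,
# so a client matches as soon as any one of its conditions matches.
$policies = @(
    @{ Name = 'Printers';      Lease = [TimeSpan]::FromDays(60)
       Conditions = @(@{ Type = 'VendorClass'; Value = 'Hewlett-Packard JetDirect' }) },
    @{ Name = 'Servers';       Lease = [TimeSpan]::FromDays(60)
       Conditions = @(@{ Type = 'MACAddress'; Value = '00-12-AB-CD-34-D2' },
                      @{ Type = 'MACAddress'; Value = '01-23-AB-43-CD-6E' }) },
    @{ Name = 'Desk phones';   Lease = [TimeSpan]::FromDays(30)
       Conditions = @(@{ Type = 'VendorClass'; Value = 'Nortel-i2004-A' }) },
    @{ Name = 'Mobile phones'; Lease = [TimeSpan]::FromHours(8)
       Conditions = @(@{ Type = 'VendorClass'; Value = 'dhcpcd*' },   # "starts with dhcpcd", as the article describes Android
                      @{ Type = 'MACAddress';  Value = 'F8-DB-7F*' }, # HTC OUI from the article
                      @{ Type = 'MACAddress';  Value = '00-1B-63*' }) } # Apple OUI from the article
)
$scopeDefaultLease = [TimeSpan]::FromDays(8)   # the scope's own lease, used when no policy matches

# Returns the first policy whose conditions match the request, with the lease it grants.
function Get-PolicyMatch([string]$VendorClass, [string]$Mac) {
    foreach ($policy in $policies) {
        foreach ($cond in $policy.Conditions) {
            if (Test-PolicyCondition $cond $VendorClass $Mac) {
                return [pscustomobject]@{ Policy = $policy.Name; Lease = $policy.Lease }
            }
        }
    }
    return [pscustomobject]@{ Policy = '(scope default)'; Lease = $scopeDefaultLease }
}

# Constructed sample requests: the option 60 string and MAC as the server would see them.
$clients = @(
    @{ Host = 'lab-printer'; VendorClass = 'Hewlett-Packard JetDirect'; Mac = '3C:D9:2B:11:22:33' },
    @{ Host = 'srv01';       VendorClass = 'MSFT 5.0';                  Mac = '00-12-AB-CD-34-D2' },
    @{ Host = 'phone-17';    VendorClass = 'Nortel-i2004-A';            Mac = '00-19-E1-44-55-66' },
    @{ Host = 'iphone';      VendorClass = '';                          Mac = '00:1b:63:aa:bb:cc' },
    @{ Host = 'android';     VendorClass = 'dhcpcd-5.5.6';              Mac = 'F0-DE-AD-BE-EF-01' },
    @{ Host = 'desktop-42';  VendorClass = 'MSFT 5.0';                  Mac = 'AC-DE-48-00-11-22' }
)

foreach ($c in $clients) {
    $m = Get-PolicyMatch $c.VendorClass $c.Mac
    '{0,-12} {1,-16} lease {2}' -f $c.Host, $m.Policy, $m.Lease
}
```

The normalisation step is the part worth keeping in mind when copying OUIs from a vendor list: the article writes them as 00-1B-63, while the cmdlets and the policy conditions take 12 hex digits with an optional trailing *, as in 001B63*. The desktop in the sample matches nothing and therefore falls through to the scope's 8-day lease, which is the behaviour described later in the article.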
Configuring DHCP policies with different lease duration
Now, given a scope (say 10.0.0.0), we will configure a DHCP policy for each type of device and ensure that devices are assigned an IP address from this scope only for the required lease duration.
For some of the devices listed above, we will add a corresponding Vendor Class on the DHCP server as shown in the screenshot below. The value for each created Vendor Class must be the value that the device sends in the Vendor Class field of the DHCP packet when requesting an address. Consult the device documentation to determine the vendor class string used by the vendor of the device.
To create a Vendor Class for Nortel phones, which send the vendor class "Nortel-i2004-A", open the ‘Define Vendor Classes’ context menu on the IPv4 node in the DHCP MMC and use the UI shown in Figure 1.
Figure 1: Adding a Vendor Class
Similarly, one could create a Vendor Class for HP printers with "HP Printer" as the name and, say, "Hewlett-Packard JetDirect" in the data field, and so on for the other types of devices. Finally, the DHCP Vendor Class UI would look similar to Figure 2. The first three Vendor Classes exist by default on the Windows DHCP server.
Figure 2: DHCP Vendor Classes
We will now create a different policy for each type of device as follows. For example, the policy for printers will have the condition ‘Vendor Class Equals "HP Printer"’.
Figure 3: Conditions page of Policy for HP Printers
Once the policy is created using the policy creation wizard in DHCP MMC, right click on the policy and go to its Properties. On the General tab, you can set the lease duration for this policy. For printers, we will set it to 60 days.
Figure 4: Setting lease duration on policy properties dialog
We have now created a policy for printers that assigns a lease to printers (devices with Vendor Class "HP Printer") for a duration of 60 days.
In a similar vein, you can create policies for the other types of device and set the policy lease duration as shown above.
To create a policy for servers, you can create a MAC-address based policy with all of the servers’ MAC addresses in the condition of the policy.
Figure 5: Conditions dialog and wizard page for policy for servers
Similarly, the policy for mobile phones can have several conditions, each identifying one of the possible phone vendors. One could identify Android phones by their Vendor Class Identifier, and others such as HTC and Apple by their MAC address prefix (OUI).
Figure 6: Conditions dialog and wizard page for policy for phones
Now finally, we have four policies created as shown in the results pane below.
Figure 7: Results pane for policies
For each of these policies, you can configure the lease duration to the appropriate values as shown below.
Figure 8: Policy properties dialog to set the lease duration
Assuming that the scope’s lease duration is left at the default of 8 days, all devices that don’t meet any of the policies’ criteria will get an IP address with the scope’s lease duration of 8 days.
If the administrator so desires, the IP range of the scope can also be partitioned so that a specific range is set aside for printers, another for phones and so on. That has not been depicted in this post but can be done easily using IP ranges within the policy.
Note: throughout this example, we have shown the creation of a scope-level policy and the setting of the lease duration for that policy. One can also create a server-level policy and set the lease duration for it. The lease durations configured via such a server-level policy apply to all matching devices irrespective of which subnet/scope they are in.
Using PowerShell to configure policies with different lease duration
To do the same set of operations as above using PowerShell, we essentially need to create four policies within the scope and set option 51 (the lease time) for each of those policies.
Let us assume there exists a valid scope 10.0.0.0. We need to create definitions for the Vendor Classes on the DHCP server. Vendor Classes can be created using the Add-DhcpServerv4Class cmdlet. As specified earlier, for these policies to work properly, the data value of each created Vendor Class must be the value that the device sends in the vendor class field of the packet when requesting an address. An example of the creation of a vendor class:
```powershell
# -Name is what the policy's -VendorClass condition refers to below ("HP Printer"),
# so it must match there; -Data must match what the device sends in option 60.
Add-DhcpServerv4Class -Name "HP Printer" -Type Vendor -Data "Hewlett-Packard JetDirect"
```
Similarly, the Vendor Class definitions for the other types of device can be configured on the server. Thereafter, the following set of commands creates policies with the appropriate lease durations.
```powershell
Add-DhcpServerv4Policy -Name "Printers" -Description "Policy for printers" -ScopeId 10.0.0.0 -Condition "OR" -VendorClass "EQ", "HP Printer"
Add-DhcpServerv4Policy -Name "Servers" -Description "Policy for specific servers" -ScopeId 10.0.0.0 -Condition "OR" -MACAddress "EQ", "0012ABCD34D2", "EQ", "0123AB43CD6E", "EQ", "0A1234ABCDEF"
Add-DhcpServerv4Policy -Name "Desk phones" -Description "Policy for Nortel phones" -ScopeId 10.0.0.0 -Condition "OR" -VendorClass "EQ", "Nortel Phones"
Add-DhcpServerv4Policy -Name "Mobile phones" -Description "Policy for mobile phones" -ScopeId 10.0.0.0 -Condition "OR" -VendorClass "EQ", "Android" -MACAddress "EQ", "F8DB7F*", "EQ", "001B63*"

<# Option 51 (lease time) takes its value in seconds #>
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -PolicyName "Printers" -OptionId 51 -Value 5184000      <# 5184000 = 60 * (24*60*60), i.e. 60 days #>
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -PolicyName "Servers" -OptionId 51 -Value 5184000       <# 60 days #>
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -PolicyName "Desk phones" -OptionId 51 -Value 2592000   <# 2592000 = 30 * (24*60*60), i.e. 30 days #>
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -PolicyName "Mobile phones" -OptionId 51 -Value 28800   <# 28800 = 8 * (60*60), i.e. 8 hours #>
```
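The same procedure as one re-runnable script, added here as an example rather than taken from the original article: it creates each Vendor Class only if it is missing, creates the policies, writes option 51 from a TimeSpan so that no multiplier is worked out by hand, and then reads the stored values back and compares them with the intended lease. It assumes the scope 10.0.0.0 from the article, the DhcpServer module in an elevated session on the DHCP server (add -ComputerName to each cmdlet to run it remotely), the class and policy names used in the commands above and the article's sample MAC addresses; the data string "dhcpcd" for the Android class is an assumption and should be replaced with what the handsets in your environment actually send.

```powershell
# Added example, not part of the original article. Requires the DhcpServer module
# and an elevated session on the DHCP server.

$scopeId = '10.0.0.0'   # scope from the article

# Vendor Class definitions. -Data must be exactly what the device sends in option 60;
# the names are what the policy conditions below refer to.
$vendorClasses = @(
    @{ Name = 'HP Printer';    Data = 'Hewlett-Packard JetDirect' },
    @{ Name = 'Nortel Phones'; Data = 'Nortel-i2004-A' },
    @{ Name = 'Android';       Data = 'dhcpcd' }   # assumption: replace with the string your handsets send
)
foreach ($vc in $vendorClasses) {
    # Add-DhcpServerv4Class fails if the class already exists, so check first to keep re-runs clean.
    if (-not (Get-DhcpServerv4Class -Type Vendor -Name $vc.Name -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Class -Name $vc.Name -Type Vendor -Data $vc.Data
    }
}

# Policies: name, condition parameters (splatted onto Add-DhcpServerv4Policy) and the
# lease each should grant. MAC addresses are the article's sample values.
$policies = @(
    @{ Name = 'Printers';      Lease = [TimeSpan]::FromDays(60)
       Conditions = @{ VendorClass = 'EQ', 'HP Printer' } },
    @{ Name = 'Servers';       Lease = [TimeSpan]::FromDays(60)
       Conditions = @{ MACAddress = 'EQ', '0012ABCD34D2', 'EQ', '0123AB43CD6E', 'EQ', '0A1234ABCDEF' } },
    @{ Name = 'Desk phones';   Lease = [TimeSpan]::FromDays(30)
       Conditions = @{ VendorClass = 'EQ', 'Nortel Phones' } },
    @{ Name = 'Mobile phones'; Lease = [TimeSpan]::FromHours(8)
       Conditions = @{ VendorClass = 'EQ', 'Android'; MACAddress = 'EQ', 'F8DB7F*', 'EQ', '001B63*' } }
)
foreach ($p in $policies) {
    if (-not (Get-DhcpServerv4Policy -ScopeId $scopeId -Name $p.Name -ErrorAction SilentlyContinue)) {
        $cond = $p.Conditions
        Add-DhcpServerv4Policy -Name $p.Name -ScopeId $scopeId -Condition "OR" @cond
    }
    # Option 51 is the lease time in seconds; deriving it from the TimeSpan avoids hand-multiplied constants.
    $seconds = [string][int]$p.Lease.TotalSeconds
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $p.Name -OptionId 51 -Value $seconds
}

# Verification: read back what the server actually stores, so a mistyped class name or a
# wrong multiplier shows up now rather than as an unexpected lease a month later.
foreach ($p in $policies) {
    $stored = Get-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $p.Name -OptionId 51
    $actual = [TimeSpan]::FromSeconds([double]$stored.Value[0])
    $state  = if ($actual -eq $p.Lease) { 'OK' } else { 'MISMATCH' }
    '{0,-14} expected {1,-12} stored {2,-12} {3}' -f $p.Name, $p.Lease, $actual, $state
}

# Active leases grouped by the policy that issued them; PolicyName is blank for clients
# that matched no policy and received the scope's own lease.
Get-DhcpServerv4Lease -ScopeId $scopeId |
    Where-Object AddressState -eq 'Active' |
    Select-Object IPAddress, ClientId, HostName, PolicyName, LeaseExpiryTime |
    Sort-Object PolicyName, IPAddress |
    Format-Table -AutoSize
```

The lease listing at the end is the quickest way to confirm that devices are landing in the intended policy: a printer whose lease shows a blank PolicyName and an expiry about 8 days out is sending a vendor class string that differs from the class data configured on the server.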