22-19
Cisco CNS Network Registrar User’s Guide
OL-6240-02
Chapter 22 Advanced DHCP Server Properties
Setting DHCP Forwarding
VPN and Subnet Allocation Tuning Parameters
Consider these tuning parameters for VPNs and on-demand address pools.
• Keep orphaned leases that have nonexistent VPNs—Network Registrar usually maintains leases that
do not have an associated VPN in Network Registrar’s state database. You can change this by
enabling the DHCP attribute delete-orphaned-leases. The server maintains a lease state database
that associates clients with leases. If a scope modification renders the existing leases invalid, the
lease database then has orphaned lease entries. These are typically not removed even after the lease
expires, because the server tries to use this data in the future to reassociate a client with a lease. One
downside to this is that the lease database may consume excessive disk space. When you enable the
delete-orphaned-leases attribute, such lease database entries are removed during the next server
reload. However, be cautious when enabling this attribute, because rendering leases invalid can
result in clients using leases that the server believes to be free. This can compromise network
stability.
• Keep orphaned subnets that have nonexistent VPNs or address blocks—This is the default behavior,
although you can change it by enabling the DHCP attribute dhcp enable delete-orphaned-subnets.
As the DHCP server starts up, it reads its database of subnets and tries to locate the parent VPN and
address block of each subnet. With the attribute enabled, if a subnet refers to a VPN that is no longer
configured in the server, or if the server cannot locate a parent address block that contains the subnet,
the server permanently deletes the subnet from the state database.
• Keep the VPN communication open—This is the default behavior, although you can change it by
disabling the DHCP attribute vpn-communication. The server can communicate with clients that
reside on a different VPN from that of the server by using an enhanced DHCP relay agent capability.
This is signaled by the appearance of the vpn-id suboption of the relay-agent-info option (82). You
can disable the vpn-communication attribute if the server is not expected to communicate with
clients on a different VPN than the server. The motivation is typically to enhance network security
by preventing unauthorized DHCP client access.
Setting DHCP Forwarding
The Network Registrar DHCP server supports forwarding DHCP packets to another DHCP server on a
per-client basis. For example, you might want to redirect address requests from certain clients, with
specific MAC address prefixes, to another DHCP server. This can be useful and important in situations
where the server being forwarded to is not one that you manage. This occurs in environments where
multiple service providers supply DHCP services for clients on the same virtual LAN.
Enabling DHCP forwarding requires implementing an extension script. The DHCP server intercepts the
specified clients and calls its forwarding code, which checks the specified list of forwarded server
addresses. It then forwards the requests rather than processing them itself. You attach and detach
extensions to and from the DHCP server using dhcp attachExtension and dhcp detachExtension.
The DHCP forwarding feature works like this:
1. When DHCP is initialized, the server opens a UDP socket, which it uses to send forwarded packets.
To support servers with multiple IP addresses, the socket address pair consists of INADDR_ANY
and any port number. This enables clients to use any one of the server’s IP addresses.
2. When the DHCP server receives a request from a client, it processes these extension point scripts:
–
post-packet-decode
–
pre-client-lookup
–
post-client-lookup