7

Can someone provide cons and pros for having DHCP in a data center?

I know this is usually a taboo, but maybe there were developments which alleviate the said issues?

Thanks.

SyRenity
  • 3,159
  • 11
  • 55
  • 79

6 Answers6

15

I vote no. Allow me to enumerate my reasons.

1: Reliability.
Having each server machine rely on dhcp in order to have its networking stack come up correctly adds another potential fault. In a server environment, where you're trying as hard as possible to achieve maximum availability, adding another moving part is not a good idea

2: Security
DHCP essentially hands anyone plugging into the switch a valid lease. Yes, you can specify that only known MACs get leases, and everyone else is denied, but a better place for this is dynamic VLANs.

3: Documentation
Having a central DHCP pool which assigns addresses willy-nilly is insane for a server block. Assigning a server a specific IP via DHCP is less insane, in the sense that having 3 imaginary pink elephants chasing you is less insane than 5.

4: Management
Not only to you have to specify in the DHCP server what each machine is assigned to, you have to keep documentation of it. And you have to update ALL of the documentation any time anything changes. New network card? Update documentation and DHCP server and DNS, etc.

Simple is better.

Matt Simmons
  • 20,218
  • 10
  • 67
  • 114
  • 1
    +1 Pink Elephans made me lol – Zypher Jan 04 '10 at 18:07
  • Thanks for the detailed reasoning. Just a question - does the DHCP reservations provide any value? Or it essentially same as static IP assignment, with the added burden of MAC addresses management? – SyRenity Jan 04 '10 at 18:10
  • If your DHCP server is configured sanely AND is functioning, then it's effectively the same as static IPs...but why add another service dependency? High Availability DHCP isn't something you hear a lot... – Matt Simmons Jan 04 '10 at 18:23
  • 2
    I think it's worth mentioning that your reasons for not using DHCP aren't always as strong as they appear. 1) With regard to reliability, DHCP is one of the most reliable protocol/server implementations around. Problems with DHCP tend to be network problems, which tend to take servers offline anyway. 2) You can configure DHCP to be perfectly secure, this is a straw-man. 3) The DHCP configuration *is* great documentation. 4) Same, the configuration *is* the documentation. – Travis Bradshaw Jan 04 '10 at 21:13
  • Also, in regards to (4) Management. You could replace "DHCP server" with "locally on every server" with no change in meaning. – Travis Bradshaw Jan 04 '10 at 21:14
  • Hi Travis, thanks for the comments. Because DHCP as a protocol is reliable, does not make it fault tolerant. If the host is down, no amount of protocol robustness will counteract that. Absolutely DHCP can be done securely. Fortunately, there are better ways to achieve the same security. Such as disabling it. Configuration can make fine documentation, or it can suck. As long as it's replicated away from the machine, replicated into the documentation system, and tied between, then there are no problems. – Matt Simmons Jan 05 '10 at 03:17
  • And regarding management, if there's a network of any appreciable complexity, chances are good that there's an inventory agent running on the machine (or connecting remotely) that automatically updates the information. The initial work is just the assigning of the IP. As Zypher said, DHCP used to do an initial build-out is useful, if you don't have a dedicated staging area to do that sort of thing. I can see why you have DHCP running, but I disagree that it's worth the potential loss of services. Out of curiosity, what's your lease time for servers? – Matt Simmons Jan 05 '10 at 03:20
  • Thanks for the advice. I must say both points are strong, but I intuitively (which I may regret later), leaning towards DHCP-less environment. Just a question - how practical is managing the static IP addresses via some configuration changes system, like Puppet? Thanks again. – SyRenity Jan 05 '10 at 16:23
  • syrenity: If you find that your IP addresses change often, sure. If they don't, do you suspect that it's something that hsould need changed? Because if it changes without puppet, there's no guarantee that it'll be able to communicate with the puppetmaster – Matt Simmons Jan 05 '10 at 23:56
  • Fear is never a reason to not do something. An active server should have a static IP. A small number of IPs cut out to be in the DHCP pool for PXE booting is a very nice luxury. But management is key. If you can't measure it you can't manage it, if you can't manage it you shouldn't be running it. – toppledwagon Feb 04 '11 at 08:29
14

Generally speaking, DHCP with reservations is the "best of breed" for IP management in the datacenter, depending (of course) on the particular needs of your data center.

Pros:

  • DHCP with reservations allows centralized management of your address space. A single place for administrators to reference and edit your address space without necessarily having to reference the namespace (DNS). This is particular great if your administrators naturally "split" in duties at the network layer.
  • DHCP can provide the ability to dynamically assign resources with correct ip in the address space. A reinstalled server comes up with the correct IP immediately without consultation.
  • Dynamic allocation is particularly great for rapid server deployment, where automation handles the majority of system installation.

Cons:

  • DHCP providers a point of failure that can prevent network access. (It's particularly nasty if one forgets to lower the time out for the dhcp client.)
  • Network design must consider DHCP broadcast traffic. This can complicate routing and provide another level of potential failure for network access.
  • Managing DNS and DHCP separately is considered burdensome by some.
  • A failed DHCP assignment can result in the 169 network being created, firewalls and routers should be suitably prepared.

Very rarely is it wise to run DHCP in a data center without reservations, though some blend is appropriate. In many settings, the "Cons" for DHCP with reservations end up being non-issues (if the router can take out DHCP, well, the servers aren't accessible anyway, etc). It's also commonly a decision regarding size. A datacenter with hundreds or thousands of servers with frequent deployments and reinstallation will certainly use some DHCP, even if it's only for testing/deployment. A datacenter with a few servers will likely be fine with everything statically assigned.

Travis Bradshaw
  • 241
  • 1
  • 4
  • What about managing MAC addresses, doesn't it introduce another level of burden? – SyRenity Jan 04 '10 at 18:15
  • Well, it depends on what you consider a burden. For many deployments, MAC addresses and IP addresses need to be documented anyway. A well crafted DHCP configuration file makes a great documentation for both. Every layer of the network stack is important to datacenter design, so "ignoring" MAC addresses really isn't an option anyway. Most admins I know prefer to reference the DHCP configuration file, rather than having to wade through router/switch configuration (or wait on a network admin to have time to respond). – Travis Bradshaw Jan 04 '10 at 18:17
  • Hi Travis. Thanks for the excellent points, I really deliberated hard which way would be the best for me, and currently I still thinking that DHCP-less environment is more attractive, as long as I manage to run the machines IP's using some remote configuration system. – SyRenity Jan 05 '10 at 17:06
  • No problem. Glad I could help. Good luck. :) – Travis Bradshaw Jan 07 '10 at 03:07
2

The only exception to not running DHCP in the datacenter is this:

DHCP on a DEDICATED build VLAN so you can PXE boot new servers after you rack them to image them.

There is no other good reason to have DHCP running in a datacenter as already pointed out so well by everyone else.

Zypher
  • 36,995
  • 5
  • 52
  • 95
1

Why are people so worried about DHCP in the data centre?

  • DHCP makes management easier
  • In the MS world at least, DHCP is very reliable
  • If worried, make sure it is the only workload on the DHCP server
  • Understand how leases work. A DHCP server being down is far from being a disaster, clients (including servers) will continue to work
  • There are number of ways to make MS DHCP highly available that are documented and supported by MS
  • Use reservations, agree that in general you don't want server workloads to have dynamically assigned addresses
  • DHCP, DDNS and Active Directory all couple together nicely
  • These topics are mostly covered in other posts here
  • There seems to be a lot of emotion on this debate here and on other forums. Why? Neither is 'right' or 'wrong' and even a hybrid solution can be used. The size of your infrastructure, the amount of change, your organisation's operational maturity, your appetite or aversion to risk, your service levels, your staffing levels, etc, etc, all factor in to these things

Disclaimer - I've implemented DHCP in the data centre and had no issues when I was an infrastructure manager, but now as a consultant for many customers I wouldn't do it. It all depends ....

The following is copied from MS. Think this through and think about why you worry so much about DHCP in the data centre:

If clients receive address allocations from a DHCP server, it is important to be able to predict how they will be affected by any DHCP server downtime. In general, the longer the lease period, the lesser the effects will be if the DHCP downtime remains short. For example, if client lease periods are set to the default of 8 days, clients do not attempt to renew the lease until 50 percent of this period (4 days) has lapsed. If the original DHCP server is unavailable at this time, the client continues with this leased address until 87.5 percent of the lease period (7 days) and then attempts to renew with any DHCP server. With clients attempting to renew after 4 days, even if the DHCP server were to remain unavailable for 2 days, clients would not reach the 87.5 percent rebinding state. Therefore, you do not normally need to worry about any outage that is within 25 percent of the lease duration. Similarly, the shorter the lease times, the shorter the time available to recover the DHCP server.

user156009
  • 11
  • 1
1

I personally believe DHCP is fine in a data center, if using shared address space. DHCP doesn't really mean it has to be dynamic addresses; they can be fixed.

So long as you provide redundant DHCP servers (DHCP failover) so DHCP is always available, things should be fine.

People used to think leaving switch ports to auto-select speeds and duplex was a bad idea, and now I don't know of anyone who spends the time configuring a switch such.

Michael Graff
  • 6,588
  • 1
  • 23
  • 36
0

Erm...it's good for client PCs in the office next to a data centre...

...printers too if you must...

...but no, still a bad idea for servers, production ones at least - maybe in a dev/test environment I guess, or for VPSs if you had no other choice.

Chopper3
  • 100,240
  • 9
  • 106
  • 238