Whether in an existing network or a new one, there is one aspect of the design that cannot be ignored: deciding whether the IP address distribution will be dynamic (automatic) or manual (one by one) or, most commonly, a combination. of the two.
By choosing to distribute them dynamically, you are choosing to use a Dynamic Host Configuration Protocol (DHCP) service somewhere on your network, and there may be a few tricks for that regardless of the server you use. For this discussion, I will describe how to use user classes on a Windows DCHP server to specify a range of IP addresses and assign range-specific DHCP options.
In the background, DHCP is a protocol between the server and the client in which the server automatically provides IP addresses to clients when they join a network, rather than the addresses being assigned manually per device.
The DHCP function in a network can be performed by different types of hardware (security devices, L3 switches, DHCP servers), but it doesn’t have to be just one of them; it may be what works best for what you are trying to do. A common DHCP configuration that I use is to run the service on a security device to host IP address ranges pooled as a subnet for dynamic distribution (scopes) that only need Internet access, such as IoT or guest networks. Then I run a separate DHCP server to handle devices and scopes within the domain accessing internal resources.
There are many reasons to choose DHCP over static allocation, the most important of which is ease of use. In most companies, there will be at least one DHCP server on the network serving IP addresses from at least one scope that will be delivered to devices as they connect to the network. Scopes are configurable and can range from two IP addresses to thousands.
Microsoft’s DHCP server handles as many scopes as you need and has a fairly simple GUI for configuration and administration. It also supports subsets of scopes, called classes, to help organize addresses by users and devices in a logical way. User classes and provider classes allow you to assign DHCP options to groups of clients by specifying policies that will apply to some users or devices, but not all within the same scope. Classes within scopes can be useful if you want to separate a group of devices into a scope segment while maintaining dynamic hosting. For example, I recently used user classes to assign addresses of a particular scope to SD-WAN users working remotely. Because the network between the DHCP server and the proxy server that configured the VPN links to the clients was virtual, I used user classes to distinguish SD-WAN clients from native clients.
Both the DHCP user classes and the provider classes are identifiers that use a minimum of 1 octet within the IP address request sent from the DHCP client to the DHCP server. Its purpose is to define policy criteria such as labels denoting class, vendor-specific information, or to specify DHCP servers. By using user or provider classes with DHCP policies, you can specify device types and organize which range receives IP addresses within a given scope. There are several ways to use DHCP policies, but I will show how to use user classes on a Windows DCHP server to specify a range and assign range-specific DHCP options on that class.
How to implement user classes
To implement user classes, you must first connect to the DHCP server located in your domain. As long as your DHCP server is a Windows 2012 or later server, the following steps will apply.
First open the DHCP Microsoft Management Console (MMC) snap-in and connect to the server. Once you have it open, right-click on the IPv4 icon to access the drop-down menu and click on Define User Classes:
In the “DHCP User Classes” dialog box, you will see the existing user classes by name and description. To add a new one, just click “Add …”.
In the “New Class” dialog, you will need to add the display name, description, and ASCII name of the class. The display name and description are really only for your own organization, but having them describe what you are trying to use the class for can help make it easier to identify them later.
The ASCII field is the important area that will act as the actual “label” for the packets arriving at the DHCP server. For this field, do not use spaces between words and be sure to be case-sensitive as it is case sensitive. I’ve had mixed success with special characters. Some, like hyphens or underscores, work, and some, like pound signs, don’t. I have not seen restrictions on the use of characters in the Microsoft documentation, so please be aware of that. Be sure to make a note of what you put there for later and click “OK” when you’re done. The “Binary” field to the left of the ASCII field will be filled in automatically as you fill in the ASCII name.
Once your new user class has been added, click “Close” to exit this dialog.
Back in the main DHCP MMC snap-in, expand the scope to which this user class will apply, right-click on the “Policies” folder and select “New Policy …” from the drop-down menu.
In the “Policy Name” field, enter a name that makes sense to you and your team when you review it later. Fill in the “Description” field with the purpose for which you want to use this policy. Click Next”.
In the “DHCP Policy Configuration Wizard”, click “Add” to add a condition for the policy.
In the “Add / Edit Condition” dialog, use the drop-down menu to change the “Criteria:” field from Provider Class to User Class.
Change the “Value:” field to the new user class you just created.
Click the “Add” button when all your selections are correct.
Then press “OK” to close the dialog and returning to the setup wizard, click “Next” to continue.
On the next screen you are presented with an option. You can use the default range for that scope or you can specify a range for those devices. In the example below, I select “Yes” for a specific range of IP addresses and specify the ranges below that. Once you specify the ranges, the wizard will show what percentage of the available reach you are reserving for this policy. In the following example it is 15%. Click “Next” when you are done with these options.
On the next screen of the wizard, you can configure unique settings for the policy by selecting the “Provider Class” drop-down item, such as “DHCP Standard Options”, “Microsoft Options”, and so on.
Then select the “Available Options” check boxes below. Click “Next” when you have made all your selections.
The next page of the wizard presents a summary of the selections you have chosen. If they are correct, click “Finish” to close the dialog.
On a Windows server, the user class must be applied to the network interface to be recognized. To apply it, open a command prompt as administrator. Enter “ipconfig” to confirm that you are not in the correct range or that you do not have the correct options configured.
To configure the user class, type “ipconfig / setclassid ethernet “testuserclass”“, But replacing testuserclass with the name of the user class you created.
If successful, once you reboot and run ipconfig again in an admin console, you will see that the policies have been applied. In my case, an IP address has been assigned from the range defined by the policy.
Copyright © 2021 IDG Communications, Inc.