Hi.
Can someone provide cons and pros for having DHCP in a data center?
I know this is usually a taboo, but maybe there were developments which alleviate the said issues?
Thanks.
-
Erm...it's good for client PCs in the office next to a data centre...
...printers too if you must...
...but no, still a bad idea for servers, production ones at least - maybe in a dev/test environment I guess, or for VPSs if you had no other choice.
From Chopper3 -
I vote no. Allow me to enumerate my reasons.
1: Reliability.
Having each server machine rely on dhcp in order to have its networking stack come up correctly adds another potential fault. In a server environment, where you're trying as hard as possible to achieve maximum availability, adding another moving part is not a good idea2: Security
DHCP essentially hands anyone plugging into the switch a valid lease. Yes, you can specify that only known MACs get leases, and everyone else is denied, but a better place for this is dynamic VLANs.3: Documentation
Having a central DHCP pool which assigns addresses willy-nilly is insane for a server block. Assigning a server a specific IP via DHCP is less insane, in the sense that having 3 imaginary pink elephants chasing you is less insane than 5.4: Management
Not only to you have to specify in the DHCP server what each machine is assigned to, you have to keep documentation of it. And you have to update ALL of the documentation any time anything changes. New network card? Update documentation and DHCP server and DNS, etc.Simple is better.
Zypher : +1 Pink Elephans made me lol: Thanks for the detailed reasoning. Just a question - does the DHCP reservations provide any value? Or it essentially same as static IP assignment, with the added burden of MAC addresses management?Matt Simmons : If your DHCP server is configured sanely AND is functioning, then it's effectively the same as static IPs...but why add another service dependency? High Availability DHCP isn't something you hear a lot...Travis Bradshaw : I think it's worth mentioning that your reasons for not using DHCP aren't always as strong as they appear. 1) With regard to reliability, DHCP is one of the most reliable protocol/server implementations around. Problems with DHCP tend to be network problems, which tend to take servers offline anyway. 2) You can configure DHCP to be perfectly secure, this is a straw-man. 3) The DHCP configuration *is* great documentation. 4) Same, the configuration *is* the documentation.Travis Bradshaw : Also, in regards to (4) Management. You could replace "DHCP server" with "locally on every server" with no change in meaning.Matt Simmons : Hi Travis, thanks for the comments. Because DHCP as a protocol is reliable, does not make it fault tolerant. If the host is down, no amount of protocol robustness will counteract that. Absolutely DHCP can be done securely. Fortunately, there are better ways to achieve the same security. Such as disabling it. Configuration can make fine documentation, or it can suck. As long as it's replicated away from the machine, replicated into the documentation system, and tied between, then there are no problems.Matt Simmons : And regarding management, if there's a network of any appreciable complexity, chances are good that there's an inventory agent running on the machine (or connecting remotely) that automatically updates the information. The initial work is just the assigning of the IP. As Zypher said, DHCP used to do an initial build-out is useful, if you don't have a dedicated staging area to do that sort of thing. I can see why you have DHCP running, but I disagree that it's worth the potential loss of services. Out of curiosity, what's your lease time for servers?: Thanks for the advice. I must say both points are strong, but I intuitively (which I may regret later), leaning towards DHCP-less environment. Just a question - how practical is managing the static IP addresses via some configuration changes system, like Puppet? Thanks again.Matt Simmons : syrenity: If you find that your IP addresses change often, sure. If they don't, do you suspect that it's something that hsould need changed? Because if it changes without puppet, there's no guarantee that it'll be able to communicate with the puppetmasterFrom Matt Simmons -
I personally believe DHCP is fine in a data center, if using shared address space. DHCP doesn't really mean it has to be dynamic addresses; they can be fixed.
So long as you provide redundant DHCP servers (DHCP failover) so DHCP is always available, things should be fine.
People used to think leaving switch ports to auto-select speeds and duplex was a bad idea, and now I don't know of anyone who spends the time configuring a switch such.
From Michael Graff -
The only exception to not running DHCP in the datacenter is this:
DHCP on a DEDICATED build VLAN so you can PXE boot new servers after you rack them to image them.
There is no other good reason to have DHCP running in a datacenter as already pointed out so well by everyone else.
From Zypher -
Generally speaking, DHCP with reservations is the "best of breed" for IP management in the datacenter, depending (of course) on the particular needs of your data center.
Pros:
- DHCP with reservations allows centralized management of your address space. A single place for administrators to reference and edit your address space without necessarily having to reference the namespace (DNS). This is particular great if your administrators naturally "split" in duties at the network layer.
- DHCP can provide the ability to dynamically assign resources with correct ip in the address space. A reinstalled server comes up with the correct IP immediately without consultation.
- Dynamic allocation is particularly great for rapid server deployment, where automation handles the majority of system installation.
Cons:
- DHCP providers a point of failure that can prevent network access. (It's particularly nasty if one forgets to lower the time out for the dhcp client.)
- Network design must consider DHCP broadcast traffic. This can complicate routing and provide another level of potential failure for network access.
- Managing DNS and DHCP separately is considered burdensome by some.
- A failed DHCP assignment can result in the 169 network being created, firewalls and routers should be suitably prepared.
Very rarely is it wise to run DHCP in a data center without reservations, though some blend is appropriate. In many settings, the "Cons" for DHCP with reservations end up being non-issues (if the router can take out DHCP, well, the servers aren't accessible anyway, etc). It's also commonly a decision regarding size. A datacenter with hundreds or thousands of servers with frequent deployments and reinstallation will certainly use some DHCP, even if it's only for testing/deployment. A datacenter with a few servers will likely be fine with everything statically assigned.
: What about managing MAC addresses, doesn't it introduce another level of burden?Travis Bradshaw : Well, it depends on what you consider a burden. For many deployments, MAC addresses and IP addresses need to be documented anyway. A well crafted DHCP configuration file makes a great documentation for both. Every layer of the network stack is important to datacenter design, so "ignoring" MAC addresses really isn't an option anyway. Most admins I know prefer to reference the DHCP configuration file, rather than having to wade through router/switch configuration (or wait on a network admin to have time to respond).: Hi Travis. Thanks for the excellent points, I really deliberated hard which way would be the best for me, and currently I still thinking that DHCP-less environment is more attractive, as long as I manage to run the machines IP's using some remote configuration system.Travis Bradshaw : No problem. Glad I could help. Good luck. :)From Travis Bradshaw
0 comments:
Post a Comment