Policy Based Assignment DHCP – Windows Server 2012

A) Introduce

Policy Based Assignment is a new feature in DHCP (Windows Server 2012). Enable policy-based IP address allocation. Policy Based Assignment (PBA) allows to group and classify Client Devices together based on some properties in the Client Request packet, then allocate IP according to the policy defined by the administrator.

The purpose of implementing PBA is to easily classify devices and arrange them into a certain IP range, from which it is easy to administer and set up some optimal features.

The principle of operation of PBA is based on the fields (fields) in the Client Request packet:

• Vendor Class
• User Class
• MAC address
• Client Identifier
• Relay Agent Information

Multiple Device Type : Classify important devices based on device properties (Vendor Class: IP Phone, Printer, Desktop) and arrange them into a certain IP range, next the administrator can set QoS (Quality of Service) ) for that IP range.

Multiple Roles: can classify and separate client devices (Laptop, desktop, server) into a separate IP range (IP range for server, IP range for desktop). Moreover, if the company has laptop clients and they connect by Wireless in the company. And if the configuration of IP allocation for these Wireless connected devices is in the form of Relay Agent. Then you can use the Relay Agent Information field to classify these wireless devices to a certain IP range and configure the Lease Duration time (the time the IP address lasts) to be 4 hours. It is also possible to disable (disable) Dynamic Update DNS for these devices (simply because they are not needed).

Virtualization : Most virtual machines (Virtual machines) you create in a virtualized environment use a certain range of MAC Prefixes (for example, Prefix MAC with the first 6 numbers being 00-15-5D). Based on this MAC Prefix, you can configure PBA to allow virtual machines within a certain IP range, from which you can set DHCP options such as: Default Gateway, DNS, Lease Duration.

B) Description

Address allocation:

1) After the DHCP Server receives the Client Request packet, it will look at the Default Gateway to determine which subnet the packet is coming from, then it will search in the Scope list to find the Scope that matches that subnet.

2) Next, the DHCP Server will check in the Scope whether the Policy Based Assignment is configured or not, and if so, prioritize the policies in the PBA.

3) If considering policies in PBA that do not match (match) with all policies, then DHCP Server will grant normal IP as defined in Scope. If appropriate, proceed to grant IP in the policy that we specify.

4) A client request can match multiple conditions in that policy. And will grant the lowest IP address in that IP range (172.1.1.31) , if the lowest IP address has been granted, the 2nd IP address will be taken to grant (172.1.1.32). In addition, in a policy where multiple IP ranges can be configured (for example, there are 2 ranges, range 1 is 172.1.1.30 – 172.1.1.40 and range 2 is 172.1.1.70 – 172.1.1.80), the system will use range 1 first, if range 1 runs out, then take range 2 out). In case the 2 ranges are full and there are no more IP addresses to grant, the client request packet will be dropped by the DHCP Server.

Allocate Option : Each policy in the Scope will have a separate Option (DNS, Default Gateway, Lease Duration). If the client matches any policy, it will receive the IP and options in that policy.

C) Deploy Policy Based Assignment

Model :

• AD machine (172.1.1.1/24) : Install DHCP role and configure PBA. With 2 policies, one for Client Computer (in terms of MAC Address), one for virtual machines in Hyper-V1 Server (in terms of MAC Prefix).
• Client Computer: Windows 8.1, please provide an IP address in the range 172.1.1.34 – 172.1.1.35
• Hyper-V1 : have 2 virtual machines VM1 and VM2 apply for an IP address in the range 172.1.1.37 – 172.1.1.39, create a virtual machine can refer to at this.

Perform :

1) Install DHCP on the AD machine

• Enable and license DHCP Server in Domain

2) Create a Scope (IP Range, Default Gateway, DNS)

• IP range from : 172.1.1.30 – 172.1.1.40

• Default Gateway : 172.1.1.1 (AD.huypd.com)

• Create and enable permission to use Scope.

3) Create allocation policy for Client Computer

• First, we have to go to the Client Computer, go to Run -> CMD -> type “Ipconfig /all” to see the MAC Address

• Next, on the DHCP Server create a Policy

• Mechanism : AND if all the required conditions are matched, then grant | OR : just match one of the conditions that require us to configure

• Critera: select MAC Address, then enter the MAC Address in the Value box and click Add

• If the policy is satisfied, declare the IP level from which clause to which clause in the Scope we have just created

• Next configure Default Gateway in Option number “003 Router”

• Configure DNS in Option “006 DNS Server”

• Click Finish to finish

• Go to Client Computer type “Ipconfig /renew” and check if the level is correct according to the Policy we just created.

4) Allocate by IP Prefix MAC Address for virtual machines

• After creating 2 virtual machines, we start 2 virtual machines

• Go to virtual machine 1 to see the MAC Address: 00-15-5D-01-02-0b

• Go to virtual machine 2 to see the MAC Address: 00-15-5D-01-02-0C

• Implement New Policy in DHCP Server

• Comparing the two MAC Addresses of the two virtual machines above, we see that they share the same MAC Prefix range (fixed) and start from: 00-15-5D-01 . Proceed to declare in with the value “00155D01*” and stick in the box Appen Wildcard

• 30