Multiple DHCP Scopes per Interface

Topics:

•	What are Multiple DHCP Scopes per Interface?

•	Benefits of Multiple DHCP Scopes

•	How Do Multiple DHCP Scopes per Interface Work?

What are Multiple DHCP Scopes per Interface?

Often, DHCP clients and server(s) reside on the same IP network or subnet, but sometimes DHCP clients and their associated DHCP server(s) do not reside on the same subnet. The Multiple DHCP Scopes per Interface feature allows one DHCP server to manage different scopes for clients spanning multiple subnets.

Benefits of Multiple DHCP Scopes

Efficiency – A single DHCP server can provide IP addresses for clients spanning multiple subnets.

Compatible with DHCP over VPN – The processing of relayed DHCP messages is handled uniformly, regardless of whether it comes from a VPN tunnel or a DHCP relay agent.

Multiple Scopes for Site-to-Site VPN – When using an internal DHCP server, a remote subnet could be configured using scope ranges that differ from the LAN/DMZ subnet. The scope range for the remote subnet is decided by the “Relay IP Address” set in the remote gateway.

Multiple Scopes for Group VPN – When using an internal DHCP server, a SonicWALL GVC client could be configured using scope ranges that differ from the LAN/DMZ subnet. The scope range for GVC client is decided by the “Relay IP Address (Optional)” set in the central gateway.

Compatible with Conflict Detection – Currently, DHCP server performs server-side conflict detection when this feature is enabled. The advantage of server-side conflict detection is that it detects conflicts even when the DHCP client does not run client-side conflict detection. However, if there are a lot of DHCP clients on the network, server-side conflict detection can result in longer waits for a full IP address allocation to complete. Conflict Detection (and Network Pre-Discovery) are not performed for an IP address which belongs to a “relayed” subnet scope. The DHCP server only performs a conflict detection ICMP check for a subnet range attached to its interface.

How Do Multiple DHCP Scopes per Interface Work?

Normally, a DHCP client initiates an address allocating procedure by sending a Broadcast DHCP Discovery message. Since most routes do not forward broadcast packets, this method requires DHCP clients and server(s) to reside on the same IP network or subnet.

When DHCP clients and their associated DHCP server are not on the same subnet, some type of third-party agent (BOOTP relay agent, IP Helper, etc.) is required to transfer DHCP messages between clients and server. The DHCP relay agent populates the giaddr field with its ingress interface IP address and then forwards it to the configured DHCP server. When the DHCP server receives the message, it examines the giaddr field to determine if it has a DHCP scope that could be used to supply an IP address lease to the client.

Figure 14. Multiple subnets sharing one DHCP server

The Multiple DHCP Scopes per Interface feature provides security enhancements to protect against potential vulnerabilities inherent in allowing wider access to the DHCP server. The DHCP Advanced Setting page provides security with a new tab for Trusted Agents where trusted DHCP relay agents can be specified. The DHCP server discards any messages relayed by agents which are not in the list.

Figure 15. Trusted DHCP relay agents