This chapter contains the following sections:
The SonicWALL security appliance includes a DHCP (Dynamic Host Configuration Protocol) server to distribute IP addresses, subnet masks, gateway addresses, and DNS server addresses to your network clients. The Network > DHCP Server page includes settings for configuring the SonicWALL security appliance’s DHCP server.
You can use the SonicWALL security appliance’s DHCP server or use existing DHCP servers on your network. If your network uses its own DHCP servers, make sure the Enable DHCP Server checkbox is unchecked.
The number of address ranges and IP addresses the SonicWALL DHCP server can assign depends on the model, operating system, and licenses of the SonicWALL security appliance. The table below shows maximum allowed DHCP leases for SonicWALL security appliances.
This section provides an introduction to the DHCP server options feature. This section contains the following subsections:
The SonicWALL DHCP server options feature provides support for DHCP options, also known as vendor extensions, as defined primarily in RFCs 2131 and 2132. DHCP options allow users to specify additional DHCP parameters in the form of predefined, vendor-specific information that is stored in the options field of a DHCP message. When the DHCP message is sent to clients on the network, it provides vendor-specific configuration and service information. The “DHCP Option Numbers” section provides a list of DHCP options by RFC-assigned option number.
The SonicWALL DHCP server options feature provides a simple interface for selecting DHCP options by number or name, making the DHCP configuration process quick, easy, and compliant with RFC-defined DHCP standards.
The SonicWALL DHCP server options feature allows definition of DHCP options using a drop-down menu based on RFC-defined option numbers, allowing administrators to easily create DHCP objects and object groups, and configure DHCP generic options for dynamic and static DHCP lease scopes. Once defined, the DHCP option is included in the options field of the DHCP message, which is then passed to DHCP clients on the network, describing the network configuration and service(s) available.
The SonicWALL DHCP server options feature supports the following standards:
The following sections provide an overview of the Multiple DHCP Scopes per Interface feature:
Often, DHCP clients and server(s) reside on the same IP network or subnet, but sometimes DHCP clients and their associated DHCP server(s) do not reside on the same subnet. The Multiple DHCP Scopes per Interface feature allows one DHCP server to manage different scopes for clients spanning multiple subnets.
Efficiency – A single DHCP server can provide IP addresses for clients spanning multiple subnets.
Compatible with DHCP over VPN – The processing of relayed DHCP messages is handled uniformly, regardless of whether it comes from a VPN tunnel or a DHCP relay agent.
Multiple Scopes for Site-to-Site VPN – When using an internal DHCP server, a remote subnet could be configured using scope ranges that differ from the LAN/DMZ subnet. The scope range for the remote subnet is decided by the “Relay IP Address” set in the remote gateway.
Multiple Scopes for Group VPN – When using an internal DHCP server, a SonicWALL GVC client could be configured using scope ranges that differ from the LAN/DMZ subnet. The scope range for the SonicWALL GVC client is decided by the “Relay IP Address (Optional)” set in the central gateway.
Compatible with Conflict Detection – Currently, the SonicWALL DHCP server performs server-side conflict detection when this feature is enabled. The advantage of server-side conflict detection is that it detects conflicts even when the DHCP client does not run client-side conflict detection. However, if there are a lot of DHCP clients on the network, server-side conflict detection can result in longer waits for a full IP address allocation to complete. Conflict Detection (and Network Pre-Discovery) are not performed for an IP address which belongs to a “relayed” subnet scope. The DHCP server only performs a conflict detection ICMP check for a subnet range attached to its interface.
Normally, a DHCP client initiates an address allocation procedure by sending a broadcast DHCP Discovery message. Since most routers do not forward broadcast packets, this method requires DHCP clients and server(s) to reside on the same IP network or subnet.
When DHCP clients and their associated DHCP server are not on the same subnet, some type of third-party agent (BOOTP relay agent, IP Helper, etc.) is required to transfer DHCP messages between clients and server. The DHCP relay agent populates the giaddr field with its ingress interface IP address and then forwards it to the configured DHCP server. When the DHCP server receives the message, it examines the giaddr field to determine if it has a DHCP scope that could be used to supply an IP address lease to the client.
Figure 24:1
The Multiple DHCP Scopes per Interface feature provides security enhancements to protect against potential vulnerabilities inherent in allowing wider access to the DHCP server. The DHCP Advanced Setting page provides security with a new tab for Trusted Agents where trusted DHCP relay agents can be specified. The DHCP server discards any messages relayed by agents which are not in the list.
Figure 24:2
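As an added illustration (not SonicWALL code), the following Python models the server-side relay handling described above: it parses a DHCP message's fixed header and RFC 2132 options field, selects a scope from giaddr for relayed messages or from the ingress interface otherwise, and discards messages from relay agents that are not on the Trusted Agents list. The scopes, the trusted-agent address, and the constructed DHCPDISCOVER packets are assumptions made for the example.

```python
import struct
import ipaddress

# Assumed settings (not from the page): one scope attached to an interface, one relayed scope.
TRUSTED_AGENTS = {"10.20.0.1"}   # assumed Trusted Agents list (DHCP Advanced Setting page)
SCOPES = {
    ipaddress.ip_network("172.16.31.0/24"): ("172.16.31.2", "172.16.31.254"),  # attached
    ipaddress.ip_network("10.20.0.0/24"): ("10.20.0.100", "10.20.0.200"),      # relayed
}
MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that precedes the options field

def build_discover(mac, giaddr="0.0.0.0"):
    """Construct a minimal DHCPDISCOVER (BOOTREQUEST) for the example; not a real capture."""
    pkt = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)   # op..flags (broadcast)
    pkt += b"\x00" * 12 + ipaddress.IPv4Address(giaddr).packed          # ciaddr/yiaddr/siaddr/giaddr
    pkt += bytes.fromhex(mac.replace(":", "")) + b"\x00" * (16 - 6)      # chaddr, padded to 16
    pkt += b"\x00" * (64 + 128)                                          # sname, file
    return pkt + MAGIC + bytes([53, 1, 1, 55, 2, 1, 3, 255])            # type=Discover, PRL, End

def parse_dhcp(pkt):
    """Parse the fixed header (RFC 2131) and the tag/length/value options (RFC 2132)."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    giaddr = str(ipaddress.IPv4Address(pkt[24:28]))
    chaddr = pkt[28:28 + hlen].hex(":")
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:    # option 255 = End
        if pkt[i] == 0:                       # option 0 = Pad, has no length byte
            i += 1
            continue
        tag, length = pkt[i], pkt[i + 1]
        options[tag] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "giaddr": giaddr, "chaddr": chaddr, "options": options}

def select_scope(msg, ingress_ip):
    """Pick the lease scope as the page describes: giaddr selects a relayed scope, the ingress
    interface selects an attached one; messages from untrusted relay agents are discarded (None)."""
    if msg["giaddr"] != "0.0.0.0":
        if msg["giaddr"] not in TRUSTED_AGENTS:
            return None                        # relayed by an agent not on the Trusted Agents list
        key, relayed = ipaddress.ip_address(msg["giaddr"]), True
    else:
        key, relayed = ipaddress.ip_address(ingress_ip), False
    for net, rng in SCOPES.items():
        if key in net:   # the conflict-detection ICMP check only runs for attached scopes
            return {"range": rng, "relayed": relayed, "conflict_detection": not relayed}
    return None
```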
If you want to use the SonicWALL security appliance’s DHCP server, select Enable DHCP Server on the Network > DHCP Server page.
The following DHCP server options can be configured:
• Select Enable Conflict Detection to turn on automatic DHCP scope conflict detection on each zone. When this feature is enabled, the SonicWALL DHCP server performs server-side conflict detection. The advantage of server-side conflict detection is that it detects conflicts even when the DHCP client does not run client-side conflict detection. However, if there are a lot of DHCP clients on the network, server-side conflict detection can result in longer waits for a full IP address allocation to complete.
• Select Enable DHCP Server Network Pre-Discovery to have the DHCP server scan for other DHCP server networks. The following options can be modified to customize the performance of DHCP server network pre-discovery:
– DHCP Server Conflict Detect Period: Sets how often the DHCP server scans for other networks. The default is 300 seconds.
– Number of DHCP resources to discover: Sets the number of DHCP networks that are scanned for. The default is 10.
– Timeout for conflicted resource to be rechecked: Sets the duration of time after which conflicted resources are re-checked. The default is 1800 seconds.
– Timeout for available resource to be rechecked: Sets the duration of time after which available resources are re-checked. The default is 600 seconds.
Note: Conflict detection and network pre-discovery are not performed for an IP address which belongs to a “relayed” subnet scope. The DHCP server only performs a conflict detection ICMP check for a subnet range attached to its interface.
To configure Option Objects, Option Groups, and Trusted Agents, click the Advanced button. For detailed information on configuring these features, see “Configuring Advanced DHCP Server Options”.
DHCP server persistence is the ability of the firewall to save DHCP lease information and to provide the client with a predictable IP address that does not conflict with another user on the network, even after a client reboot.
DHCP server persistence works by storing DHCP lease information periodically to flash memory. This ensures that users have predictable IP addresses and minimizes the risk of IP addressing conflicts after a reboot.
DHCP server persistence provides a seamless experience when a user reboots a workstation. The DHCP lease information is saved, and the user retains the same workstation IP address. When a firewall is restarted, usually due to maintenance or an upgrade, DHCP server persistence provides the following benefits:
• IP address uniqueness: Lease information is stored in flash memory, so the risk of assigning the same IP address to multiple users is nullified.
• Ease of use: By saving the lease information in the flash memory, the user’s connections are automatically restored.
To configure DHCP Server Persistence, select the Enable DHCP Server Persistence checkbox. Optionally, you can modify how often the DHCP server stores DHCP lease information by modifying the DHCP Server Persistence Monitoring Interval field. The default is 5 minutes.
The DHCP Server Lease Scopes table displays the currently configured DHCP IP ranges. The table shows:
• Type: Dynamic or Static.
• Lease Scope: The IP address range, for example 172.16.31.2 - 172.16.31.254.
• Interface: The interface the range is assigned to.
• Details: Detailed information about the lease, displayed as a tool tip when you hover the mouse pointer over the Details icon.
• Configure: Click the Configure icon.
The current DHCP lease information is displayed in the Current DHCP Leases table. Each binding entry displays the IP Address, the Ethernet Address, and the Type of binding (Dynamic, Dynamic BOOTP, or Static BOOTP).
To delete a binding, which frees the IP address on the DHCP server, click the Delete icon next to the entry. For example, use the Delete icon to remove a host when it has been removed from the network and you need to reuse its IP address.