#71 DHCP Failover and Security

Our DHCP failover system is up and running. It's pretty cool seeing this in action. We talk about what we did and how we got it to work. We also talk about how this applies to security. Using the CIA triad and a risk assessment, you quickly realize that DHCP availability is important: if the only DHCP server is down, clients cannot get or renew leases. While you may not need DHCP failover, it is something to think about.

Our ISC DHCP failover configuration is below.

dhcpd.conf - Primary

authoritative;

ddns-update-style none;

option domain-name "section9.lan";
option broadcast-address 10.100.5.255;

default-lease-time 600;
max-lease-time 7200;

log-facility local7;

failover peer "dhcp-failover" {
    primary;
    address 10.100.5.7;
    port 519;
    peer address 10.100.5.8;
    peer port 520;
    max-response-delay 60;
    max-unacked-updates 10;
    load balance max seconds 3;
    mclt 3600;
    split 128;
}

subnet 10.100.5.0 netmask 255.255.255.0 {
    option domain-name-servers 10.100.6.2;
    option routers 10.100.5.1;
    pool {
        failover peer "dhcp-failover";
        range 10.100.5.100 10.100.5.200;
    }
}

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
    algorithm hmac-md5;
    secret 9WDRJ8EvOkFeOF91UmxIbPd8AAXcIg==;
}


dhcpd.conf - Secondary

authoritative;

ddns-update-style none;

option domain-name "section9.lan";
option broadcast-address 10.100.5.255;

default-lease-time 600;
max-lease-time 7200;

log-facility local7;

failover peer "dhcp-failover" {
    secondary;
    address 10.100.5.8;
    port 520;
    peer address 10.100.5.7;
    peer port 519;
    max-response-delay 60;
    max-unacked-updates 10;
    load balance max seconds 3;
}

subnet 10.100.5.0 netmask 255.255.255.0 {
    option domain-name-servers 10.100.6.2;
    option routers 10.100.5.1;
    pool {
        failover peer "dhcp-failover";
        range 10.100.5.100 10.100.5.200;
    }
}

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
    algorithm hmac-md5;
    secret 9WDRJ8EvOkFeOF91UmxIbPd8AAXcIg==;
}
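The two configs only work as a pair if they mirror each other: the secondary's peer address/port must point at the primary's address/port and vice versa, mclt and split appear only on the primary, and both pools cover the same range. This added check (example code written for this page, not part of ISC dhcpd or the original post) parses the failover peer block from a pair of dhcpd.conf texts and reports any mismatch before you restart the servers; the embedded configs are constructed samples modelled on the ones above, with the omapi key block left out since it plays no part in the peering.

```python
import re

# Constructed sample configs modelled on the page's primary/secondary layout.
PRIMARY = '''failover peer "dhcp-failover" { primary; address 10.100.5.7; port 519;
  peer address 10.100.5.8; peer port 520; max-response-delay 60;
  max-unacked-updates 10; load balance max seconds 3; mclt 3600; split 128; }
subnet 10.100.5.0 netmask 255.255.255.0 {
  pool { failover peer "dhcp-failover"; range 10.100.5.100 10.100.5.200; } }'''
SECONDARY = '''failover peer "dhcp-failover" { secondary; address 10.100.5.8; port 520;
  peer address 10.100.5.7; peer port 519; max-response-delay 60;
  max-unacked-updates 10; load balance max seconds 3; }
subnet 10.100.5.0 netmask 255.255.255.0 {
  pool { failover peer "dhcp-failover"; range 10.100.5.100 10.100.5.200; } }'''


def failover_block(cfg):
    """Return (peer name, {statement: value}) for the top-level failover peer block."""
    m = re.search(r'failover peer "([^"]+)"\s*\{(.*?)\}', cfg, re.S)
    stmts = {}
    for stmt in m.group(2).split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        parts = stmt.rsplit(" ", 1)  # "peer address 10.100.5.8" -> key, value
        stmts[parts[0]] = parts[1] if len(parts) == 2 else True  # bare "primary;"
    return m.group(1), stmts


def pool_range(cfg):
    m = re.search(r"range\s+(\S+)\s+(\S+);", cfg)  # first pool range in the file
    return m.groups() if m else None


def check_pair(primary_cfg, secondary_cfg):
    """Cross-check the two dhcpd.conf files; returns a list of problems (empty = consistent)."""
    pname, p = failover_block(primary_cfg)
    sname, s = failover_block(secondary_cfg)
    problems = []
    if pname != sname:
        problems.append("failover peer names differ")
    if "primary" not in p or "secondary" not in s:
        problems.append("role statements are not primary/secondary")
    if (p.get("address"), p.get("port")) != (s.get("peer address"), s.get("peer port")):
        problems.append("secondary's peer address/port do not point at the primary")
    if (s.get("address"), s.get("port")) != (p.get("peer address"), p.get("peer port")):
        problems.append("primary's peer address/port do not point at the secondary")
    for k in ("mclt", "split"):  # these two are primary-only statements
        if k not in p:
            problems.append(f"primary is missing {k}")
        if k in s:
            problems.append(f"{k} belongs only on the primary")
    if pool_range(primary_cfg) != pool_range(secondary_cfg):
        problems.append("failover pool ranges differ")
    return problems
```

Run `check_pair` on the real files read from both hosts; an empty list means the peering statements agree.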


Damien Hull