- Dell adds to PowerEdge server lineup
- Cerebras claims record in molecular dynamics simulations, says it’s 748x faster than Frontier supercomputer
- The Overlooked Danger Within: Managing Insider Threats
- ICO Urges More Data Sharing to Tackle Fraud Epidemic
- Looking to lead technology teams in 2025? Follow this CDO's advice
DHCP: How to work with user classes on Windows
Whether in an existing network or a new one, there is an aspect of design that cannot be skipped: deciding if handing out IP addresses will be dynamic (automatic) or manual (one-by-one) or—the most common—a combination of the two.
By choosing to distribute them dynamically you are choosing to use a dynamic host configuration protocol (DHCP) service somewhere on your network, and there can be some tricks to that regardless of what server you use. For this discussion, I will describe how to use user classes on a Windows DCHP Server to specify a range of IP addresses and to assign range-specific DHCP options.
For background, DHCP is a protocol between server and client with the server automatically providing IP addresses to clients as they join a network rather than the addresses being manually assigned per device.
The DHCP role in a network can be performed by different types of hardware (security appliances, L3 switches, DHCP servers), but it doesn’t have to be just one of them; it can be whatever works best for what you are trying to do. A common DHCP setup I use is running the service on a security appliance to host ranges of IP addresses grouped as a subnet for dynamic distribution—scopes—that only need access to the internet, such as guest or IoT networks. Then I run a separate DHCP server to handle devices and scopes within the domain that accesses internal resources.
There are many reasons to choose DHCP over static assignment, the biggest being ease of use. In most enterprises there will be at least one DHCP server on the network serving IP addresses from at least one scope to be given out to devices as they connect to the network. Scopes are configurable and can range from two IP addresses to thousands.
Microsoft’s DHCP server handles as many scopes as you need and has a pretty simple GUI for setup and management. It also supports subsets of scopes, called classes, to help organize addresses by users and devices in a logical way. User classes and vendor classes allow you to assign DHCP options to groups of clients by specifying policies that will apply to some users or devices but not all of them within the same scope. Classes within scopes can be useful if you want to separate a group of devices to one segment of a scope while still maintaining dynamic hosting. For example, I recently used user classes to assign addresses from a particular scope to SD-WAN users working remotely. Because the network between the DHCP server and the proxy server that set up VPN links to clients was virtual, I used user classes to distinguish the SD-WAN clients from native clients.
DHCP user classes and vendor classes alike are identifiers that use a minimum of 1 octet within the IP-address request sent from the DHCP client to the DHCP server. Their purpose is to define policy criteria such as tags that denote class, specific vendor information, or to specify DHCP servers. By using user or vender classes with DHCP policies you can specify types of devices and organize what range they receive IP addresses from within a given scope. There are several ways to use DHCP policies but I will show how to use user classes on a Windows DCHP Server to specify a range and to assign range-specific DHCP options on that class.
How to implement user classes
To implement user classes you first need to connect to the DHCP server that is in your domain. As long as your DHCP server is a Windows server 2012 or newer, the following steps will apply.
First open the DHCP Microsoft Management Console (MMC) snap-in and connect to the server. Once you have it open, right click on the IPv4 icon to access the drop-down menu and click on Define User Classes:
On the “DHCP User Classes” dialog box you will see the existing user classes by name and description. To add a new one simply click on “Add…”.
In the “New Class” dialog box you will need to add the display name, description, and ASCII name of the class. The display name and description are really only for your own organization, but having them describe what you are trying to use the class for may help make it easier to identify them later.
The ASCII field is the important area that will act as the actual “tag” for the packets coming to the DHCP server. For this field do not use spaces between the words and be sure to be mindful of case, as it is case sensitive. I have had mixed success with special characters. Some, such as hyphens or underscores, work and others, like pound signs, don’t. I haven’t seen restrictions on use of characters in the Microsoft documentation, so keep that in mind. Be sure to take note of what you put there for later and click “OK” when you are done. The “Binary” field to the left of the ASCII field will auto fill as you fill in the ASCII name.
Once your new user class is added, click “Close” to exit this dialog box.
Back at the main DHCP MMC snap-in, expand the scope you will be applying this user class to, right-click on the “Policies” folder, and select “New Policy…” from the drop-down menu.
In the “Policy Name” field enter a name that will make sense to you and your team when you look back on this later. Fill in the “Description” field with what you are aiming to use this policy for. Click “Next”.
On the “DHCP Policy Configuration Wizard” click “Add” to add a condition for the policy.
In the “Add/Edit Condition” dialog box, use the drop-down menu to change the “Criteria:” field from Vendor Class to User Class.
Change the “Value:” field to the new user class you just created.
Click the “Add” button when all of your selections are correct.
Then press “OK” to close the dialog box and returning to the configuration wizard, click “Next” to continue.
On the following screen you are presented with a choice. You can use the default range for that scope or you can specify a range for those devices. In the example below, I select “Yes” for a specific range of IP addresses and specified the ranges below that. Once you specify the ranges, the wizard will display what percentage of the available scope you are setting aside for this policy. In the example below it is 15%. Click “Next” when finished with these options.
On the next screen of the wizard you can configure unique settings for the policy by selecting the “Vendor class” drop down item such as “DHCP Standard Options”, “Microsoft Options”, etc.
Then further select from the “Available Options” checkboxes below it. Click “Next” when you have made all of your selections.
The next page of the wizard presents a summary of the selections you have chosen. If they are correct click “Finish” to close the dialog box.
On a Windows server the user class has to be applied to the network interface for it to be recognized. To apply it, open a command prompt as administrator. Type in “ipconfig” to confirm that it is not in the right range or doesn’t have the right options set.
To set the user class type in “ipconfig /setclassid ethernet “testuserclass””, but replacing testuserclass with the name of the user class you created.
If you were successful, once you reboot and run ipconfig again in an administrator console you will see that the policies have been applied. In my case an IP address has been assigned from the policy-defined range.
Copyright © 2021 IDG Communications, Inc.