failover or vrrp

Simon Hobson dhcp at thehobsons.co.uk
Wed May 31 07:20:04 UTC 2006


JVNC04 Yahoo wrote:
>Can someone tell me what will be the best topology choice for DHCP server
>security:
>vrrp or failover?

Neither, best is option 3:

A careful network design and implementation making the choices 
(compromises) that fit YOUR network requirements!


More seriously, they are different technologies designed to solve 
different problems.

VRRP is a router failover protocol, designed to allow a router to 
fail and the backup to pick up the load. It will protect you (in a 
well designed network) from a single router failure - but it will NOT 
protect you from a DHCP server failure.

DHCP Failover will protect you from a server failure, but gives you 
no protection from a router (or link) failure.


For maximum protection you might choose to use both. Configure both 
routers as relay agents, forwarding to both DHCP servers. This will 
multiply the broadcast traffic up fourfold, but that is unlikely to 
be a problem* - each server will get two copies of each broadcast 
request.

One thing to be careful of is if one of your links is a dialup (I've 
used ISDN dial-on-demand very effectively as a backup link). Your 
backup router will pick up DHCP client broadcasts, and if you don't 
take care with the routing tables it may well squirt them down the 
backup link - bringing you a surprise on the next phone bill. I think 
I dealt with this by using dynamic routing (EIGRP as I was using 
Cisco kit), and setting the cost metric on the backup link such that 
traffic from the backup router would be passed via the primary 
router/link as long as the primary link and router were up.

Simon

* There was at one time a reported problem where a server (in 
failover config) got two duplicate requests close together (such as 
from two different relay agents). I can't remember what the effect 
was or whether it's been fixed.
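
The trade-off described in the message above, worked through as a small availability model. This is an added example, not part of the original post; the component names (`r1`, `r2`, `s1`, `s2`) and design labels are constructed, and it assumes every live router relays to every configured server and that a surviving failover partner can answer clients on its own.

```python
# Constructed model of the three designs discussed in the post.
# Assumption: each live router is a relay agent that forwards one copy of a
# client broadcast to every configured DHCP server.
DESIGNS = {
    "vrrp_only":     {"routers": ["r1", "r2"], "servers": ["s1"]},
    "failover_only": {"routers": ["r1"],       "servers": ["s1", "s2"]},
    "both":          {"routers": ["r1", "r2"], "servers": ["s1", "s2"]},
}


def deliveries(design, failed=frozenset()):
    """Copies of one client broadcast that reach each live server."""
    d = DESIGNS[design]
    live_relays = [r for r in d["routers"] if r not in failed]
    return {s: len(live_relays) for s in d["servers"] if s not in failed}


def served(design, failed=frozenset()):
    """True if at least one live server receives the request."""
    return any(n > 0 for n in deliveries(design, failed).values())


def single_points_of_failure(design):
    """Components whose failure alone leaves clients without DHCP service."""
    d = DESIGNS[design]
    parts = d["routers"] + d["servers"]
    return sorted(c for c in parts if not served(design, frozenset([c])))


def total_copies(design, failed=frozenset()):
    """Total relayed packets generated by one client broadcast."""
    return sum(deliveries(design, failed).values())


if __name__ == "__main__":
    for name in DESIGNS:
        print(f"{name:14} copies per server={deliveries(name)} "
              f"total={total_copies(name)} "
              f"SPOF={single_points_of_failure(name) or 'none'}")
    # With the backup router down, the combined design degrades to one copy
    # per server instead of two, and clients are still served.
    print("both, r2 down:", deliveries("both", frozenset(["r2"])))
```
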

