Option 50 in failover mode

Bob Proulx bob at proulx.com
Mon Nov 28 19:11:16 UTC 2011


Glenn Satchell wrote:
> I think there are two different ideas of "hands off" failover. It's true
> that the failover protocol has been around for a long time, and I recall
> running it myself in the early 2000s. But while that protocol
> automatically handled failure of one system it was not entirely hands off.
> The surviving dhcp server would only allocate new IPs from its share of
> the pool. If the pool didn't have enough spare IPs to handle all the
> clients then eventually it would run out of addresses to allocate.

Hence why I said that the pool needed to be large enough.  The
original question was asking about a failover configuration and the
ability of a dhcp client to keep the same address through the failure
of a server.  In regards to that original question the client can keep
the same address if the pool configured on each failover server is
large enough to handle the entire network itself.

If the pool is large enough then it won't run out of addresses to
allocate and everything will work correctly without interaction.  If a
server runs out of addresses because the pool is too small then I
claim that is configured to be load balancing only and not configured
for high availability.

If the server runs out of addresses because the pool is too small then
in regards to the original question a dhcp client will not be allowed
to keep the same address.  But that is just a server address pool
misconfiguration.  To solve it simply make the pool large enough.  As
I said in my original response.

With 17 million plus RFC1918 addresses available for sites to allocate
locally it is hard to believe that any single site wouldn't be able to
configure a large enough pool of addresses to be able to use it in a
high availability configuration.  But I am sure there are reasons.

> Back in those days it was a design feature that the surviving server
> had to be manually put into "partner down" mode. In partner down
> mode the surviving server could allocate IP addresses from the
> entire pool and thus run without running out of addresses.

Sorry but I believe it only "had to be" if it were misconfigured with
a pool that was too small and then you were left scrambling trying to
make do with less pool space than needed.  As far as I can determine
this was never a requirement and certainly hasn't been in the last
five years or so.  It was only that people were trying to squeeze ten
pounds of potatoes into a five pound bag by using too small of an
address pool.

What happens is that people set up two servers in a load balancing
configuration.  Everything is working because the pool is split
between two machines.  Perhaps 75% of the addresses are used at any
one time.  That sounds good, right?  Actually no.  It is load balanced
but it isn't redundancy.  At 75% that is actually overbooked for
redundancy.

Then one machine goes down.  That leaves 50% of the pool okay and 25%
of the pool overbooked!  There aren't enough addresses.  New clients
will fail to get an address.  Admins then start scrambling while
muttering, "but it was working a moment ago", and then using the measure
of partner-down as the action to reclaim the other half of the pool and
getting things back running again.  It is a mad, crazy time with a lot
of swearing.  Sure, using partner-down saved the day, but if they had
simply ensured a large enough pool in the first place then going into
partner-down mode would not have been required.

> In one of the recent versions was a feature for automatic partner down
> after a defined period of time. In this case the surviving server switches
> to partner down and can run without running out of addresses. This is what
> others have termed "hands off".

Then I am using the hands-off term in an incorrect way.  Thank you for
educating me that I was confusing things by using the words hands off
to the opposite meaning of previous usage.  I didn't realize that
hands off had connotations of using partner-down.

For me hands off meant NOT having to use partner-down.  I never intend
to use partner-down since I intend always to have enough address space
in both pools that it is not needed.  A pair of failover servers with
enough address space can run forever on only one machine with the
other failed.  I can calmly repair and restore the offline machine or
network router before a second failure occurs taking out the single
remaining server.  Redundancy is a good thing.

Bob


