Where to run DHCP? MS425 as L3? MX450 as L3? Or MS425 as L3 and relay to MX for DHCP?

SahadSalmiT
Getting noticed


Hi Team,

I am designing a network with:

2 x MX450 (warm spare)

2 x MS425 (stack)

some MS250 and APs

 


 

 

The question is where I should run DHCP. I have three options:

1. Create all VLAN interfaces on the MX and run DHCP on the MX, leaving the MS425 as an L2 switch.

2. Enable L3 and create the VLAN interfaces on the MS425 and run DHCP on the MS425.

3. Enable L3 and create the VLAN interfaces on the MS425 but relay DHCP to the MX.

 

 Any idea which option is the best and why?
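The relay path in option 3 (and, for contrast, the direct case in option 1), as an added example that is not part of the original post or of any Meraki code: a small Python model of the RFC 2131 fixed BOOTP header with a relay agent that fills in giaddr and a server that picks its scope from giaddr. The VLANs, interface addresses and scopes are constructed for illustration; the real MS and MX implementations are not shown here.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

# Added example (not code from the thread or from Meraki): a minimal model of
# the DHCP relay path used by option 3, built on the RFC 2131 fixed header and
# the RFC 1542 relay-agent rules. All addresses and scopes are constructed.

FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed BOOTP header, options omitted
BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 4                        # RFC 1542 4.1.1: discard once the hop count exceeds this
ZERO4 = b"\x00" * 4
# field indices in FMT: 0 op, 3 hops, 8 yiaddr, 10 giaddr


def build_discover(xid: int, chaddr: bytes) -> bytes:
    """Client DHCPDISCOVER as it leaves the NIC: giaddr 0.0.0.0, broadcast flag set."""
    return struct.pack(FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                       ZERO4, ZERO4, ZERO4, ZERO4,
                       chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)


def relay(packet: bytes, svi_ip: str) -> Optional[bytes]:
    """Relay agent on the ingress VLAN interface (an SVI on the L3 switch).

    Fills giaddr with the interface address unless an earlier relay already did,
    bumps the hop count, and drops packets that already crossed MAX_HOPS relays.
    The caller unicasts the result to the configured DHCP server.
    """
    f = list(struct.unpack(FMT, packet))
    if f[0] != BOOTREQUEST or f[3] >= MAX_HOPS:
        return None
    f[3] += 1
    if f[10] == ZERO4:
        f[10] = ipaddress.IPv4Address(svi_ip).packed
    return struct.pack(FMT, *f)


class Scope:
    """One DHCP pool on the server, keyed by the subnet it serves."""

    def __init__(self, network: str, gateway: str):
        self.network = ipaddress.IPv4Network(network)
        self.gateway = ipaddress.IPv4Address(gateway)
        self.leased = set()

    def allocate(self) -> Optional[ipaddress.IPv4Address]:
        for host in self.network.hosts():
            if host != self.gateway and host not in self.leased:
                self.leased.add(host)
                return host
        return None


def serve(packet: bytes, scopes: List[Scope], ingress_network: str) -> Optional[bytes]:
    """Server side: choose the scope from giaddr when relayed, otherwise from the
    subnet of the interface the broadcast arrived on (option 1, no relay).

    Returns a DHCPOFFER header, or None when no scope matches: the silent
    failure you get when a relay points at a server that lacks that subnet.
    """
    f = list(struct.unpack(FMT, packet))
    giaddr = ipaddress.IPv4Address(f[10])
    if giaddr == ipaddress.IPv4Address("0.0.0.0"):
        ingress = ipaddress.IPv4Network(ingress_network)
        scope = next((s for s in scopes if s.network == ingress), None)
    else:
        scope = next((s for s in scopes if giaddr in s.network), None)
    if scope is None:
        return None
    lease = scope.allocate()
    if lease is None:
        return None
    f[0] = BOOTREPLY
    f[8] = lease.packed   # yiaddr; giaddr stays intact so the OFFER returns via the relay
    return struct.pack(FMT, *f)


def offered_address(reply: bytes) -> str:
    return str(ipaddress.IPv4Address(struct.unpack(FMT, reply)[8]))


def run_scenarios() -> Dict[str, object]:
    """Constructed scenarios: scopes for VLAN 10 and 20 exist on the server, VLAN 30 does not."""
    scopes = [Scope("10.10.10.0/24", "10.10.10.1"), Scope("10.10.20.0/24", "10.10.20.1")]
    out: Dict[str, object] = {}
    # Option 1: the server owns the VLAN 20 interface, so the broadcast reaches it directly.
    direct = build_discover(0x1001, bytes.fromhex("001122334455"))
    out["direct_vlan20"] = offered_address(serve(direct, scopes, "10.10.20.0/24"))
    # Option 3: VLAN 10 client behind SVI 10.10.10.1 on the switch, relayed to the server.
    relayed = relay(build_discover(0x1002, bytes.fromhex("001122334466")), "10.10.10.1")
    out["relayed_vlan10"] = offered_address(serve(relayed, scopes, "0.0.0.0/0"))
    # Option 3 misconfiguration: SVI 10.10.30.1 relays, but the server has no 10.10.30.0/24 scope.
    relayed = relay(build_discover(0x1003, bytes.fromhex("001122334477")), "10.10.30.1")
    out["relayed_vlan30"] = serve(relayed, scopes, "0.0.0.0/0")
    # A request that already crossed MAX_HOPS relays is discarded rather than looped.
    looped = bytearray(build_discover(0x1004, bytes.fromhex("001122334488")))
    looped[3] = MAX_HOPS
    out["loop_dropped"] = relay(bytes(looped), "10.10.10.1") is None
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Two things the model makes visible for option 3: the server chooses the pool from giaddr, so every SVI subnet the switch relays from needs a matching scope on the device the relay points at, or clients on that VLAN get no OFFER at all; and the OFFER is sent back to giaddr, so the relay interface must be reachable from the server.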

14 Replies
alemabrahao
Kind of a big deal

The best option will always be to use a dedicated DHCP server, but in your case it all depends on the perspective.
 
I particularly think that a firewall should not perform other functions, so in your case I would configure DHCP on the core switch.

 

https://documentation.meraki.com/Architectures_and_Best_Practices/Recommended_Topologies/MX_and_MS_B...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
cmr
Kind of a big deal

We tend to use DHCP from switches as we find it the easiest to administer.  The Meraki MSs are pretty good for DHCP so I would definitely use them in your scenario.

PhilipDAth
Kind of a big deal

Will there be much inter-vlan traffic?  If the traffic between VLANs is low volume then go with this option:

"Create all VLAN interfaces in MX and run DHCP on MX and leave MS425 as the L2 switch. "

 

If you are expecting high volume flows between VLANs (such as 10GbE traffic flows), go with this option:

"Enable L3 and create VLAN interface in MS425"

Whether you run DHCP on the MS or MX for this case is more a matter of where you would like to manage it.

I guess for the case where you are using the MS425 for layer 3 routing, if you put the DHCP on the switches and the MX had a failure, the internal networking could continue to work, and clients would continue to get an IP address.

GIdenJoe
Kind of a big deal

There are no real differences in features between the MS running DHCP or the MX running DHCP.

So if you choose a L3 switching design it makes no real sense to relay traffic from the MS to the MX but you could relay to a dedicated DHCP server with all special features.

 

Reasons to run L2 everywhere:

- Most traffic volume is north-south

- You will never grow outside 1 distribution block on that location

- You need deep packet inspection and stateful flows between VLANs.

 

 

Reasons to run L3 at the core/distribution

- You have moderate east west traffic

- You could have multiple distribution blocks and you typically run L3 between distribution blocks (your MX HA pair needs to be entirely inside 1 distribution block)

- You don't need deep packet inspection

 

Reasons to run L3 core/distribution with Catalyst switches there and MS switches at the access layer:

- Same as above, but you do need some VLAN groups to have separation between each other and only allow traffic through a firewall (separate VRFs).

JohanPlukon
Getting noticed

I would recommend creating the VLANs on the MS425 and using dedicated servers, in failover, for DHCP handling. And make sure the MS425s are stacked so that you don't have any direct downtime if something happens to one of the switches.

JonP
Getting noticed

I would definitely avoid running DHCP on your MX. We are doing this right now, but it is causing us issues and we are developing a project to move the service away from the MX and onto another device. We have an existing DHCP server for our corporate LAN so we're considering using this to run DHCP for the other VLANs.

PhilipDAth
Kind of a big deal

>I would definitely avoid running DHCP on your MX.

 

I have maybe 500 sites doing this (using the MX for DHCP).  Zero issues.

alemabrahao
Kind of a big deal

@PhilipDAth It's not a matter of stability, but a firewall has to be a firewall and not perform other functions. This takes firewall processing, among other things.

For small sites it's OK, but for a big company this is not an option.
cmr
Kind of a big deal

@alemabrahao how would you define small sites?  We have an enterprise edge firewall serving a /16 subnet without problems.  We generally oversize firewalls because nobody ever asks for a slower line...!

alemabrahao
Kind of a big deal

Sites with maximum 50 users, but ok, it's my opinion because I have planned a lot of large networks, so I prefer to use a dedicated DHCP server. I mean, It's more "professional" in my opinion.

cmr
Kind of a big deal

Personally I find network devices more reliable than servers, but if you have seen issues then it is better to play safe. 

 

We have many MXs and other firewalls serving hundreds or even thousands of concurrent DHCP users.  We also use L3 switch stacks as DHCP servers, with the aim of having the most available, most local device servicing the DHCP requests.

I've had a customer recently get me to convert them from using their DHCP servers in their DC to do DHCP on all their branch MXes.

 

The reason?  They had an outage a while ago, and after some time, it took every site offline because of a lack of IP addressing.  They realised that something as essential as DHCP should be done as close to the users as possible.  If they have a further issue, at least all of the users will be able to connect to the Internet and continue to use their cloud apps.

 

For a big company, it is an option IMHO, and should be considered for DR purposes.

The MX will handle the DHCP just fine if you size them appropriately. I find that Meraki is very conservative with their stated throughput and capacities.
