I am designing a network with
2 x MX450 (Warm Spare)
2 x MS425 (Stack)
some MS250 and APs
The question is where I should run DHCP, I have three options
1. Create all VLAN interfaces in MX and run DHCP on MX and leave MS425 as the L2 switch.
2. Enable L3 and create VLAN interface in MS425 and run DHCP in MS425.
3. Enable L3 and create VLAN interfaces in MS425 but relay DHCP to MX.
Any idea which option is the best and why?
We tend to use DHCP from switches as we find it the easiest to administer. The Meraki MSs are pretty good for DHCP so I would definitely use them in your scenario.
Will there be much inter-vlan traffic? If the traffic between VLANs is low volume then go with this option:
"Create all VLAN interfaces in MX and run DHCP on MX and leave MS425 as the L2 switch."
If you are expecting high volume flows between VLANs (such as 10Gbe traffic flows), go with this option:
"Enable L3 and create VLAN interface in MS425"
Whether you run DHCP on the MS or MX for this case is more a matter of where you would like to manage it.
I guess for the case where you are using the MS425 for layer 3 routing, if you put the DHCP on the switches and the MX had a failure, the internal networking could continue to work, and clients would continue to get an IP address.
There are no real differences in features between the MS running DHCP or the MX running DHCP.
So if you choose an L3 switching design it makes no real sense to relay traffic from the MS to the MX, but you could relay to a dedicated DHCP server with all special features.
Reasons to run L2 everywhere:
- Most traffic volume is north - south
- You will never grow outside 1 distribution block on that location
- You need deep packet inspection and stateful flows between VLANs.
Reasons to run L3 at the core/distribution
- You have moderate east west traffic
- You could have multiple distribution blocks and you typically run L3 between distribution blocks (your MX HA pair needs to be entirely inside 1 distribution block)
- You don't need deep packet inspection
Reasons to run L3 core/distribution with catalyst switches there and MS switches at the access layer
- Same as above but you do need some VLAN groups having separation between each other and only allow traffic through a firewall (separate VRFs).
I would recommend creating the VLANs on the MS425 and using dedicated servers, in failover, for DHCP handling. And make sure the MS425s are stacked to make sure you don't have any direct downtime if something happens to one of the switches.
I would definitely avoid running DHCP on your MX. We are doing this right now, but it is causing us issues and we are developing a project to move the service away from the MX and onto another device. We have an existing DHCP server for our corporate LAN so we're considering using this to run DHCP for the other VLANs.
@PhilipDAth It's not a matter of stability, but a firewall has to be a firewall and not perform other functions. This takes firewall processing among other things.
For small sites it's ok, but for a big company this is not an option.
@alemabrahao how would you define small sites? We have an enterprise edge firewall serving a /16 subnet without problems. We generally oversize firewalls because nobody ever asks for a slower line...!
Sites with maximum 50 users, but ok, it's my opinion because I have planned a lot of large networks, so I prefer to use a dedicated DHCP server. I mean, it's more "professional" in my opinion.
Personally I find network devices more reliable than servers, but if you have seen issues then it is better to play safe.
We have many MXs and other firewalls serving hundreds or even thousands of concurrent DHCP users. We also use L3 switch stacks as DHCP servers, with the aim of having the most available, most local device servicing the DHCP requests.
I've had a customer recently get me to convert them from using their DHCP servers in their DC to do DHCP on all their branch MXes.
The reason? They had an outage a while ago, and after some time, it took every site offline because of a lack of IP addressing. They realised that something as essential as DHCP should be done as close to the users as possible. If they have a further issue, at least all of the users will be able to connect to the Internet and continue to use their cloud apps.
For a big company, it is an option IMHO, and should be considered for DR purposes.
The MX will handle the DHCP just fine if you appropriately size them. I find that Meraki is very conservative with their stated throughput and capacities.
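The outage scenario raised in the thread (a central DC DHCP server becomes unreachable and branch sites go dark "after some time") comes down to DHCP lease timers. The model below is an added example, not code from the thread or from Meraki; it applies the RFC 2131 default timers (T1 at 50% and T2 at 87.5% of the lease) to a constructed set of clients to show how long a site keeps working once no server answers, which is the budget a local DHCP on the MX or MS stack removes the need for.

```python
"""Added example: how long clients stay addressed after their DHCP server
becomes unreachable. Timers follow RFC 2131 defaults; sample data is constructed."""
from dataclasses import dataclass

T1_FRACTION = 0.5     # renewing: unicast DHCPREQUEST to the server that granted the lease
T2_FRACTION = 0.875   # rebinding: broadcast DHCPREQUEST, any reachable server may answer


@dataclass(frozen=True)
class Lease:
    client: str
    last_ack: int    # time of the last successful DHCPACK (seconds, relative to outage)
    duration: int    # lease time granted by the server (seconds)

    def t1(self):
        return self.last_ack + int(self.duration * T1_FRACTION)

    def t2(self):
        return self.last_ack + int(self.duration * T2_FRACTION)

    def expiry(self):
        return self.last_ack + self.duration


def state_at(lease, t):
    """Client state at time t assuming no DHCP server has answered since last_ack."""
    if t < lease.t1():
        return "bound"
    if t < lease.t2():
        return "renewing"
    if t < lease.expiry():
        return "rebinding"
    return "expired"


def clients_online(leases, t):
    """Clients that still hold a valid address at time t."""
    return sorted(l.client for l in leases if state_at(l, t) != "expired")


def outage_budget(leases, outage_start):
    """Seconds from outage_start until the last client loses its address (0 if already dark)."""
    return max(0, max(l.expiry() for l in leases) - outage_start)


# Constructed sample: the DC-hosted server becomes unreachable at t=0.
EIGHT_HOURS = 8 * 3600
SAMPLE = [
    Lease("pc-01", last_ack=-7 * 3600, duration=EIGHT_HOURS),   # renewed 7h before outage
    Lease("pc-02", last_ack=-4 * 3600, duration=EIGHT_HOURS),
    Lease("pc-03", last_ack=-1 * 3600, duration=EIGHT_HOURS),
    Lease("printer", last_ack=-5 * 3600, duration=24 * 3600),   # longer lease, lasts longest
]

if __name__ == "__main__":
    for hours in (0, 1, 4, 8):
        print(f"t=+{hours}h online={clients_online(SAMPLE, hours * 3600)}")
    print("site fully dark", outage_budget(SAMPLE, 0) // 3600, "hours after the outage")
```

Clients in the rebinding state broadcast their request, so a DHCP server that is local to the VLAN (on the MX or the MS425 stack) can take over those leases without any relay path to the DC.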