1

I am really stumped on a new infrastructure design. Let me explain our scenario. I have been tasked with the complete rebuild of our network infrastructure.

The requirements are isolation of our production, dev/it, utility/test, iSCSI, and just office users traffic. The problem I am stumped on is dynamic DHCP.

Let me explain this.

I am located in the exact same office as our normal users, along with our dev team. I do not want to allow normal users access to our production machines via a LAN IP address except for domain controllers and our exchange server. I need however to allow access to IT/ Dev. Each VLAN will have a separate subnet and all of our switches are L3. My core switch will be a Juniper EX4200 stack and our switch at HQ will be a Juniper EX2200 POE.

I am pretty sure this can be accomplished a few ways but, management seems like it could become a beast. Some Ideas I have thought of:

1) Have multiple DHCP server scopes and restrict per mac address by statically entering MAC address.

2) Statically set IP address for DEV/IT

3) Possibly have the switch hand out DHCP

None of the above seem like good options however. It seems like am missing something very simple but, I just do not know what.

Izzy
  • 8,214
  • 2
  • 30
  • 35
BrandonB
  • 161
  • 1
  • 10

1 Answers1

4

I'm not a networks guy, but the term you're looking for is IP Helper. For Juniper, they call it DHCP Relay I believe. This document explains how to configure the EX series switches to use DHCP relay.

The basic design and flow works as so: Segregate your network up into multiple vlans.

  • Vlan 1 can be your prod servers (say 10.1.0.0)
  • Vlan 2 can be your dev servers (say 10.2.0.0)
  • Vlan 3 can be your business (user) network (say 10.3.0.0)
  • Vlan 9 can be your internal DMZ (say 10.9.0.0)

Put the DHCP server in vlan 9

On the switches, put an IP Helper (for DHCP) for each vlan to the IP address of the DHCP server in vlan 9.

On the DHCP server, you add each scope that will be contacting the DHCP server (10.1., 10.2., 10.3., 10.9. etc).

Machines in each vlan will send a DHCP discovery packet out when they need an IP address. The switch will pick that up, and forward it out of the subnet (DHCP only broadcasts to its own subnet) to the IP you specificed for the DHCP server. The DHCP server detects which subnet the machine was in, picks the right scope, and offers the machine an available IP in its respective subnet.

Of course, servers and other infrastructure items should always have a static IP address (not even just a reserved DHCP address)

Community
  • 1
Izzy
  • 8,214
  • 2
  • 30
  • 35
  • 2
    Oddly enough, I am a network guy... and your answers are pretty correct for a non-network-guy. "ip-helper" is more of a cisco-phrase... most others call them a "dhcp-relay" which is more accurate. I would highly discourage you from putting your production servers on vlan1, as most devices on a network not-configured to use a vlan default to vlan 1. This might pose a security risk in the future. In my own network, I use vlan 1 as the "public" network (which connects to public access points & such) You typically only need the DHCP-relay service on any device routing between VLANs. – TheCompWiz Apr 15 '11 at 18:35
  • 1
    Awesome stuff izzy, For a non-network guy. with the one exception The CompWiz stated your answers are right on the mark. ;) – Tom Apr 15 '11 at 19:10
  • Thank you for the response am semi familiar with helper and relay but, how do the PC's know what VLAN they are supposed to be a member of ? For example we hire a new DEV he should be on VLAN 2 he comes in fires up his new PC, how does that PC know what VLAN to hop on when our office is a 10.10.0.0/23. It really is the initial VLAN assignment that has me baffled. – BrandonB Apr 15 '11 at 19:47
  • Ok I think I got it, am just going to have to assign VLAN via port based and trace the patch panel to each use. Thats a job and a half the telco closet is a rats nest. :( – BrandonB Apr 15 '11 at 20:56
  • @BrandonB the PC doesn't know. The switch port the PC is plugged into gets an assignment before hand to which VLAN it's on. If switch port 1 was VLAN 2 and switch port 2 was set to VLAN 3, then you could plug the PC back an forth between the switch ports and it would receive different DHCP responses if your "backend" dhcp-relay and DHCP server scopes are setup correctly. – Bret Fisher Apr 15 '11 at 21:22
  • @TheCompWiz: Very true - It was only an example :) The way I'd actually advise the design for the network would be to use the second quad for physical site delineation (London, New York, Toronto), and the 3rd quad for environment (DMZ, QA, Dev, Prod, Corp WIFI, Guest WIFI, PCs, ESX, heartbeat, VOIP phones etc). 10.1 would probably never fit into the design because I'd suggest that the first site would be 10.10, the next 10.20 etc. – Izzy Apr 15 '11 at 22:41
  • @BrandonB Exactly as you discovered (and Bret followed up with) - you assign a port on the switch to a VLAN - what ever's plugged into it is on that VLAN – Izzy Apr 15 '11 at 22:43