Answer the question
In order to leave comments, you need to log in
How to properly deploy network infrastructure with dhcp? Using separate hardware or all on the same server?
Hi all! Enlighten, please, how it is correct to unroll network infrastructure in the organization from the point of view of the system administrator?
To make it clear what I'm talking about, I will list several options, point to the most technically correct one or describe your own.
1. All through one server, in which a network card with two inputs: Internet access, proxy, AD, Exchange, distribution of ip from dhcp - all on one machine, there may be a replica.
2. There is a switch, the provider's cable comes to it. The same switch includes hosts on the same floor, switches on other floors + a server with AD, Exchange and more.
3. A provider cable comes to a separate network hardware (for example, from cisco or mikrotik), it also distributes addresses using its own dhcp. In the same network, a server with a windows server, but it only has AD, Exchange, and, if necessary, other roles.
Answer the question
In order to leave comments, you need to log in
Option 1 is used by the very brave, the very... unintelligent, or the Microsoft fans who believe unshakably in the power of the MS firewall. If this is about you - your choice.
Option 2 is used by those who like to constantly treat users' computers from miners and complain that mail is blocked for spam. Well, or someone who has absolutely nothing to hide :) If this is about you - your choice.
Option 3 is already more like a typical construction scheme.
DHCP should not be on the router. The router should do what it is intended for - routing. Well, another firewall and VPN, if necessary. DHCP refers to the basic roles of the internal network and IMHO you need to keep it on the AD server - the load is cheap, but if you fill out the snap-in data in time, you can use it as an IP distribution table - not the entire segment you have dynamics, servers usually have static addresses.
Eksch is strongly recommended to separate from AD. Proxies, if any, also separate. With current virtualization technologies, this is much easier to do. File-washing - also separate.
Tasks are very different.
Let's say you need to make a VPN on a router or gateway.
If you have 1-2 users, then Mikrotik will pull this business easily.
If you have 50 users - you need a real computer for this.
I would separate the roles.
DHCP is quite a small load.
Why push it to the server?
Let it be on the router.
DHCP needs to be pushed to the server if there is some good reason.
Let's say I have it on the server, since I need integration with DHCP + BOOTP (or PXE - I don't remember already, I set it up 100 years ago)
And for servers, I wish you to study virtualization technology. ESX, Xen, KVM.
Allows great to simplify the revival of the server in which case.
It is quite possible to distribute DHCP directly from the router from the outside world that gives the connection.
They are now pretty perfect in this regard.
But on the other hand, if you go to limit someone, cut them off from the Internet,
then perhaps this option will not suit you.
As already noted, everything is very individual and depends on the available resources, tasks, plans for the future and other things.
If we assume a small office, severely limited in money and other resources, then I would do something like this:
(1) Внешний роутер -> (2) Управляемый коммутатор -> (3) Компьютеры
|
(4) Сервер AD + DHCP + ...
IMHO, no matter what the cool experts say, but first of all, everything depends on resources: money for hardware and licenses, a place to place all the equipment. If there is available or the ability to purchase only one server + one license for the OS, then naturally everything will have to be installed on one, if there are resources, then there are many options.
DHCP service is undemanding, especially for small networks. The Windows one next to AD/DNS has never let me down, but it has never let down DHCP based on pfSense or home routers (Zyxell/Asus).
If the mail server is located on the local network, then I would advise allocating a separate machine (at least a virtual one) and a separate IP address for it, so that an infected client computer or an employee’s personal smartphone on the local network does not substitute the address for antispam filters. An additional address for many providers costs a penny.
In order to save money, the file server can be screwed on the controller, but an unpleasant situation may arise with running out of free space, backups, or malware from the user folder. If possible: on a virtual machine or on a separate piece of iron.
My option: the provider comes to a weak server on which Linux lives quietly (it certainly won’t hurt to master it), normally configured iptables and fail2ban, which will give an idea of the operation of the router, dhcp + dns + vpn in the same place, you can also raise some proxy thread. Squid is quite functional. A couple of uplinks for the internal network go from it to the switch. Now AD is already quite good friends with Linux, so authorization in the same squid is not a problem. Well, it’s also easy to set up plshki like vlans, which again will give practical experience. By the way, in Mikrotik the same embedded-linux, not even very embedded. Ready-made builds like pfsense are a strange solution, because in order for it to work properly, you constantly need to patch, installing a new package, as a rule, will cause the need to update, again patches, perverted necrophilia in general. The web interface is eye-catching. Well, for a small organization, exchange is an overhead. IMHO.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question