I am really stumped on a new infrastructure design. Let me explain our scenario. I have been tasked with the complete rebuild of our network infrastructure.
The requirements are isolation of our production, dev/IT, utility/test, iSCSI, and plain office users' traffic. The problem I am stumped on is dynamic DHCP.
Let me explain this.
I am located in the exact same office as our normal users, along with our dev team. I do not want to allow normal users access to our production machines via a LAN IP address, except for domain controllers and our Exchange server. I do, however, need to allow access for IT/Dev. Each VLAN will have a separate subnet and all of our switches are L3. My core switch will be a Juniper EX4200 stack and our switch at HQ will be a Juniper EX2200 PoE.
I am pretty sure this can be accomplished a few ways, but management seems like it could become a beast. Some ideas I have thought of:
1) Have multiple DHCP server scopes and restrict per MAC address by statically entering MAC addresses.
2) Statically set IP addresses for Dev/IT.
3) Possibly have the switch hand out DHCP.
None of the above seem like good options, however. It seems like I am missing something very simple, but I just do not know what.
I'm not a networks guy, but the term you're looking for is IP Helper. For Juniper, they call it DHCP Relay, I believe. This document explains how to configure the EX series switches to use DHCP relay.
The basic design and flow works like so:
1) Segregate your network into multiple VLANs.
2) Put the DHCP server in VLAN 9.
3) On the switches, put an IP Helper (for DHCP) on each VLAN, pointing to the IP address of the DHCP server in VLAN 9.
4) On the DHCP server, add a scope for each subnet that will be contacting the DHCP server (10.1., 10.2., 10.3., 10.9., etc.).
Machines in each VLAN will send a DHCP discovery packet out when they need an IP address. The switch will pick that up and forward it out of the subnet (DHCP only broadcasts to its own subnet) to the IP you specified for the DHCP server. The DHCP server detects which subnet the machine was in, picks the right scope, and offers the machine an available IP in its respective subnet.
Of course, servers and other infrastructure items should always have a static IP address (not even just a reserved DHCP address).
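A Junos configuration that puts the answer above together for the asker's EX4200 core (routed VLAN interfaces, DHCP relay to a server in VLAN 9, and a filter that lets office users reach only the domain controller and Exchange server in production). This is an added example, not part of the original answer; every VLAN ID, subnet and host address in it is a constructed assumption.

```junos
/* Added example, not from the original post. Constructed (hypothetical) addressing:
   VLAN 2 office 10.2.0.0/24, VLAN 3 dev-it 10.3.0.0/24, VLAN 4 prod 10.4.0.0/24,
   VLAN 9 servers 10.9.0.0/24; DHCP server 10.9.0.10, DC 10.4.0.10, Exchange 10.4.0.20 */
vlans {
    office  { vlan-id 2; l3-interface vlan.2; }
    dev-it  { vlan-id 3; l3-interface vlan.3; }
    prod    { vlan-id 4; l3-interface vlan.4; }
    servers { vlan-id 9; l3-interface vlan.9; }
}
interfaces {
    vlan {
        /* Routed VLAN interfaces: the EX stack is the default gateway of each subnet.
           The office RVI also carries the inbound filter defined below. */
        unit 2 { family inet { address 10.2.0.1/24; filter { input office-in; } } }
        unit 3 { family inet { address 10.3.0.1/24; } }
        unit 4 { family inet { address 10.4.0.1/24; } }
        unit 9 { family inet { address 10.9.0.1/24; } }
    }
}
forwarding-options {
    helpers {
        bootp {
            /* DHCP relay ("IP helper"): DISCOVER broadcasts arriving on the listed RVIs
               are re-sent as unicast to the server; the relay fills giaddr with the RVI
               address, which is how the server picks the matching scope. Prod and the
               server VLAN are left out because those hosts are statically addressed. */
            server 10.9.0.10;
            interface {
                vlan.2;
                vlan.3;
            }
        }
    }
}
firewall {
    family inet {
        /* Inbound on vlan.2: office users reach only the DC and Exchange in prod;
           the rest of prod is dropped and counted, all other traffic (including the
           DHCP broadcasts that the relay needs) is allowed through. */
        filter office-in {
            term allow-dc       { from { destination-address { 10.4.0.10/32; } } then accept; }
            term allow-exchange { from { destination-address { 10.4.0.20/32; } } then accept; }
            term deny-prod      { from { destination-address { 10.4.0.0/24; } } then { count office-to-prod-denied; discard; } }
            term allow-rest     { then accept; }
        }
    }
}
```

The `count` action lets you watch blocked office-to-production attempts with `show firewall filter office-in`, which is a useful check that the segmentation actually does what the design says.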