I'm sketching out a new network topology and I'm unsure of how to solve the issue of DHCP between two VLANs.
- 10.50.2.0/23 will hold the majority of our users, corporate wifi, printers etc.
- 10.250.3.0/24 will hold a subset of users who need access to our AWS VPN tunnel
I'm planning to use a L3 switch to route between subnets, with ACLs to control which VLAN can access which and in which direction (i.e. 3/24 will be able to access 2/23 but not vice versa).
The issue is DHCP in the 10.50.3.0/24 network. I can either configure a DHCP relay via the switch, or I can give our Windows 2008 R2 DHCP server a NIC in that network.
Which (if either) is the "right" way?
You could also just let your switch be the DHCP server as well.
Multi-homing Windows is frequently a bad idea. Unless you do it perfectly right, you can have weird DNS and routing issues.
You are better off using a relay agent.
I would definitely lean towards the relay agent. While it may not be a huge concern, giving the server a NIC into that network will open up more possible security vulnerabilities (or will require more effort to lock that server's firewall down a little more).
Another benefit of using the DHCP relay is that if for some reason you need to switch your DHCP server, it is very simple to point the relay agent to a different IP rather than having to set up another server with another NIC and locking that server down as well.
Edit: Just reminded myself of this: with the relay agent, you can also implement DHCP snooping if you are ever concerned about DHCP-related security attacks.
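A sketch of the relay, DHCP snooping and one-way ACL setup the answers describe, added here as an example and not taken from any of the posters. It assumes a Cisco IOS-style L3 switch, VLAN 20 for 10.50.2.0/23 and VLAN 30 for 10.50.3.0/24 (the address used in the question), and a constructed DHCP server address 10.50.2.10 attached to port Gi1/0/1.

```cisco
! Assumed: Cisco IOS-style L3 switch, VLAN 20 = 10.50.2.0/23, VLAN 30 = 10.50.3.0/24,
! Windows DHCP server at 10.50.2.10 (constructed address) on Gi1/0/1.
ip routing
ip dhcp snooping
ip dhcp snooping vlan 20,30
! Windows DHCP does not need option 82; not inserting it also avoids the relay on
! this same switch discarding snooped client packets (option 82 set, giaddr 0).
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/1
 description DHCP server - the only port allowed to source DHCP offers
 switchport access vlan 20
 ip dhcp snooping trust
!
! Traffic VLAN 20 may send toward VLAN 30: DHCP server replies to the relay
! address, and TCP return traffic for sessions opened from VLAN 30.
ip access-list extended VLAN20-IN
 permit udp host 10.50.2.10 eq bootps host 10.50.3.1 eq bootps
 permit tcp 10.50.2.0 0.0.1.255 10.50.3.0 0.0.0.255 established
 deny   ip 10.50.2.0 0.0.1.255 10.50.3.0 0.0.0.255 log
 permit ip any any
!
interface Vlan20
 description Users, corporate wifi, printers
 ip address 10.50.2.1 255.255.254.0
 ip access-group VLAN20-IN in
!
interface Vlan30
 description VPN users
 ip address 10.50.3.1 255.255.255.0
 ! Relay: client broadcasts are forwarded as unicast to the server with
 ! giaddr 10.50.3.1, which is how the server selects the 10.50.3.0/24 scope.
 ip helper-address 10.50.2.10
```

The ACL is stateless: `established` only covers TCP replies, so any UDP or ICMP the VLAN 30 users need back from VLAN 20 must be permitted explicitly or handled by a stateful firewall. On the Windows server, a scope for 10.50.3.0/24 must exist; no extra NIC is needed.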
I too agree that configuring a DHCP relay agent is probably the right way to go about this. Multi-homing a Windows server is generally not a recommended configuration except in very specific use cases.