I'm currently using Ubiquiti access points with a Cisco 9x00 series switch for inter-VLAN routing at my offices. We have different SSIDs for customers, internal users, and a few IoT devices, each on its own VLAN and subnet. Initially, I decided against setting up a separate DHCP server for guests and instead used our existing one by routing traffic through an ACL to facilitate IP management while blocking any unwanted traffic. This setup has been in place for over 13 years, and we've done thorough testing to ensure there's no interaction between the guest and internal networks.
Recently, the audit team suggested I create a separate DHCP server just for guests, even though they haven't found any vulnerabilities in the current configuration. I believe that with the existing ACLs, adding another DHCP server doesn't enhance our security and could complicate our operations, especially since our branch offices rely on getting DHCP from our HQ. Am I wrong to think this way? I'm looking for some opinions before I push back on their recommendation.
1 Answer
It’s generally a more cautious approach to have separate DHCP servers for guests and internal users. While your current setup might work fine, it opens up risks for potential misconfigurations that could lead to exposure of internal resources. I wouldn’t mix the two, even if it seems like extra work.

We usually set up guest DHCP directly from the local firewall instead of using our main server to keep things tidy. It’s more efficient and cuts down on complexity.
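As an added illustration (not the asker's configuration and not part of the answer above), this is the shape of a Cisco IOS guest-VLAN ACL that relays DHCP to an internal server while blocking everything else inbound to the internal ranges; the VLAN number, subnets and the DHCP server address 10.1.1.10 are constructed placeholders.

```cisco
! Constructed addressing for the example:
!   guest VLAN 30 = 10.30.0.0/24, HQ DHCP server = 10.1.1.10,
!   internal address space = RFC 1918 ranges
!
interface Vlan30
 description GUEST-WIFI
 ip address 10.30.0.1 255.255.255.0
 ! Relay guest DHCP broadcasts to the HQ server (relayed packets are
 ! sourced by the switch, so they are not subject to GUEST-IN).
 ip helper-address 10.1.1.10
 ip access-group GUEST-IN in
!
ip access-list extended GUEST-IN
 remark Clients in RENEWING state unicast straight to the server on udp/67;
 remark without this line leases silently stop renewing once half expired.
 permit udp any eq bootpc host 10.1.1.10 eq bootps
 remark Initial DISCOVER/REQUEST are broadcast; the SVI picks them up and relays.
 permit udp any eq bootpc any eq bootps
 remark Deny guests every internal range, including the DHCP server's own subnet.
 remark Order matters: these must precede the final permit, or guests reach the LAN.
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else (Internet-bound) is allowed.
 permit ip any any
!
! Verification after applying:
!   show ip access-lists GUEST-IN     <- deny counters should increment when a
!                                        guest probes an internal address
!   show ip dhcp relay statistics     <- relayed DISCOVER/OFFER counts should rise
```

The misconfiguration risk the answer refers to is concentrated in the three deny lines: a missing line, a wrong wildcard mask, or a `permit ip any any` inserted above them exposes the internal network, which is why a review of this ACL belongs in the change process for any addition of a new internal subnet.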