I'm trying to find advice about a plan I'm considering for guest Wi-Fi management. Currently, we have several sites with different network architectures. Most of these utilize a guest Wi-Fi VLAN, and to maintain DHCP consistency, we've centralized DHCP functions to our primary firewall. However, the firewall requires a separate interface for each DHCP pool, which has led us to create dozens of sub-interfaces. As we plan to expand, this is becoming unwieldy.
We have a DMZ with its own domain and Windows server licensing, so I'm thinking of setting up a Windows Server VM in the DMZ with MS DHCP Server. My idea is to consolidate all guest Wi-Fi DHCP pools to this server, then use ACLs to allow guest Wi-Fi clients to access it for IP addresses. The server would be joined to the domain with our usual security suite and patching practices. Does anyone see any potential issues with this approach?
4 Answers
Have you considered using Kea DHCP or setting up DHCP Relay on each VLAN? This could simplify things without adding extra layers. Just a thought!
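As an added illustration (not code from any poster in this thread), this is what the consolidated design in the question looks like on the Windows side once the relay approach from the answer above is in place: one DHCP server in the DMZ carries a scope per guest VLAN, and each VLAN's gateway relays to it, so the server never needs an interface per pool. Server name, server address, site names, subnets, gateway addresses and the guest resolver address are all constructed placeholders.

```powershell
# Added example, not from the thread. One Windows DHCP server holding every
# guest Wi-Fi scope. Names and addresses below are constructed placeholders.
# The gateway on each guest VLAN relays DHCP to this server; the relay's
# giaddr selects the matching scope, so no server interface per pool is needed.
$DhcpServer   = 'dmz-dhcp01.dmz.example'   # hypothetical DMZ host (FQDN)
$DhcpServerIp = '192.0.2.10'               # hypothetical DMZ address
$GuestDns     = '203.0.113.53'             # resolver for guests; never the internal AD DNS

$GuestScopes = @(
    @{ Site='HQ';      Subnet='10.200.10.0'; Start='10.200.10.20'; End='10.200.10.250'; Router='10.200.10.1' },
    @{ Site='Branch1'; Subnet='10.200.11.0'; Start='10.200.11.20'; End='10.200.11.250'; Router='10.200.11.1' },
    @{ Site='Branch2'; Subnet='10.200.12.0'; Start='10.200.12.20'; End='10.200.12.250'; Router='10.200.12.1' }
)

# Domain-joined DHCP servers must be authorized in AD before they hand out leases.
Add-DhcpServerInDC -DnsName $DhcpServer -IPAddress $DhcpServerIp

foreach ($s in $GuestScopes) {
    # Idempotent: re-running the script does not recreate existing scopes.
    if (Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $s.Subnet -ErrorAction SilentlyContinue) {
        Write-Host "Scope $($s.Subnet) ($($s.Site)) already exists, skipping"
        continue
    }
    Add-DhcpServerv4Scope -ComputerName $DhcpServer -Name "Guest-WiFi-$($s.Site)" `
        -StartRange $s.Start -EndRange $s.End -SubnetMask 255.255.255.0 `
        -LeaseDuration (New-TimeSpan -Hours 4) -State Active   # short leases suit transient guests
    # Guests learn only their VLAN gateway and the guest resolver.
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $s.Subnet `
        -Router $s.Router -DnsServer $GuestDns
}

# Print the firewall rules the relay path needs, for the team's runbook.
# Only each VLAN gateway (the relay agent) talks to the server, on UDP 67;
# guest clients themselves get no rule toward the DMZ.
foreach ($s in $GuestScopes) {
    "permit udp host $($s.Router) host $DhcpServerIp eq 67   # $($s.Site) guest relay -> DHCP"
}
```

Requires the DhcpServer RSAT module on the machine running the script; the printed rule lines use a generic ACL syntax and must be adapted to the firewall in use.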
Just a heads up, you'll need to think about licensing. If you're using Windows Server as a DHCP for guest networks, make sure you're compliant with CALs, or that could complicate things.
If your domain is already set up, why add another layer with a domain for guest DHCP? I think Meraki can handle DHCP for guest networks if you're not connecting company devices. It might streamline your setup.
The domain is already established. Plus, I can't use Meraki's built-in DHCP due to the way our firewall is set up, which only allows one DHCP pool per interface. That's why I’m leaning toward Windows DHCP.
Why centralize DHCP to the firewall anyway? If it's feasible, why not let the Wi-Fi access points handle DHCP? It might be simpler in the long run!
Each site has different setups, and I want to avoid confusion for the junior team members. We're standardizing on Meraki for Wi-Fi, but it doesn't offer DHCP out of the box. Plus, managing DHCP on multiple platforms could get messy.

Yeah, that might just be the dealbreaker for me.