Decent DNS, DHCP and HTTP server on an ISR router

Readers of my blog have probably noticed that I’m occasionally documenting the shortcomings of DNS and DHCP servers built into Cisco IOS (I will not even mention the HTTP server, this one gets constantly degraded). On the other hand, although you could centralize all these services, the centralization makes the branch offices completely dependent on the availability of WAN uplinks; without a working uplink, a branch office stops completely.

When Cisco introduced AXP (Linux blade for the ISR routers), my first idea was: “now, that’s a platform on which you could implement proper DNS and HTTP server”. Not surprisingly, I was not the only one with the “brilliant” idea: Infoblox has partnered with Cisco to offer the set of IP servers one might need in a branch office on the AXP.

The only problem bugging AXP is its price: the low-end model costs $3500 (list price, without the Infoblox software). Cisco and Infoblox have flashy whitepapers “documenting” huge TCO savings, but both of them failed to share with us the input parameters, assumptions and calculations. All that’s left is a small graph showing the desired results. I’m not saying AXP is not more cost-effective than the alternative; I’m just not easily persuaded by nice-looking colorful horizontal bands. What’s your perspective? Would you replace branch servers with AXP?

Recent posts in the same categories

8 comments:

  1. Anonymous 30 January 2009 10:22
    Hi Ivan,

    Looks like the linksys WRT54G tons of software hacks "do whatever you want" evolution.
    Pretty interesting and nice idea to dig into softwares and rely on partners when Cisco cannot run a BU for a specific niche needed by customers which is missing from the portfolio (the first thing I think is vulnerability assessment and security audit as qualys products but i'm sure you think about other usage based on your experience).
    Anyway, like any other cisco products, the 3k$ step is still there. Looks like it can't be bypassed :)

    Globally, I think AXP very positive and more and more collaborative. The effective human network is approaching!
  2. Unknown 31 January 2009 01:04
    I would consider AXP as a viable option if opening new branch office. Many factors would come into play when making the decision. For example, if we were going to purchase new server hardware (one for each application), then $3500 for the AXP module alone may yield a significant cost savings out of the box.

    However, I would consider virtuilization as a strong competitor for APX. I believe Microsoft offers some advantageous licensing terms for server 2008 and Hyper-V that would allow all of the applications to run on a single physical server, again keeping costs down.

    I like the direction Cisco has taken with the AXP module. HP Procurve has released a similar product with their Procurve ONE module. The module allows other applications to run on the switch. The first applications offered is a BSD based firewall from Vantronix. I can see the ONE applications growing quickly to include other services.
  3. Anonymous 31 January 2009 16:31
    Interesting to notice the management of IP phones would be easier thanks to AXP, to me, that's definitely the target for this module.

    With regards to dns/http, why would you need to get this per branch if there are already a few at the HQ? For DHCP server, there might be some interest to make config a bit more granular.
    Based on the price, and in context of DNS/HTTP server, you can either go for ESXi and virtualize for non-critical/internal DNS/HTTP server or just embedded hardware running linux for a lot cheaper than 3k$. Also good to notice, I have not seen anything about resilience of such a solution...
  4. Anonymous 02 February 2009 17:24
    We use BT/INS IPControl for DNS/DHCP/IPAM and have these servers deployed in our data centers and large offices (large == > 500 people).. all other branches have their DNS/DHCP requests served over a WAN connection. This model works acceptably well for us. Windows workstations cache DNS requests, so even if there is a bit of latency to resolve the first request, the next ones by the same client are fast.. the DNS servers the workstations in the branches hit are caching resolvers, so there is a good chance that the DNS lookup is cached within the enterprise for these...
  5. Anonymous 02 February 2009 17:28
    At that price point, a Mac Mini with a reverse console from the AUX port on your router is much better value. If Cisco is planning on selling servers, they will need to learn how to be competitive.
  6. Borg 16 January 2017 09:53
    Hello Ivan. Is it viable to keep the authoritative DNS on a CISCO IOS 2900 series router ?
    I want to get rid of an old dying Auth DNS that I keep on an ancient server and I was thinking of moving it on the router.
  7. Borg 16 January 2017 09:53
    Hello Ivan. Is it viable to keep the authoritative DNS on a CISCO IOS 2900 series router ?
    I want to get rid of an old dying Auth DNS that I keep on an ancient server and I was thinking of moving it on the router.
    Replies
    1. Ivan Pepelnjak 16 January 2017 10:30
      I'm running DNS on my home router, and it's (somewhat) authoritative for the internal hosts. Would I run public-facing DNS on it? Absolutely not.
Add comment
Home
Sidebar