We have six new Cisco SG-300 switches of varying port capacity. Here's how they're connected to each other:
We have outgrown our flat network and are looking to VLAN to improve performance, security and capacity.
I would like to create 3 VLANS, 1 of which will be "in scope" and subject to increased security and stricter access rules. Users within the other 2 VLANS should not be able to access resources within VLAN1.
Currently, we have Spanning Tree enabled with SW1 as the root bridge.
Subordinate bridge IDs have been assigned to the other 5 switches.
SW1 is in Layer 3 mode, all the other switches are in Layer 2 mode.
Currently, SW1 is configured to use the network gateway for external access.
All other switches use SW as their gateway.
Question 1: Is it proper to only have 1 switch (SW1) in Layer 3 mode?
Question 2: What is the desired VLAN approach for the environment as described?
Question 3: With a single DHCP server available, how will this traffic traverse the 3 VLANs?
Your VLAN approach is fine; each VLAN's default gateway would be a Switched Virtual Interface on the core switches (if you are doing VRRP, both core switches will have their own unique IPs and share a virtual IP via VRRP; each VLAN uses the VRRP IP as its default gateway).
DHCP with a single server works by using DHCP relay. This is found under "IP Configuration", then "DHCP", then "Properties". Simply select to enable the DHCP relay and, at the bottom, put your DHCP server in the table. You then just set up your different scopes for the VLANs on your DHCP server.
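As an added illustration (not from the original post or the answer above), the following Python model evaluates first-match inbound ACLs per VLAN for the policy the question describes, and shows why the client's DHCP broadcast and the relay agent's own packets must stay permitted when the single DHCP server sits in the protected VLAN. The subnets, SVI addresses and DHCP server address are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan: the post names no subnets, so these are assumptions.
VLANS = {
    1: ip_network("10.0.1.0/24"),  # "in scope" VLAN, stricter access rules
    2: ip_network("10.0.2.0/24"),
    3: ip_network("10.0.3.0/24"),
}
SVI = {vid: net[1] for vid, net in VLANS.items()}  # SVI on SW1 is .1 in each VLAN
DHCP_SERVER = ip_address("10.0.1.10")             # single DHCP server, placed in VLAN 1
ANY = ip_network("0.0.0.0/0")
BCAST = ip_network("255.255.255.255/32")
UNSPEC = ip_network("0.0.0.0/32")

def ingress_acl(vid):
    """Ordered, first-match ACL for traffic entering the VLAN's SVI on SW1.
    Tuple: (action, src_net, dst_net, proto, dst_port); None = wildcard."""
    if vid == 1:
        return [("permit", ANY, ANY, None, None)]
    return [
        # DHCP DISCOVER/REQUEST from an unconfigured client: must pass so the
        # relay agent on the SVI can forward it to DHCP_SERVER.
        ("permit", UNSPEC, BCAST, "udp", 67),
        ("permit", VLANS[vid], BCAST, "udp", 67),    # rebind broadcast
        ("deny", VLANS[vid], VLANS[1], None, None),  # VLAN 2/3 may not reach VLAN 1
        ("permit", ANY, ANY, None, None),
    ]

def allowed(ingress_vid, src, dst, proto=None, dport=None):
    src, dst = ip_address(src), ip_address(dst)
    for action, s, d, p, port in ingress_acl(ingress_vid):
        if src in s and dst in d and p in (None, proto) and port in (None, dport):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def relay_hop(client_vid):
    """Packet the relay agent sends for a client: sourced from the SVI (giaddr),
    unicast to the server, so it enters the network from SW1 itself."""
    return str(SVI[client_vid]), str(DHCP_SERVER)

def reply_allowed(client_vid):
    """DHCP OFFER/ACK comes back from the server, inside VLAN 1, to the giaddr."""
    return allowed(1, str(DHCP_SERVER), str(SVI[client_vid]), "udp", 67)

if __name__ == "__main__":
    print(allowed(2, "10.0.2.50", "10.0.1.20", "tcp", 445))  # False: blocked
    print(allowed(2, "0.0.0.0", "255.255.255.255", "udp", 67), relay_hop(2))
```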