Cisco SG300-28 (L3) DHCP Relay and DHCP Server running?
I've replaced an edge switch (Catalyst) with a SG300-28 switch and it's in Layer 3 mode.
We simply have (5) VLANs that the switch handles.
(4) of the VLANs are set for DHCP Relay to my MS DC. Those are working great.
but...
The last VLAN is our guest wifi network, and I was hoping to serve out DHCP with a generic DNS from the switch itself. The guest networks do not need to access the other vlans, it should be self sufficient with just getting it's address from the switch.
I'm receiving an error when I attempt to turn the DHCP server on for the switch because it has the relay setup on the other vlans.
Am I not able to configure relays on 4 of my vlans and then have the switch server addressing on the final vlan at the same time?
Thanks!
We simply have (5) VLANs that the switch handles.
(4) of the VLANs are set for DHCP Relay to my MS DC. Those are working great.
but...
The last VLAN is our guest wifi network, and I was hoping to serve out DHCP with a generic DNS from the switch itself. The guest networks do not need to access the other vlans, it should be self sufficient with just getting it's address from the switch.
I'm receiving an error when I attempt to turn the DHCP server on for the switch because it has the relay setup on the other vlans.
Am I not able to configure relays on 4 of my vlans and then have the switch server addressing on the final vlan at the same time?
Thanks!
ASKER
The trouble isn't at the ACL. But I agree that's a must for security.
My issue is I'm unable to enable the switch's DHCP server option if I have the DHCP Relay assigned on the (4) VLANs.
When I check the "enable" checkbox to engage the DHCP server there is a warning:
My issue is I'm unable to enable the switch's DHCP server option if I have the DHCP Relay assigned on the (4) VLANs.
When I check the "enable" checkbox to engage the DHCP server there is a warning:
"Cannot enable DHCP server when relay is enabled."
Yes, you can't enable DHCP server while DHCP proxy is in use.
You can either create DHCP pool for that network on DC since you can't enable DHCP server on switch, or disable DHCP relay, enable DHCP server on switch and on VLAN interfaces you can create ip helper-address to point to DC as DHCP server for those 4 VLANs, and then wireless VLAN clients can get IP address from (no ip helper-address on VLAN interface that will point to DC).
You can either create DHCP pool for that network on DC since you can't enable DHCP server on switch, or disable DHCP relay, enable DHCP server on switch and on VLAN interfaces you can create ip helper-address to point to DC as DHCP server for those 4 VLANs, and then wireless VLAN clients can get IP address from (no ip helper-address on VLAN interface that will point to DC).
Dont apply an ip address to the vlan. and let the firewall/router do this. also add in youre firewall/router acl's to block traffic from and to youre guest network. then youre secure
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Stated above
Let's say that your wirelles network is in vlan 26
access-list 100 deny ip any 10.0.0.0 0.255.255.255
access-list 100 deny ip any 172.16.0.0 0.15.255.255
access-list 100 deny ip any 192.168.0.0 0.0.255.255
access-list 100 deny ip any 224.0.0.0 15.255.255.255
access-list 100 permit ip any any
# interface vlan 26
# ip access-group 100 in
This will only forward traffic that has public address space as destination address, rest of traffic will be dropped on VLAN interface.