Kevin D asked:
Advice for configuration of VLANs and DHCP

I am wondering the best way to configure this scenario:

I have 2 VLANs - 10.106.4.0/24 and 10.100.134.0/24.

Both are configured on a Juniper EX2300 switch. That switch is connected to 2 firewalls (Cisco ASA 5506) with interfaces at 10.106.4.1 and 10.100.134.1 respectively.

VLANs are set up with addresses of 10.106.4.254 and 10.100.134.254

I have one Windows 2016 server providing DHCP addresses at 10.106.4.200

A couple of questions:

1. How can I set up the next hop for the switch VLANs so that traffic passes from 10.106.4.254 to 10.106.4.1 and from 10.100.134.254 to 10.100.134.1?

2. Can the server at 10.106.4.200 provide DHCP scope for both VLANs? Will I need relays on the EX2300 for both VLANs or will the one for 10.106.4.0/24 subnet auto resolve and the one for 10.100.134.0/24 require a relay? How do I set this up on the Juniper?

Any help and suggestions would be great. The reason for the 2 firewalls is one is connected to a franchisee who refuses to allow any other traffic on their network (10.106.4.0/24) apart from workstations attached to their subnet. All other traffic (phone, surveillance systems, etc.) must use the other firewall and VLAN.
Soulja replied:

Have you considered using the dhcp server feature on the ASA?
If you do go the Juniper switch route, I am pretty positive you will need to configure layer 3 interfaces in order to DHCP relay the DHCP broadcasts towards the Windows server. The ASA will essentially need to just allow the DHCP traffic through. I would allow it bidirectional to ensure it works. I don't think you will need to DHCP relay on the destination VLAN.
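The relay setup Soulja describes, as an added Junos configuration example (not the poster's or Soulja's own config). It assumes the EX2300 runs an ELS release (routed VLAN interfaces are `irb.N`), that the VLAN IDs are 4 and 134 (placeholders; use your real tags), and that the gateway addresses and the DHCP server address are the ones given in the question:

```junos
# Added example: DHCP relay on a Juniper EX2300 (ELS, irb interfaces).
# VLAN IDs 4 and 134 are assumed placeholders; addresses are from the question.

# Routed (layer 3) interfaces for both VLANs
set vlans VLAN4 vlan-id 4
set vlans VLAN4 l3-interface irb.4
set vlans VLAN134 vlan-id 134
set vlans VLAN134 l3-interface irb.134
set interfaces irb unit 4 family inet address 10.106.4.254/24
set interfaces irb unit 134 family inet address 10.100.134.254/24

# The Windows DHCP server that relayed requests are unicast to
set forwarding-options dhcp-relay server-group WIN-DHCP 10.106.4.200
set forwarding-options dhcp-relay active-server-group WIN-DHCP

# Only the VLAN that does NOT contain the server needs the relay:
# clients in 10.106.4.0/24 reach 10.106.4.200 by broadcast on their own VLAN,
# so irb.4 is deliberately left out of the relay group.
set forwarding-options dhcp-relay group RELAY-VLANS interface irb.134
```

The relayed request reaches 10.106.4.200 with the relay agent address (giaddr) set to 10.106.4.254's counterpart on that VLAN, 10.100.134.254, so the Windows server must have a second scope for 10.100.134.0/24 whose router option (003) is 10.100.134.254; without that scope the server simply ignores the relayed discover. Because server and switch share the 10.106.4.0/24 VLAN, the relayed unicast never crosses either ASA. After a client renews, `show dhcp relay binding` and `show dhcp relay statistics` on the switch confirm the relay is forwarding and seeing replies.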
Kevin D (asker) replied:

Soulja: I have the VLANs routing using layer 3 already, using gateway addresses of 10.106.4.254 and 10.100.134.254 for each VLAN. However, now I cannot get internet access. I tried to add a static route for 10.100.134.0/24 to 10.100.134.1 but this still did not work. This is my first time using Juniper switches as I normally prefer Cisco.
Yes, the issue is that using two ASAs as separate default gateways, you can only specify one as the default gateway to the internet. Not per VLAN. The only way around it would be to use policy-based routing that would base the next hop off of the source network.
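On Junos the source-based next hop described above is done with filter-based forwarding (FBF): a firewall filter on the VLAN's irb interface steers packets into a forwarding routing instance that carries its own default route. The following is an added example configuration, not the poster's or Soulja's own; it assumes irb.4 (10.106.4.254/24) and irb.134 (10.100.134.254/24) as in the question, the instance and filter names are placeholders, and it assumes the EX2300's Junos release supports FBF (confirm in Juniper's Feature Explorer before relying on it):

```junos
# Added example: per-VLAN default gateway with filter-based forwarding.
# Instance, filter and term names are placeholders; addresses are from the question.

# One forwarding instance per firewall, each holding its own default route
set routing-instances TO-ASA-FRANCHISE instance-type forwarding
set routing-instances TO-ASA-FRANCHISE routing-options static route 0.0.0.0/0 next-hop 10.106.4.1
set routing-instances TO-ASA-INTERNAL instance-type forwarding
set routing-instances TO-ASA-INTERNAL routing-options static route 0.0.0.0/0 next-hop 10.100.134.1

# Copy the directly connected irb routes into both instances so the
# next hops (and inter-VLAN destinations) resolve inside them
set routing-options rib-groups FBF-RIB import-rib [ inet.0 TO-ASA-FRANCHISE.inet.0 TO-ASA-INTERNAL.inet.0 ]
set routing-options interface-routes rib-group inet FBF-RIB

# Classify traffic by source subnet. Local destinations are accepted first
# so inter-VLAN traffic stays in inet.0 instead of being pushed at a firewall.
set firewall family inet filter FBF term LOCAL from destination-address 10.106.4.0/24
set firewall family inet filter FBF term LOCAL from destination-address 10.100.134.0/24
set firewall family inet filter FBF term LOCAL then accept
set firewall family inet filter FBF term FRANCHISE from source-address 10.106.4.0/24
set firewall family inet filter FBF term FRANCHISE then routing-instance TO-ASA-FRANCHISE
set firewall family inet filter FBF term INTERNAL from source-address 10.100.134.0/24
set firewall family inet filter FBF term INTERNAL then routing-instance TO-ASA-INTERNAL
set firewall family inet filter FBF term DEFAULT then accept

# Apply the filter on ingress of both routed VLAN interfaces
set interfaces irb unit 4 family inet filter input FBF
set interfaces irb unit 134 family inet filter input FBF
```

Check the result with `show route table TO-ASA-FRANCHISE.inet.0` and `show route table TO-ASA-INTERNAL.inet.0` (each should show its 0.0.0.0/0 plus the two irb subnets) and `show firewall filter FBF` to see term counters move as hosts in each VLAN browse. The `LOCAL` term is also the place the franchisee's isolation requirement from the question is enforced: if the 10.106.4.0/24 VLAN must not talk to the other VLAN at all, make that term `discard` for cross-VLAN pairs instead of `accept`, so the switch never routes between them.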