Cisco Support Community

Configure multiple vlans on SG300 with DHCP via Relay Agent

This is a simple setup: I have one SG300 (SG-1) switch and two SG200 (SG-2 & SG-3) switches. I want to create multiple VLANs (VLAN 1 management assigned to GE1, VLAN 2 production spanning across the SG-1 and SG-2 switches, and VLAN 3 testing isolated to SG-3). There is a LAG between SG-1 and SG-2 and between SG-1 and SG-3. VLAN 2 will host the primary domain controller and local computers. Both DHCP and DNS are installed on DC-1 and will provide addressing and resolution for the entire test.local. Also, an ASA-5505 firewall is connected to VLAN 2 (internet connection), no DHCP. A secondary controller called DC-2 will be placed in VLAN 3.

I already configured each VLAN's subnet in AD Sites & Services and created two DHCP scopes, one for each subnet. What I need is some help with configuring VLANs, the IP helper that points to DHCP, LAGs and whatever I forgot that makes this setup work.



Hello Alex,

I think I get the idea, let me see if I can come up with a solution.

First thing we need to figure out is where the routing is going to happen.  I know you said you wanted to isolate some of the VLANs, but since you only have 1 layer 3 switch and the ASA something is going to have to do the routing.  I know the ASA can be a bit of a pain routing internally so I would recommend doing that with your SG300.

The topology you attached makes sense, we just need to clarify a few things.  This all assumes the SG300 is going to be doing the inter-VLAN routing, only using the ASA for anything not directly connected.

Your SG300 will be in layer 3 mode.  All 3 VLANs will exist on it.  You will also need to create an IP interface on each VLAN on the SG300, this will act as the default gateway for each VLAN.

Since each of your SG200s will only have one VLAN on them, you can configure the LAGs to each switch as either trunks with the correct VLAN untagged or access ports in the correct VLAN for each switch (both have the same effect).

Since SG-2 will be only production VLAN, you can make all ports access ports in the production VLAN. The same goes for SG-3 and the testing VLAN.

On SG-1 you can set all the DC and appropriate hosts to the production VLAN, and your port 1 to Access in the management VLAN.  

At this point everyone in the production network will get DHCP from DC-1 (and assuming the DHCP scope is set, DNS as well) and everyone in the testing network will get DHCP from DC-2, since these hosts are all in the same subnet/VLAN.

If you need to setup some sort of DHCP relay, the only networks without DHCP at this point are the management and the DMZ.  You can either setup DHCP relay to one of your DCs or setup DHCP on the SG300 itself.  Let me know if you need any help there.

The three VLANs will be isolated into separate broadcast domains; however, if you wanted to completely block communication between VLANs, set up an ACL on the SG300 or ASA (whichever one is doing the inter-VLAN routing) to block those two networks from communicating.  However, if you want all three VLANs to use DC-1 as a DNS server you will need to allow that traffic through.

Let me know if that helps any, or if I missed anything,

Christopher Ebert - Network Support Engineer 

Cisco Small Business Support Center
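The SG300 CLI configuration that implements the answer above (Layer 3 mode, three VLANs with IP interfaces, access ports, two LACP LAGs, DHCP relay for the management VLAN, and an optional ACL that lets the testing VLAN reach DC-1 only for DNS). This is an added example, not configuration from the original post or from Cisco. The addressing (VLAN 1 = 192.168.1.0/24, VLAN 2 = 192.168.2.0/24, VLAN 3 = 192.168.3.0/24, DC-1 = 192.168.2.10, ASA inside = 192.168.2.254), the port numbers and the ACL name TEST-TO-PROD are all assumptions; adjust them to your switch model and plan.

```cisco
! SG-1 (SG300). Assumed addressing and port numbers, see lead-in.
! Step 0: Layer 3 mode. This reloads the switch and clears the running config,
! so do it first, then reconnect and enter the rest.
set system mode router

configure terminal
vlan database
 vlan 2-3
exit

! One IP interface per VLAN; each becomes that VLAN's default gateway.
interface vlan 1
 name management
 ip address 192.168.1.1 255.255.255.0
exit
interface vlan 2
 name production
 ip address 192.168.2.1 255.255.255.0
exit
interface vlan 3
 name testing
 ip address 192.168.3.1 255.255.255.0
exit
! Anything not directly connected goes to the ASA inside interface (assumed address).
ip route 0.0.0.0 0.0.0.0 192.168.2.254

! GE1 = management access port
interface gigabitethernet 1
 switchport mode access
 switchport access vlan 1
exit
! DC-1, the ASA and local production hosts (port range assumed)
interface range gigabitethernet 2-8
 switchport mode access
 switchport access vlan 2
exit
! LAG 1 to SG-2 (production) and LAG 2 to SG-3 (testing), LACP, member ports assumed.
! The SG200 side must use the same mode (LACP) and the same single VLAN.
interface range gigabitethernet 9-10
 channel-group 1 mode auto
exit
interface range gigabitethernet 11-12
 channel-group 2 mode auto
exit
interface port-channel 1
 switchport mode access
 switchport access vlan 2
exit
interface port-channel 2
 switchport mode access
 switchport access vlan 3
exit

! DHCP relay for the only VLAN without a local DHCP server (management), pointed at DC-1.
! Relayed requests carry giaddr 192.168.1.1, so DC-1 needs a scope for 192.168.1.0/24.
ip dhcp relay enable
ip dhcp relay address 192.168.2.10
interface vlan 1
 ip dhcp relay enable
exit

! Optional: block testing -> production except DNS to DC-1. Applied on ingress of the
! LAG from SG-3. ACEs are evaluated in order and the list ends in an implicit deny,
! so the final permit keeps everything else (including intra-VLAN 3 traffic) working.
ip access-list extended TEST-TO-PROD
 permit udp 192.168.3.0 0.0.0.255 any 192.168.2.10 0.0.0.0 53
 permit tcp 192.168.3.0 0.0.0.255 any 192.168.2.10 0.0.0.0 53
 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip any any
exit
interface port-channel 2
 service-acl input TEST-TO-PROD
exit
end
write memory

! Checks: VLAN membership, LAG state, IP interfaces, relay targets, ACL hits
show vlan
show interfaces port-channel 1
show ip interface
show ip dhcp relay
show access-lists
```

On the SG200s (GUI-managed), make every port including the LAG members an access port in the single VLAN that switch carries (VLAN 2 on SG-2, VLAN 3 on SG-3), matching the access mode used on the SG300's port-channel interfaces. Note that the ACL as written also blocks DC-2 in VLAN 3 from reaching DC-1 for anything but DNS; since DC-2 is meant to be a secondary domain controller it needs replication traffic to DC-1, so either add permits for DC-2 ahead of the deny or leave the ACL off until that is sorted out.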

