Thursday, August 2, 2018

When connected to any switch port, DHCP can get addresses from two different VLANs

I've been managing a small network and the main devices include a Meraki MX84 as our router/firewall and two Cisco SG500 switches in stacked mode.

The MX84 is our DHCP server for all VLANs on the network. The network only uses one VLAN for all devices, but I'm attempting to add a new VLAN that is entirely segmented from the other VLAN for lab and testing purposes. Let's say my main VLAN is VLAN 1 and the one I just made is VLAN 2. The MX84 runs a DHCP server for both. I have two ports on the MX84 that connect to each SG500 and only allow VLAN 1. I have another port on the MX84 that connects to a switch and only allows VLAN 2. Subsequently, I have 7 ports on a SG500 where the default VLAN is 2. All other ports are VLAN 1.

The problem I'm having is that if I connect to the switch, it can grab a DHCP address from either the VLAN 1 subnet or VLAN 2 subnet, no matter what port I plug it into. This is a major issue because in my MX84, I have blocked traffic between VLAN 1 and VLAN 2.

For the record, all ports on both switches are configured as trunk ports. Is this the issue? Minus the ports that connect to the MX84, do the ports need to be access ports? We have another corporate network I've worked on that is configured a similar way with no issues (unless I got lucky).
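One defender-side check for the symptom described in the post, as an added example that is not from the original post: capture the DHCP offers a test host receives on each switch port and flag any port where offers arrive from more than one subnet. The DHCP payloads, subnets, server addresses and port names below are constructed for the demonstration.

```python
import ipaddress
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
OFFER = 2                     # value of option 53 (message type) for a DHCPOFFER

def build_offer(xid, yiaddr, mask, server):
    """Constructed sample DHCPOFFER payload (BOOTP header + options) for exercising the audit."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, xid, 0, 0, b"\0" * 4, ip(yiaddr), ip(server), b"\0" * 4)
    hdr += b"\0" * (16 + 64 + 128)                      # chaddr, sname, file (unused here)
    opts = bytes([53, 1, OFFER, 1, 4]) + ip(mask) + bytes([54, 4]) + ip(server) + b"\xff"
    return hdr + MAGIC + opts

def parse_offer(pkt):
    """Return (offered address, subnet mask, server id) for a DHCPOFFER, else None."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:               # 255 = end option
        if pkt[i] == 0:                                 # 0 = pad, has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    if opts.get(53) != bytes([OFFER]) or 1 not in opts or 54 not in opts:
        return None
    return tuple(ipaddress.IPv4Address(b) for b in (pkt[16:20], opts[1], opts[54]))

def audit_offers(observations):
    """observations: (switch port, raw DHCP payload) pairs. Returns {port: {subnet: [server ids]}}
    for ports that saw offers from more than one subnet, which is the symptom in the post."""
    seen = defaultdict(lambda: defaultdict(set))
    for port, pkt in observations:
        parsed = parse_offer(pkt)
        if parsed:
            yiaddr, mask, server = parsed
            net = ipaddress.IPv4Network(f"{yiaddr}/{mask}", strict=False)
            seen[port][str(net)].add(str(server))
    return {p: {n: sorted(s) for n, s in nets.items()} for p, nets in seen.items() if len(nets) > 1}

# Constructed sample (RFC 5737 ranges, made-up port names): gi1/1/5 sees offers from two subnets, gi1/1/9 from one.
SAMPLE = [
    ("gi1/1/5", build_offer(0x1001, "192.0.2.50", "255.255.255.0", "192.0.2.1")),
    ("gi1/1/5", build_offer(0x1002, "198.51.100.20", "255.255.255.0", "198.51.100.1")),
    ("gi1/1/9", build_offer(0x1004, "198.51.100.21", "255.255.255.0", "198.51.100.1")),
]
FLAGGED = audit_offers(SAMPLE)   # {'gi1/1/5': {'192.0.2.0/24': ['192.0.2.1'], '198.51.100.0/24': ['198.51.100.1']}}
```

With a real capture, the UDP payloads of packets arriving on port 68 at the test host go into `observations`; the script parses only the DHCP payload, not the Ethernet or IP headers.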


