Ok had a few days spare so got to tackling this! Sure is fighting me...
So, to recap (mostly for my benefit here) we had a VLAN (35) which I want to make into a closed/switch-to-switch VLAN with its own dedicated interface on our firewall here. Firewall is to act as DHCP server for this VLAN only and allow the traffic direct out to the world whilst stopping it getting back onto our LAN or pinging it to keep it isolated as it's for guest wifi. As it was until this morning our LAN DHCP server did DHCP duty for it.
Went into the core then and put a single access interface on VLAN 35, plugged the cable in to the firewall.
On the Cisco core, in IP configuration > IPv4 Mgmt and Interface > IPv4 interface and deleted the SVI/interface listing for VLAN 35. I shouldn't imagine it'd need this for the VLAN to operate in the way I'm thinking, so this went.
Next, disabled the scope on the DHCP server.
Next, back on the core, went to IP configuration > IPv4 Mgmt and Interface > DHCP Snooping/Relay > Interface settings and deleted the entry for VLAN 35, my thinking being I don't want it sending DHCP requests to any of the listed DHCP servers.
The goal I had in mind was for it to operate like an old school network did, pre-VLANs. As in clients join the wifi at the WAPs with password, send a DHCP discover, firewall answers and gives an IP and then all works and the switching is effectively "dumb" to the lot!
I cannot get this working though, and cryptically clients joining this way are getting IPs in a totally different subnet on the DHCP server (!!!)
I have no idea what's doing this at this point lol! So thought I'd appeal to anyone passing for any ideas or thoughts. Or comforting words would do too!
Happy new year to anybody reading there and very grateful for any thinking on it.
