Cisco 3750 VLAN DHCP ACL requirements configuration

Source: Internet
Author: User
Tags: reserved, domain, server, firewall

I. Requirements
1. Create three VLANs

VLAN 2  Server  ports 1-8

VLAN 3  work01  ports 9-16

VLAN 4  work02  ports 17-24

2. Gateway addresses

192.168.2.1/24

192.168.3.1/24

192.168.4.1/24

3. DHCP and reserved addresses

Enable DHCP on each subnet and reserve xx.2-xx.10 in each for static use. 192.168.2.10/24 is reserved for the AD domain server, which also acts as the DNS server; 114.114.114.114 and 8.8.8.8 are handed out as two additional alternate DNS servers.

4. Routing

The next hop for all intranet hosts' outbound traffic is 192.168.1.2, the IP of the Juniper firewall.

5. ACL rules

VLAN 3 and VLAN 4 may not reach each other, but both may reach the server VLAN 2; the access list's default rule denies all other packets.

II. Configuration commands and procedure
Step one: Create the VLANs

Switch>enable
Switch#vlan database
Switch(vlan)#vlan 2 name Server
Switch(vlan)#vlan 3 name work01
Switch(vlan)#vlan 4 name work02

Note: VLAN database mode is deprecated on current IOS releases; the same VLANs can be created from global configuration mode with vlan 2 followed by name Server, and so on.

Step two: Set the VLAN interface IP addresses

Switch#configure terminal
Switch(config)#interface vlan 2
Switch(config-if)#ip address 192.168.2.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#interface vlan 3
Switch(config-if)#ip address 192.168.3.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#interface vlan 4
Switch(config-if)#ip address 192.168.4.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit

Note: Because no ports have been assigned to VLANs 2, 3 and 4 yet, each VLAN interface stays down; it comes up once a port assigned to that VLAN has link.

Step three: Set the port parameters for the whole range

Switch(config)#interface range gigabitethernet1/0/1-24
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#spanning-tree portfast

Note: The switchport mode access line can be omitted here. Access mode is intended for ports that connect end hosts such as PCs and servers, that is, access-layer ports; see the relevant documents in the Baidu library for details.

Step four: Add the ports to their VLANs

/* Add ports 1-8 to VLAN 2 */
Switch(config)#interface range gigabitethernet1/0/1-8
Switch(config-if-range)#switchport access vlan 2
/* Add ports 9-16 to VLAN 3 */
Switch(config)#interface range gigabitethernet1/0/9-16
Switch(config-if-range)#switchport access vlan 3
/* Add ports 17-24 to VLAN 4 */
Switch(config)#interface range gigabitethernet1/0/17-24
Switch(config-if-range)#switchport access vlan 4
Switch(config-if-range)#exit

Note: After this step the VLAN interfaces come up (as soon as a port in each VLAN has link).

Step five: Configure the DHCP server and address pools

/* Address pool for VLAN 2 and its parameters; configure one pool per VLAN */
Switch(config)#ip dhcp pool Test01
/* Subnet the pool hands out */
Switch(dhcp-config)#network 192.168.2.0 255.255.255.0
/* DNS servers: the AD server first, then the two alternates */
Switch(dhcp-config)#dns-server 192.168.2.10 114.114.114.114 8.8.8.8
/* Gateway for this subnet */
Switch(dhcp-config)#default-router 192.168.2.1
/* Address pool for VLAN 3 and its parameters */
Switch(config)#ip dhcp pool Test02
Switch(dhcp-config)#network 192.168.3.0 255.255.255.0
Switch(dhcp-config)#dns-server 192.168.2.10 114.114.114.114 8.8.8.8
Switch(dhcp-config)#default-router 192.168.3.1
/* Address pool for VLAN 4 and its parameters */
Switch(config)#ip dhcp pool Test03
Switch(dhcp-config)#network 192.168.4.0 255.255.255.0
Switch(dhcp-config)#dns-server 192.168.2.10 114.114.114.114 8.8.8.8
Switch(dhcp-config)#default-router 192.168.4.1

Note: DHCP pools are tied to VLANs by IP subnet, not by name: the pool's network must match the subnet of the VLAN interface and its default-router must be that interface's address. From the VLAN a physical port belongs to you can therefore tell which pool, if any, a host plugged into that port will get an address from.

Step six: Exclude the reserved addresses from DHCP assignment

Switch(config)#ip dhcp excluded-address 192.168.2.2 192.168.2.10
Switch(config)#ip dhcp excluded-address 192.168.3.2 192.168.3.10
Switch(config)#ip dhcp excluded-address 192.168.4.2 192.168.4.10

Note: Each excluded range covers xx.2-xx.10, so the AD/DNS server address 192.168.2.10 is never leased to a client. Excluded addresses are configured globally rather than per pool.

Step seven: Enable IP routing and add a static default route

/* Once this is configured, the VLANs can reach each other */
Switch(config)#ip routing
/* Static default route: all traffic for networks outside the intranet is sent to the Juniper firewall */
Switch(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2

Note: The next hop 192.168.1.2 must be on a subnet directly connected to the switch; the listing above shows no interface in 192.168.1.0/24, so one has to exist for the default route to be usable. Enabling ip routing by itself lets every VLAN reach every other VLAN, which is why the access lists in the next step are needed.

Step eight: Configure the access control lists

/* The list numbers are missing from the source listing; 101 (VLAN 3) and 102 (VLAN 4) are assumed here */
/* List for VLAN 3: reach the server VLAN 2, allow DHCP and TFTP; everything else is dropped */
Switch(config)#access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
Switch(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
Switch(config)#access-list 101 permit udp any any eq bootpc
Switch(config)#access-list 101 permit udp any any eq tftp
Switch(config)#access-list 101 permit udp any eq bootpc any
/* List for VLAN 4, mirroring the VLAN 3 list */
Switch(config)#access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
Switch(config)#access-list 102 permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
Switch(config)#access-list 102 permit udp any any eq bootpc
Switch(config)#access-list 102 permit udp any any eq tftp
Switch(config)#access-list 102 permit udp any eq bootpc any

Note: Two entries in each list were truncated in the source and are left out above. Every IOS access list ends with an implicit deny ip any any, which is what gives the "deny everything else" default from the requirements; it also means that traffic from VLAN 3 and VLAN 4 towards the default route (the Juniper firewall) and towards the alternate DNS servers 114.114.114.114 and 8.8.8.8 is dropped unless it is permitted explicitly.

Step nine: Apply the access control lists

/* Apply the lists to VLAN 3 and VLAN 4; VLAN 2 needs none. Inbound on the VLAN interface filters traffic sent by the hosts in that VLAN. The list numbers and the in direction are not in the source and are assumed here */
Switch(config)#interface vlan 3
Switch(config-if)#ip access-group 101 in
Switch(config-if)#interface vlan 4
Switch(config-if)#ip access-group 102 in
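To check that the lists from steps eight and nine actually enforce the requirements before applying them on the switch, the following added example (not from the original page) parses the VLAN 3 list in IOS numbered-extended syntax and evaluates constructed flows against it, including IOS's implicit deny at the end of every list. The list number 101 and the sample hosts are assumptions.

```python
import ipaddress
# Constructed ACL for the VLAN 3 SVI, in the page's numbered-extended syntax.
# The ACL number (101) is an assumption: the page's listing lost it.
ACL_VLAN3 = """
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq tftp
access-list 101 permit udp any eq bootpc any
"""
PORTS = {"bootps": 67, "bootpc": 68, "tftp": 69}  # IOS port keywords used above
def _addr(tokens):
    """Consume 'any' or 'A.B.C.D wildcard'; ipaddress accepts a hostmask as prefix."""
    tok = tokens.pop(0)
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else f"{tok}/{tokens.pop(0)}")

def _port(tokens):
    """Consume an optional 'eq <port>'; None means any port."""
    if not tokens or tokens[0] != "eq":
        return None
    _, name = tokens.pop(0), tokens.pop(0)
    return int(PORTS.get(name, name))

def parse_acl(text):
    """Return ACEs as (action, proto, src_net, src_port, dst_net, dst_port) tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list":
            rest = t[4:]
            src, sport = _addr(rest), _port(rest)
            dst, dport = _addr(rest), _port(rest)
            aces.append((t[2], t[3], src, sport, dst, dport))
    return aces

def evaluate(aces, proto, src, sport, dst, dport):
    """First matching ACE wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in aces:
        if p in ("ip", proto) and s in snet and d in dnet and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"

def check_vlan3_policy():
    """Evaluate the page's requirements as constructed flows entering the switch from VLAN 3."""
    acl = parse_acl(ACL_VLAN3)
    return {
        "vlan3_to_server": evaluate(acl, "tcp", "192.168.3.20", 50000, "192.168.2.10", 445),
        "vlan3_to_vlan4": evaluate(acl, "tcp", "192.168.3.20", 50000, "192.168.4.20", 445),
        "dhcp_discover": evaluate(acl, "udp", "0.0.0.0", 68, "255.255.255.255", 67),
        "vlan3_dns_to_8888": evaluate(acl, "udp", "192.168.3.20", 50000, "8.8.8.8", 53),
    }
```

The last flow shows the side effect of the implicit deny: a VLAN 3 host's query to the alternate DNS server 8.8.8.8 that the pool hands out is dropped, so such traffic has to be permitted explicitly if it is wanted.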

Step ten: Save the configuration and confirm it

Switch#write memory
Switch#show running-config

/* Prints all of the configuration entered above */
III. Testing
After finishing the configuration, connect a PC to a port in each VLAN and check whether it obtains an address; then use two PCs in different VLANs to test whether they can reach each other as the access lists intend (VLAN 3 and VLAN 4 reach VLAN 2 only, not each other).

Original from: 361way.com
