05-13-2007 02:02 PM - edited 03-05-2019 04:02 PM
Can anyone give me some tips or point me to some documentation on setting up a Catalyst 4500 series with VLANs and a Windows 2003 server with associated DHCP scopes? Just out of curiosity, what is a good VLAN design for a college? I was thinking a student, a staff, a faculty, and a guest and/or mgmt VLAN. Also, on the guest VLAN, how would I set up an outbound ACL to only allow port 80 traffic? Thanks in advance.
05-13-2007 11:02 PM
Hi
Try to limit the number of users per VLAN to no more than a class C subnet if you can. We use half a class C (a /25 network) in our offices.
If you can break up the VLANs to match the different types of users, then that would be a good start. It means you can, further down the line, apply different security policies to the different VLANs, which in your situation you may well want to do. Don't worry if, for example, you need to use 2 or 3 VLANs for students; it's not a problem.
Attached is a link for 4500 configuration. You need to look at the following chapters primarily
1) Configuring VLANs, VTP & VMPS.
2) Configuring Layer 3 interfaces. Look at the section on logical Layer 3 SVIs.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/conf.html
On the guest VLAN you would need something like the following (assuming the guest VLAN subnet range is 192.168.1.0/24):
! extended ACLs take a wildcard mask (0.0.0.255 for a /24), not a subnet mask
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 120 deny ip 192.168.1.0 0.0.0.255 any
! (every Cisco ACL ends with an implicit deny; the explicit deny just makes it visible and countable)
and apply it inbound on the VLAN interface, i.e. if your VLAN for guest users is VLAN 20:
switch(config)# interface vlan 20
switch(config-if)# ip access-group 120 in
As for the W2003 server, I've not done much with Windows. You will need DHCP manager, which should be under admin tools. Make sure you exclude the addresses for each subnet that you allocate to the 4500 Layer 3 interfaces, i.e.
switch(config)# interface vlan 20
! the SVI address becomes the default gateway for the VLAN
switch(config-if)# ip address 192.168.1.1 255.255.255.0
In your DHCP scope 192.168.1.1 will be the default gateway for your clients and you should exclude this from the scope.
Hope this is enough to get you started
Jon
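To check what the guest ACL above actually lets through before applying it on the SVI, here is a small evaluator of Cisco wildcard-mask ACL semantics run over a few constructed packets. It is an added example, not code from the thread or from Cisco; the packet samples and the ACE tuple layout are my own, and it applies the ACL to every inbound packet, so the second case shows why the mask position matters (255.255.255.0 as a wildcard only matches hosts ending in .0).

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bit = must match, 1 bit = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def evaluate(acl, pkt):
    """Action of the first matching ACE, else the implicit deny at the end of every ACL."""
    for action, proto, src, swc, dst, dwc, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], src, swc):
            continue
        if not wildcard_match(pkt["dst"], dst, dwc):
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' keyword expanded to base/wildcard

# ACE layout (assumed): (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port)
GUEST_ACL = [                           # wildcard written correctly for a /24
    ("permit", "tcp", "192.168.1.0", "0.0.0.255", *ANY, 80),
    ("deny",   "ip",  "192.168.1.0", "0.0.0.255", *ANY, None),
]
GUEST_ACL_SUBNET_MASK = [               # subnet mask typed in the wildcard position
    ("permit", "tcp", "192.168.1.0", "255.255.255.0", *ANY, 80),
    ("deny",   "ip",  "192.168.1.0", "255.255.255.0", *ANY, None),
]

# Constructed sample traffic from a guest host plus its initial DHCP discover.
SAMPLE_PACKETS = {
    "web":  {"proto": "tcp", "src": "192.168.1.57", "dst": "203.0.113.10", "dport": 80},
    "ssh":  {"proto": "tcp", "src": "192.168.1.57", "dst": "203.0.113.10", "dport": 22},
    "dns":  {"proto": "udp", "src": "192.168.1.57", "dst": "203.0.113.53", "dport": 53},
    "dhcp_discover": {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67},
}

def results(acl):
    """Map each sample packet name to permit/deny under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}

if __name__ == "__main__":
    print("correct wildcard:", results(GUEST_ACL))
    print("subnet mask typed as wildcard:", results(GUEST_ACL_SUBNET_MASK))
```

Note that with the correct mask the DHCP discover and DNS queries are also denied, since the ACL only permits TCP 80; if guests are expected to get addresses through the helper and resolve names, those flows need their own permit entries ahead of the deny, and the evaluator is an easy place to confirm that before touching the switch.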
05-14-2007 06:23 AM
Hey Jon, thanks for all the info. Do I need an IP helper address for the various VLANs to find the VLAN that the DHCP server is on and the internet interface/VLAN? How does the DHCP server know what IP subnet to give the nodes on the different VLANs? Thanks again.
05-14-2007 06:29 AM
Hi
Yes, you will need an ip helper-address on each client VLAN pointing to the DHCP server.
The router knows the interface the DHCP request came in on, so when it turns the broadcast from the client into a unicast to the DHCP server it uses the IP address of the VLAN interface it came in on.
HTH
Jon