Switch DNS-server

MARVIN SPITERI
Level 1

Is there any Cisco IOS, perhaps IP Services, that can be configured as a DNS server itself? This would be useful in a lab setup using Wireless LAN Controllers so that APs can use DNS for WLC discovery without the need for an actual DNS server.

1 Accepted Solution

The ip dns server command is introduced in IOS 12.2(4)T, but not in the IOS 12.2SE.

http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_08.html#wp1011412

Regards,

jerry

15 Replies

Reza Sharifi
Hall of Fame

Hello MARVIN,

Cisco routers or switches cannot be configured as DNS servers.

HTH

Reza

Ganesh Hariharan
VIP Alumni

Hi,

A Cisco router can be configured to act as an authoritative DNS server. Check out the configuration commands below to configure a Cisco router to act as a DNS server. Hope this helps with your query!

Enable DNS Server

From the Global configuration mode, enable the DNS server on your Cisco Router

    ciscorouter# conf term

    ciscorouter(config)# ip dns server

Configure as Primary DNS Server

Configures the router as the primary DNS name server for a domain (zone) and as the start of authority (SOA) record source. Unless Distributed Director is enabled, the TTL on locally defined resource records will always be ten seconds.

    ciscorouter(config)# ip dns primary test.com soa ns.test.com postmaster.test.com

The above command configures the Cisco router as an authoritative primary DNS server for the domain "test.com", where ns.test.com is the primary DNS server and postmaster.test.com is the email account for the postmaster (read as postmaster@test.com).

Create NS Records

Create an NS resource record to be returned when the DNS server is queried for the associated domain. This configuration is needed only if the zone for which the system is authoritative will also be served by other name servers.

    ciscorouter(config)# ip host test.com ns ns.test.com

Regards

Ganesh.H

Hi, thanks for your replies. I am trying to configure a 3750 switch with IP Services IOS, but now I notice it is ver 12.2(35)SE5 and the guide you sent a link to is for IOS ver 12.4. My switch does not recognise the command IP DNS. Could it be because of the older IOS?

It could be, I am not sure, but the above commands are for making routers act as DNS servers.

Hope this helps

Regards

Ganesh.H

The ip dns server command is introduced in IOS 12.2(4)T, but not in the IOS 12.2SE.

http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_08.html#wp1011412

Regards,

jerry

Jerry,

Thanks for clarifying that. No wonder I could not find it in the 12.2SX version either.

Reza

RT01 of the head office

    hostname Router
    !
    ip dhcp excluded-address 192.168.105.2
    ip dhcp excluded-address 192.168.105.26
    ip dhcp excluded-address 192.168.105.34
    ip dhcp excluded-address 192.168.105.18
    ip dhcp excluded-address 192.168.105.33
    ip dhcp excluded-address 192.168.105.17
    ip dhcp excluded-address 192.168.105.25
    ip dhcp excluded-address 192.168.105.1
    ip dhcp excluded-address 192.168.105.41
    !
    ip dhcp pool Sales
     network 192.168.105.0 255.255.255.240
     default-router 192.168.105.1
    ip dhcp pool Finance
     network 192.168.105.24 255.255.255.248
     default-router 192.168.105.25
    ip dhcp pool Marketing
     network 192.168.105.16 255.255.255.248
     default-router 192.168.105.17
    ip dhcp pool Logistiek
     network 192.168.105.32 255.255.255.248
     default-router 192.168.105.33
    !
    ip cef
    no ipv6 cef
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
    !
    crypto isakmp key cisco123 address 200.10.10.17
    !
    crypto ipsec transform-set my-trans-set esp-3des esp-md5-hmac
    !
    crypto map mymap 1 ipsec-isakmp
     set peer 200.10.10.17
     set transform-set my-trans-set
     match address 101
    !
    spanning-tree mode pvst
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.10
     encapsulation dot1Q 10
     ip address 192.168.105.1 255.255.255.240
     ip access-group Sales out
    !
    interface FastEthernet0/0.20
     encapsulation dot1Q 20
     ip address 192.168.105.17 255.255.255.248
     ip access-group Marketing out
    !
    interface FastEthernet0/0.30
     encapsulation dot1Q 30
     ip address 192.168.105.25 255.255.255.248
     ip access-group Finance out
    !
    interface FastEthernet0/0.40
     encapsulation dot1Q 40
     ip address 192.168.105.33 255.255.255.248
     ip access-group Logistiek out
    !
    interface FastEthernet0/0.99
     encapsulation dot1Q 99
     ip address 192.168.105.41 255.255.255.248
    !
    interface FastEthernet0/1
     ip address 200.10.10.18 255.255.255.248
     duplex auto
     speed auto
     crypto map mymap
    !
    interface Vlan1
     no ip address
     shutdown
    !
    router rip
    !
    ip classless
    ip route 2.2.2.0 255.255.255.0 200.10.10.17
    ip route 10.10.10.0 255.255.255.0 200.10.10.17
    !
    ip flow-export version 9
    !
    ip access-list extended Sales
     permit udp any eq bootpc any eq bootps
     permit ip 192.168.105.40 0.0.0.7 192.168.105.0 0.0.0.15
     deny ip 192.168.105.16 0.0.0.7 192.168.105.0 0.0.0.15
     deny ip 192.168.105.24 0.0.0.7 192.168.105.0 0.0.0.15
     deny ip 192.168.105.32 0.0.0.7 192.168.105.0 0.0.0.15
     deny tcp any any eq www
     deny tcp any any eq 443
     permit ip any any
    ip access-list extended Marketing
     permit udp any eq bootpc any eq bootps
     permit ip 192.168.105.40 0.0.0.7 192.168.105.16 0.0.0.7
     deny ip 192.168.105.0 0.0.0.15 192.168.105.16 0.0.0.7
     deny ip 192.168.105.24 0.0.0.7 192.168.105.16 0.0.0.7
     deny ip 192.168.105.32 0.0.0.7 192.168.105.16 0.0.0.7
     deny tcp any any eq www
     deny tcp any any eq 443
     permit ip any any
    ip access-list extended Finance
     permit udp any eq bootpc any eq bootps
     permit ip 192.168.105.40 0.0.0.7 192.168.105.24 0.0.0.7
     deny ip 192.168.105.0 0.0.0.15 192.168.105.24 0.0.0.7
     deny ip 192.168.105.16 0.0.0.7 192.168.105.24 0.0.0.7
     deny ip 192.168.105.32 0.0.0.7 192.168.105.24 0.0.0.7
     deny tcp any any eq www
     deny tcp any any eq 443
     permit ip any any
    ip access-list extended Logistiek
     permit udp any eq bootpc any eq bootps
     permit ip 192.168.105.40 0.0.0.7 192.168.105.32 0.0.0.7
     deny ip 192.168.105.0 0.0.0.15 192.168.105.32 0.0.0.7
     deny ip 192.168.105.16 0.0.0.7 192.168.105.32 0.0.0.7
     deny ip 192.168.105.24 0.0.0.7 192.168.105.32 0.0.0.7
     deny tcp any any eq www
     deny tcp any any eq 443
     permit ip any any
    access-list 101 permit ip 192.168.105.0 0.0.0.255 10.10.10.0 0.0.0.255
    !
    line con 0
    !
    line aux 0
    !
    line vty 0 4
     login
    !
    end


RouterNET

    hostname Router
    !
    no ip cef
    no ipv6 cef
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
    !
    crypto isakmp key cisco123 address 200.10.10.18
    !
    crypto ipsec transform-set my-trans-set esp-3des esp-md5-hmac
    !
    crypto map mymap 1 ipsec-isakmp
     set peer 200.10.10.18
     set transform-set my-trans-set
     match address 101
    !
    spanning-tree mode pvst
    !
    interface FastEthernet0/0
     ip address 2.2.2.254 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     ip address 10.10.10.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface Ethernet0/0/0
     ip address 200.10.10.17 255.255.255.248
     duplex auto
     speed auto
     crypto map mymap
    !
    interface Vlan1
     no ip address
     shutdown
    !
    ip classless
    ip route 192.168.105.0 255.255.255.0 200.10.10.18
    !
    ip flow-export version 9
    !
    access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.105.0 0.0.0.255
    !
    line con 0
    !
    line aux 0
    !
    line vty 0 4
     login
    !
    end

VPN Tunnel

Phase 1

    crypto isakmp policy 1
     authentication pre-share
     encryption des
     group 2
     hash md5
    crypto isakmp key cisco123 address 200.10.10.17

Phase 2

    crypto ipsec transform-set my-trans-set esp-3des esp-md5-hmac

Access list

    access-list 101 permit ip 192.168.105.0 0.0.0.255 10.10.10.0 0.0.0.255

Create crypto map to apply to interface

    crypto map mymap 1 ipsec-isakmp
     set peer 200.10.10.18
     set transform-set my-trans-set
     match address 101

    interface fa0/1
     crypto map mymap

Troubleshooting

show crypto isakmp sa -> Phase 1

show crypto ipsec sa -> Phase 2

Verify / look up configuration

    show crypto isakmp policy
    show crypto ipsec transform-set
    show crypto map

Classless config

Router-BT:

    ip classless
    ip route 192.168.105.0 255.255.255.0 Ethernet0/0/0

Head office router:

    ip classless
    ip route 10.10.10.0 255.255.255.0 FastEthernet0/1
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/1


Configure NAT

    int f0/0.10
     ip nat inside

    int f0/1
     ip nat outside

    access-list 102 deny ip 192.168.105.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 102 permit ip 192.168.105.0 0.0.0.255 any

    ip nat pool mypool 200.10.10.19 200.10.10.19 netmask 255.255.255.248

    ip nat inside source list 102 pool mypool overload

  1. Subnet the IP range and configure.

| VLAN 10 - Sales (+16) | IP address | Subnet |
| --- | --- | --- |
| PRNSales | 192.168.5.2 | /28 |
| PC Sales 1 | 192.168.5.3 | /28 |
| VLAN Sub int. | 192.168.5.1 | /28 |

| VLAN 20 - Marketing (+16) | IP address | Subnet |
| --- | --- | --- |
| PRNMarketing | 192.168.5.18 | /29 |
| PC Marketing 1 | 192.168.5.19 | /29 |
| VLAN Sub int. | 192.168.5.17 | /29 |

| VLAN 30 - Finance (+8) | IP address | Subnet |
| --- | --- | --- |
| PRNFinance | 192.168.5.26 | /29 |
| PC Finance 1 | 192.168.5.27 | /29 |
| VLAN Sub int. | 192.168.5.25 | /29 |


  1. Configure VLANs on the switch and create subinterfaces on the router for all department VLANs.

Switch:
Add all VLANs to the VLAN database on the switch, then assign them to all interfaces, including the trunk port on the interface facing the router. This can be done easily via the Config tab of a switch.

Router RT01:
Configure subinterfaces on the router for each department VLAN.

    interface FastEthernet0/0.10
     encapsulation dot1Q 10
     ip address 192.168.105.1 255.255.255.240
     ip access-group Sales out

  1. Configure access lists for the departments. They must not be able to ping each other.
    Apply the access list to all computers of the departments so that they cannot ping each other. Keep the /28 and /29 wildcard masks in mind.

    ip access-list extended Sales
     permit udp any eq bootpc any eq bootps
     permit ip 192.168.105.40 0.0.0.7 192.168.105.0 0.0.0.15
     deny ip 192.168.105.16 0.0.0.7 192.168.105.0 0.0.0.15
     deny ip 192.168.105.24 0.0.0.7 192.168.105.0 0.0.0.15
     deny ip 192.168.105.32 0.0.0.7 192.168.105.0 0.0.0.15
     deny tcp any any eq www
     deny tcp any any eq 443
     permit ip any any

  1. Configure DHCP for the department computers.

First exclude everything.
Then

  1. Configure a VPN tunnel for the traffic between the routers.

  1. Configure DNS on the DNS server
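
An audit of the IKE/IPsec settings shown in the post above, as an added example that is not part of the original post: it flags the DES/3DES ciphers, the MD5 hashes, the small Diffie-Hellman group and the clear-text pre-shared key. The rule set, the function name `audit` and the sample excerpt are assumptions of this example.

```python
import re

# Constructed excerpt: IKE/IPsec lines of the lab config posted above, with
# "encryption des" and "group 2" taken from its VPN tunnel notes.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 200.10.10.17
crypto ipsec transform-set my-trans-set esp-3des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp
 set transform-set my-trans-set
"""

# Rule set chosen for this example (an assumption, not a Cisco tool).
POLICY_RULES = [
    (r"encryption (des|3des)$", "weak phase 1 cipher: {}"),
    (r"hash (md5)$", "weak phase 1 hash: {}"),
    (r"group (1|2|5)$", "phase 1 DH group {} is 1536 bits or smaller"),
]
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
# A key stored as type 6 (encrypted) is not reported; the key itself is never echoed.
PSK = re.compile(r"crypto isakmp key (?!6 )(?:0 )?\S+ address (\S+)")


def audit(config):
    """Return (line number, finding) pairs for weak IKE/IPsec settings."""
    findings, in_policy = [], False
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip().lower()
        if not raw.startswith(" "):  # top-level command: a new block starts
            in_policy = line.startswith("crypto isakmp policy")
        elif in_policy:  # indented sub-command of an ISAKMP policy
            for pattern, message in POLICY_RULES:
                match = re.match(pattern, line)
                if match:
                    findings.append((number, message.format(match.group(1))))
        if line.startswith("crypto ipsec transform-set"):
            for name in line.split()[4:]:  # the words after the set name
                if name in WEAK_TRANSFORMS:
                    findings.append((number, f"weak phase 2 transform: {name}"))
        peer = PSK.match(line)
        if peer:
            findings.append((number, f"clear-text pre-shared key for peer {peer.group(1)}"))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_CONFIG):
        print(f"line {number}: {finding}")
```

The policy rules rely on IOS-style indentation of sub-commands, so run it on a saved configuration with the leading spaces intact.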