Cisco vlan setup with a windows 2003 dhcp server help

Answered Question
May 13th, 2007

Can anyone give me some tips or point me to some documentation on setting up a catalyst 4500 series with vlans and a windows 2003 server with associated dhcp scopes? Just for curiosity, what is a good vlan design for a college? I was thinking a student, a staff, a faculty, and a guest and/or mgmt vlan. Also, on the guest vlan, how would I set up an outbound acl to only allow port 80 traffic? Thanks in advance.

Jon Marshall Sun, 05/13/2007 - 23:02

Hi


Try to limit the number of users per vlan to no more than a class C subnet if you can. We use half a class C /25 network in our offices.


If you can break up the vlans to match the different types of users then that would be a good start. It means you can, further down the line, apply different security policies to the different vlans, which in your situation you may well want to do. Don't worry if, for example, you need to use 2 or 3 vlans for students; it's not a problem.


Attached is a link for 4500 configuration. You need to look at the following chapters primarily:


1) Configuring VLANs, VTP & VMPS.

2) Configuring Layer 3 interfaces. Look at the section on logical layer 3 SVIs.


http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/conf.html



On the guest vlan you would need something like this (assuming the guest vlan subnet range is 192.168.1.0/24; IOS extended ACLs take a wildcard mask, so /24 is written 0.0.0.255):


access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq www

access-list 120 deny ip 192.168.1.0 0.0.0.255 any


and apply it inbound on the vlan interface (the SVI), i.e. if your vlan for guest users is vlan 20:


switch(config)# interface vlan 20

switch(config-if)# ip access-group 120 in


As for the W2003 server, I have not done much with windows. You will need DHCP manager, which should be under admin tools. Make sure you exclude the addresses for each subnet that you allocate to the 4500 layer 3 interfaces, i.e.


switch(config)# interface vlan 20

switch(config-if)# ip address 192.168.1.1 255.255.255.0


In your DHCP scope 192.168.1.1 will be the default gateway for your clients and you should exclude this from the scope.


Hope this is enough to get you started.


Jon


rhopkins_nci Mon, 05/14/2007 - 06:23

Hey Jon, thanks for all the info. Do I need an ip helper address for the various vlans to find the vlan that the dhcp server is on and the internet interface/vlan? How does the dhcp server know what ip subnet to give the nodes on the different vlans? Thanks again.

Correct Answer
Jon Marshall Mon, 05/14/2007 - 06:29

Hi


Yes you will need an ip helper-address on each client vlan pointing to the DHCP server.


The router knows the interface the DHCP request came in on so when it turns the broadcast from the client into a unicast to the DHCP server it uses the IP address of the vlan interface it came in on.


HTH


Jon
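Putting the ACL, SVI and ip helper-address advice from Jon's two replies together as one guest-VLAN configuration for the Catalyst 4500 (an added example, not from the thread). Assumed values: guest vlan 20, subnet 192.168.1.0/24 with .1 as the gateway, and a DHCP server at 10.0.0.10 on the server vlan, which is a constructed placeholder. It also permits the guests' own DHCP and DNS traffic, which a port-80-only ACL would otherwise block so that clients could neither get a lease nor resolve names.

```cisco
! Added example, not from the thread: one complete guest VLAN configuration
! for the Catalyst 4500 that combines the ACL, SVI and helper-address steps.
! Assumed values: guest VLAN 20, subnet 192.168.1.0/24 with .1 as gateway,
! DHCP server 10.0.0.10 on the server VLAN (constructed placeholder).
!
! IOS extended ACLs take wildcard masks (0.0.0.255), not subnet masks.
! A port-80-only ACL also blocks the guests' own DHCP and DNS traffic,
! so those are permitted before the catch-all deny; "log" on the deny
! records what guest clients tried to reach and were refused.
access-list 120 remark --- guest VLAN inbound filter ---
access-list 120 permit udp any eq bootpc any eq bootps
access-list 120 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 120 deny ip any any log
!
vlan 20
 name GUEST
!
interface Vlan20
 description Guest users
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip access-group 120 in
!
! On the Windows DHCP server, exclude 192.168.1.1 from the 192.168.1.0/24
! scope, since the gateway address belongs to this SVI, and set it as the
! router option for that scope.
```

The relay fills in the giaddr field with 192.168.1.1, which is how the Windows server picks the 192.168.1.0/24 scope for requests arriving from this vlan.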
