Cisco vlan setup w a windows 2003 dhcp server help

May 13th, 2007

Can anyone give me some tips or point me to some documentation on setting up a catalyst 4500 series w vlans and a windows 2003 server w associated dhcp scopes? Just for curiosity, what is a good vlan design for a college. I was thinking a student, a staff, a faculty, and a guest and or mgmt vlan. Also, on the guest vlan how would I setup an outbound acl to only allow port 80 traffic? Thanks in advance.

Jon Marshall Sun, 05/13/2007 - 23:02

Hi

Try to limit the number of users per vlan to no more than a class C subnet if you can. We use half a class C /25 network in our offices.

If you can break up the vlans to match the different types of users then that would be a good start. It means you can, further down the line, apply different security policies to the different vlans, which in your situation you may well want to do. Don't worry if, for example, you need to use 2 or 3 vlans for students; it's not a problem.

Attached is a link for 4500 configuration. You need to look at the following chapters primarily

1) Configuring VLANs, VTP & VMPS.

2) Configuring Layer 3 interfaces. Look at the section on logical layer 3 SVIs.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/conf.html

On the guest vlan you would need something like (assuming the guest vlan subnet range is 192.168.1.0/24)

access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq www

access-list 120 deny ip 192.168.1.0 0.0.0.255 any

and apply it inbound on the vlan interface, i.e. if your vlan for guest users is vlan 20

switch(config)# interface vlan 20

switch(config-if)# ip access-group 120 in

As for the W2003 server, I have not done much with Windows. You will need DHCP manager, which should be under admin tools. Make sure you exclude the addresses for each subnet that you allocate to the 4500 layer 3 interfaces, i.e.

switch(config)# interface vlan 20

switch(config-if)# ip address 192.168.1.1 255.255.255.0

In your DHCP scope 192.168.1.1 will be the default gateway for your clients and you should exclude this from the scope.

Hope this is enough to get you started

Jon

rhopkins_nci Mon, 05/14/2007 - 06:23

Hey Jon, thanks for all the info. Do I need an ip helper address for the various vlans to find the vlan that the dhcp server is on and the internet interface/vlan? How does the dhcp server know what ip subnet to give the nodes on the different vlans? Thanks again.

Correct Answer
Jon Marshall Mon, 05/14/2007 - 06:29

Hi

Yes you will need an ip helper-address on each client vlan pointing to the DHCP server.

The router knows the interface the DHCP request came in on so when it turns the broadcast from the client into a unicast to the DHCP server it uses the IP address of the vlan interface it came in on.

HTH

Jon
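The guest ACL above relies on Cisco wildcard masks, where a 0 bit means "this address bit must match" and a 1 bit means "don't care", which is the inverse of a subnet mask. The following is an added example (not Jon's configuration and not IOS code) that models how the switch evaluates access-list 120 against traffic from a constructed guest host, using a hypothetical minimal Ace/evaluate model, so that the difference between the correct wildcard 0.0.0.255 and a subnet mask typed in its place is visible.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical minimal model of one extended ACL entry (not IOS itself).
@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                # source network, e.g. "192.168.1.0"
    wildcard: str           # IOS wildcard: 0 bit = must match, 1 bit = don't care
    dport: Optional[int] = None  # destination port; None = any port

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """True when every bit that is 0 in the wildcard is equal in addr and net."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl: List[Ace], proto: str, src: str, dport: int) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, ace.src, ace.wildcard):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit "deny ip any any"

# The guest ACL from the thread with the correct wildcard for a /24.
GUEST_ACL = [
    Ace("permit", "tcp", "192.168.1.0", "0.0.0.255", 80),
    Ace("deny", "ip", "192.168.1.0", "0.0.0.255"),
]

# The same two lines with a subnet mask (255.255.255.0) typed where the wildcard goes.
GUEST_ACL_SUBNET_MASK = [
    Ace("permit", "tcp", "192.168.1.0", "255.255.255.0", 80),
    Ace("deny", "ip", "192.168.1.0", "255.255.255.0"),
]

def check_guest_host(acl: List[Ace], src: str = "192.168.1.57") -> dict:
    """Constructed guest host sending web, TLS and DNS traffic out of the vlan."""
    return {
        "http": evaluate(acl, "tcp", src, 80),
        "https": evaluate(acl, "tcp", src, 443),
        "dns": evaluate(acl, "udp", src, 53),
    }
```

With the subnet mask in the wildcard field neither entry matches a real guest host (only addresses ending in .0 would), so the implicit deny drops even the port 80 traffic. The corrected ACL also denies DNS and HTTPS from guests, which is exactly what was asked for but worth knowing before clients start complaining.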
