cargex
asked on
Cisco 3750 Stack. DHCP Service for private VLAN.
Hi Guys,
I need Cisco iOS commands for the following setup. (I have a Cisco 3750 Stack).
Configure one port to access two vlans. (VLAN 1 and VLAN 60).
Create DHCP pool to give IP addresses to ONLY one of these vlans (lets use VLAN 60)
Give access to the traffic of the VLAN 60 only to one other port where the firewall is connected.
Currently all my VLANs have routing capabilities to exchange traffic among them but I would like this VLAN 60 to be able to find the firewall only.
Thanking you in advance.
I need Cisco iOS commands for the following setup. (I have a Cisco 3750 Stack).
Configure one port to access two vlans. (VLAN 1 and VLAN 60).
Create DHCP pool to give IP addresses to ONLY one of these vlans (lets use VLAN 60)
Give access to the traffic of the VLAN 60 only to one other port where the firewall is connected.
Currently all my VLANs have routing capabilities to exchange traffic among them but I would like this VLAN 60 to be able to find the firewall only.
Thanking you in advance.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Sorry, but this just makes for more questions.
Is there only one port (and device) in VLAN 1? If so, a simple ACL will accomplish this. But if there are other ports in VLAN 1, then the question is: how many devices are in VLAN 1 that you trying to block access to? How are allowed to have access?
Can you post a topology diagram?
Is there only one port (and device) in VLAN 1? If so, a simple ACL will accomplish this. But if there are other ports in VLAN 1, then the question is: how many devices are in VLAN 1 that you trying to block access to? How are allowed to have access?
Can you post a topology diagram?
ASKER
Hi Don,
Sorry for the delay.
Basically all the ports are part of VLAN1.
The reason why I need to configure a port to access two vlans (VLAN1 and VLAN60) is because this device will be generating traffic for both, and I can configure that device to do so, but all needs to happen through one single port in the Cisco Stack.
Sorry for the delay.
Basically all the ports are part of VLAN1.
The reason why I need to configure a port to access two vlans (VLAN1 and VLAN60) is because this device will be generating traffic for both, and I can configure that device to do so, but all needs to happen through one single port in the Cisco Stack.
The only way for a Cisco switch port to handle traffic from more than one VLAN is with a trunk. Can the other device be configured as a trunk (AKA "tagged")?
ASKER
Yes I can tag the traffic with the VLAN number in the device.
So basically going back to the code you gave me earlier we have the following configuration:
interface Gi1/0/34
interface mode trunk
interface trunk allowed vlan 1,60
And that would allow only traffic from those two vlans.
Is this code correct?
Note: I was confused because I thought that trunk was to allowed traffic from all vlans.
So basically going back to the code you gave me earlier we have the following configuration:
interface Gi1/0/34
interface mode trunk
interface trunk allowed vlan 1,60
And that would allow only traffic from those two vlans.
Is this code correct?
Note: I was confused because I thought that trunk was to allowed traffic from all vlans.
And that would allow only traffic from those two vlans.Not exactly. It's "switchport mode trunk" and "switchport trunk allowed vlan 1,60"
Is this code correct?
Note: I was confused because I thought that trunk was to allowed traffic from all vlans.By default, it does. But the "switchport trunk allowed vlan 1,60" restricts the VLANs allowed on the trunk to just 1 and 60.
ASKER
And the encapsulation for trunk?
ASKER
I'm getting the following error
3750_Stack(config-if)#swit
3750_Stack(config-if)#swit
3750_Stack(config-if)#swit
^
% Invalid input detected at '^' marker.
Basically it doesn't like the switchport trunk vlan 1,60
what is missing?
3750_Stack(config-if)#swit
3750_Stack(config-if)#swit
3750_Stack(config-if)#swit
^
% Invalid input detected at '^' marker.
Basically it doesn't like the switchport trunk vlan 1,60
what is missing?
switchport trunk allowed vlan 1,60
ASKER
Ok, I have finished the port configuration as per your instructions.
!
interface GigabitEthernet3/0/34
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,60
switchport mode trunk
spanning-tree portfast
!
I will test the device connectivity in both vlans tomorrow morning.
!
interface GigabitEthernet3/0/34
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,60
switchport mode trunk
spanning-tree portfast
!
I will test the device connectivity in both vlans tomorrow morning.
ASKER
In regards to the DHCP configuration.
ip dhcp pool WNYW
network 192.168.60.0/24
default-router 192.168.60.1
How do I know that this DHCP pool will give away IP addresses only to the devices connected to VLAN60???
ip dhcp pool WNYW
network 192.168.60.0/24
default-router 192.168.60.1
How do I know that this DHCP pool will give away IP addresses only to the devices connected to VLAN60???
Because the only place that will request addresses in that range are on VLAN 60.
ASKER
Thank you very much Don, your help is greatly appreciated.
Note:
For those of you that find this to answer your questions please read the full exchange of comments.
Note:
For those of you that find this to answer your questions please read the full exchange of comments.
ASKER
The setup is like this.
I have everybody in VLAN1 (including the firewall).
Actually the port is part of VLAN1, so both ports, where the traffic is originating and where the firewall is connected they both have access to VLAN1.
I have some other ports available in the firewall, so you think that the solution would be to connect a second port of the firewall to a port that has access to VLAN60 and use that connection for all the VLAN60 traffic?