CISCO 3750G VLAN配置实例

网络环境：防火墙->3750G->VLAN->PC

目的：3750G上按端口划分VLAN，各VLAN间可互访、可上外网，各VLAN的PC由Windows 2003 Server的DHCP分配。为测试只设了三个VLAN，多个VLAN也同样划分即可。

参数：3750G上，VLAN1 IP：123.123.0.11, VLAN2 IP：192.168.0.254, VLAN3 IP：192.168.2.254

2003 Server 位于VLAN1  IP：123.123.0.4、网关：123.123.0.11

防火墙内网卡IP：123.123.0.254

3750G中端口VLAN划分、IP地址指定、VLAN路由、默认网关、静态路由等大多数参数都可以用CISCO Network Assistant管理工具来设置，但启用DHCP功能，DHCP中继、指定DHCP服务器地址、VLAN的ip helper-address地址(红色部分)需进入终端管理中设置。 DHCP服务器中，在DHCP中增加123.123.0.0、192.168.0.0、192.168.2.0三个作用域，并分别设置好分配给PC的路由为各VLAN IP，DNS为外网的DNS。 注意：DHCP的网关必须是所在VLAN的IP地址；防火墙中增加123.123.0.0  0.0.0.0、192.168.0.0  0.0.0.0的回指路由，增加123.123.0.0、192.168.0.0的上网NAT设置等让该网段可上网，

具体配置如下:

show run

Building configuration...

 

Current configuration : 3334 bytes

!

version 12.2

service config

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Switch3750G

!

enable secret 5 $1$Imhn$8cgG7/eYcVQhnSzDFt1x10

!

no aaa new-model

switch 1 provision ws-c3750g-24ts-1u

system mtu routing 1500

ip subnet-zero

ip routing                                                         ；启用IP路由功能，使VLAN间能互访

ip dhcp relay information trust-all     ；启用DHCP转发功能，配置时需在终端中执行Service DHCP打开DHCP功能

!

ip dhcp-server 123.123.0.4                        ；指定外部DHCP服务器地址

!

!

no file verify auto

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

GigabitEthernet1/0/1

 switchport access vlan 2

 switchport mode access

 switchport port-security

 switchport port-security aging time 2

 switchport port-security violation restrict

 switchport port-security aging type inactivity

 macro description cisco-desktop

 spanning-tree portfast

 spanning-tree bpduguard enable

!

interface GigabitEthernet1/0/2

 switchport mode access

 spanning-tree portfast

!

switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/4

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/5

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/6

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/7

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/8

 switchport mode access

 spanning-tree portfast

interface GigabitEthernet1/0/9

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/10

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/11

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/12

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/13

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/14

 switchport mode access

!

interface GigabitEthernet1/0/15

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/16

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/17

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/18

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/19

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/20

spanning-tree portfast

!

interface GigabitEthernet1/0/21

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/22

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/23

 switchport access vlan 3

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/24

 switchport mode access

 spanning-tree portfast

!

interface GigabitEthernet1/0/25

!

interface GigabitEthernet1/0/26

interface GigabitEthernet1/0/27

!

interface GigabitEthernet1/0/28

!

interface Vlan1                                     ；VLAN1定义

 ip address 123.123.0.11 255.255.255.0

!

interface Vlan2                                     ；VLAN1定义

 ip address 192.168.0.254 255.255.255.0

 ip helper-address 123.123.0.4

!

interface Vlan3                                     ；VLAN1定义

 ip address 192.168.2.254 255.255.255.0

 ip helper-address 123.123.0.4

!

router rip

!

ip default-gateway 123.123.0.254           ；网络网关地址，外网路由器的内网卡地址

ip classless

ip route 0.0.0.0 0.0.0.0 123.123.0.254   ；上外网的静态路由

ip http server

!

!

!

!

line con 0

line vty 0 4

 password 

login

 length 0

line vty 5 15

 password

 login

 length 0

!

end

 

Switch3750G#

CCIE Security 2009 IOS防火墙合集