Complete Enterprise Network Implementation
You will implement a full enterprise network: VLAN segmentation, inter-VLAN routing, DHCP and DNS services, and ACL-based access control. By the end every segment has the connectivity it needs and nothing more.
Learning Objectives
- Design and configure VLANs with inter-VLAN routing.
- Provide DHCP and DNS to each segment.
- Enforce least-privilege flows with ACLs.
- Time: ~18 hours · Difficulty: Advanced · Prereqs: the VLAN, routing, DHCP, DNS, and ACL labs.
Architecture Overview
graph TD
Core[L3 Switch / Router] --> V10[VLAN 10 Users]
Core --> V20[VLAN 20 Servers]
Core --> V30[VLAN 30 Guest]
V20 --> Svc[DHCP + DNS]
Core --> ACL[ACLs between VLANs]
Environment Setup
- A managed switch/router (or emulator) and Linux service VMs.
- An addressing plan with non-overlapping subnets per VLAN.
- A defined inter-VLAN access policy.
Step-by-Step Execution
01
Create VLANs and SVIs
vlan 10,20,30 ; interface vlan 20 ; ip address 10.0.20.1 255.255.255.002
Provide DHCP and DNS
systemctl enable --now isc-dhcp-server named03
Apply inter-VLAN ACLs
# show access-lists GUEST-DENY
10 deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255 (44 matches)
20 permit ip any any
Progress So Far
graph LR
A[01 VLANs + routing] -->|done| B[02 DHCP/DNS]
B -->|done| C[03 ACLs]
style A fill:#1a4a1a,stroke:#00ff00,color:#fff
style B fill:#1a4a1a,stroke:#00ff00,color:#fff
style C fill:#1a4a1a,stroke:#00ff00,color:#fff
Testing & Validation
ping -c2 10.0.20.10 && dig @10.0.20.2 srv.lab +shortUsers should reach servers and resolve names, while guests are denied access to the server VLAN. That confirms connectivity plus segmentation.
Troubleshooting
- No inter-VLAN traffic: enable IP routing and verify SVIs are up.
- DHCP not reaching a VLAN: add an ip-helper/relay on the gateway.
- ACL blocks everything: remember the implicit deny; add the needed permit.
Extension Ideas
- Add SDN control as in SDN Implementation.
- Automate device config with Network Services Automation.
- Add monitoring and NetFlow for visibility.
Key Results
- Segmented the network into 3 VLANs with routing.
- Delivered DHCP and DNS to every segment.
- Enforced least-privilege flows with audited ACLs.
- Validated connectivity and isolation per policy.