You will implement a full enterprise network: VLAN segmentation, inter-VLAN routing, DHCP and DNS services, and ACL-based access control. By the end every segment has the connectivity it needs and nothing more.

Learning Objectives

  • Design and configure VLANs with inter-VLAN routing.
  • Provide DHCP and DNS to each segment.
  • Enforce least-privilege flows with ACLs.
  • Time: ~18 hours · Difficulty: Advanced · Prereqs: the VLAN, routing, DHCP, DNS, and ACL labs.

Architecture Overview

Environment Setup

  • A managed switch/router (or emulator) and Linux service VMs.
  • An addressing plan with non-overlapping subnets per VLAN.
  • A defined inter-VLAN access policy.

Step-by-Step Execution

01
Create VLANs and SVIs
vlan 10,20,30 ; interface vlan 20 ; ip address 10.0.20.1 255.255.255.0
02
Provide DHCP and DNS
systemctl enable --now isc-dhcp-server named
03
Apply inter-VLAN ACLs
# show access-lists GUEST-DENY
10 deny ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255 (44 matches) 20 permit ip any any

Progress So Far

Testing & Validation

ping -c2 10.0.20.10 && dig @10.0.20.2 srv.lab +short

Users should reach servers and resolve names, while guests are denied access to the server VLAN. That confirms connectivity plus segmentation.

Troubleshooting
  • No inter-VLAN traffic: enable IP routing and verify SVIs are up.
  • DHCP not reaching a VLAN: add an ip-helper/relay on the gateway.
  • ACL blocks everything: remember the implicit deny; add the needed permit.

Extension Ideas

Key Results

  • Segmented the network into 3 VLANs with routing.
  • Delivered DHCP and DNS to every segment.
  • Enforced least-privilege flows with audited ACLs.
  • Validated connectivity and isolation per policy.