---- Edge ----

1- Create all the 4 VLANs:

    (config)# vlan 100 ip address 172.16.0.2 255.255.0.0
    (config)# vlan 200 ip address 192.168.0.2 255.255.255.0
    (config)# vlan 300 ip address 10.0.0.2 255.255.254.0
    (config)# vlan 400 ip address 172.16.0.2 255.255.255.0

2- Enable the default gateway. It should be the Vlan100 IP address on the routing switch (switch1), because this edge switch needs an external router to route between its VLANs:

    (config)# ip default-gateway 172.16.0.22

3- Untag all the ports on this edge switch that will connect to workstations, every port with its corresponding VLAN:

    (config)# vlan 200 untag 5    --- this will untag port 5 to be used for a PC in Vlan200.

4- Tag the uplink port that connects this switch to the core switch 5308 (switch1) with all VLANs other than Vlan100, which should be untagged. For example, if you connect this switch to the core using port 1:

    (config)# vlan 100 untagged 1
    (config)# vlan 200 tag 1
    (config)# vlan 300 tag 1
    (config)# vlan 400 tag 1

5- Repeat these steps for all edge switches.

6- A PC under Vlan200 will have IP 192.168.0.5 255.255.255.0; its gateway is the Vlan200 IP address on the routing switch or the core (switch1): gw 192.168.0.1. And so on ....

----------------------------------------------------------------------------------------------------

---- Core ----

1- Create all the 4 VLANs:

    (config)# vlan 100 ip address 172.16.0.2 255.255.0.0
    (config)# vlan 200 ip address 192.168.0.1 255.255.255.0
    (config)# vlan 300 ip address 10.0.0.1 255.255.254.0
    (config)# vlan 400 ip address 172.16.0.1 255.255.255.0

2- Enable IP routing between all VLANs:

    (config)# ip routing

3- Enable the route to the Internet:

    (config)# ip route 0.0.0.0 0.0.0.0 172.16.0.254

4- Tag the ports coming from each edge with all VLANs except Vlan100, which should be untagged. Let's say port C1 is connecting to Edge1, then:

    (config)# vlan 100 untagged C5    --- on both sides between edge/core, this port is untagged for Vlan100
    (config)# vlan 200 tag C5
    (config)# vlan 300 tag C5
    (config)# vlan 400 tag C5

5- Repeat this untagging/tagging for all uplink ports that connect each edge switch to the core.

6- Untag the ports going to the Internet router and to all the servers & services with Vlan100:

    (config)# vlan 100 untagged C6
    (config)# vlan 100 untagged C7
    (config)# vlan 100 untagged C8

7- At this stage, if you also do the Internet Router configuration section (below), all the VLANs can route between each other, and they can access the Internet and the servers as well.

8- Security access for VLANs: create access control lists to deny access to Vlan100, 200, 300 and 400 from the other VLANs, except for access to the servers or the Internet:

----VLAN100----

    (config)# access-list 100 permit ip any host 172.16.0.x      --- Permit Server1
    (config)# access-list 100 permit ip any host 172.16.0.y      --- Permit Server2
    (config)# access-list 100 deny ip 192.168.0.1 0.0.0.255 any  --- deny Vlan200
    (config)# access-list 100 deny ip 10.0.0.1 0.0.1.255 any     --- deny Vlan300
    (config)# access-list 100 deny ip 172.16.0.1 0.0.0.255 any   --- deny Vlan400
    (config)# access-list 100 permit ip any any                  --- permit other traffic
    (config)# vlan 100 ip access-group 100 in                    --- apply ACL 100 to Vlan100

----VLAN200----

    (config)# access-list 200 permit ip host 172.16.0.x any      --- Permit Server1
    (config)# access-list 200 permit ip host 172.16.0.y any      --- Permit Server2
    (config)# access-list 200 deny ip 172.16.0.21 0.0.255.255 any --- deny Vlan100
    (config)# access-list 200 deny ip 10.0.0.1 0.0.1.255 any     --- deny Vlan300
    (config)# access-list 200 deny ip 172.16.0.1 0.0.0.255 any   --- deny Vlan400
    (config)# access-list 200 permit ip any any                  --- permit other traffic
    (config)# vlan 200 ip access-group 200 in                    --- apply ACL 200 to Vlan200

----VLAN300----

    (config)# access-list 300 permit ip host 172.16.0.x any      --- Permit Server1
    (config)# access-list 300 permit ip host 172.16.0.y any      --- Permit Server2
    (config)# access-list 300 deny ip 172.16.0.21 0.0.255.255 any --- deny Vlan100
    (config)# access-list 300 deny ip 192.168.0.1 0.0.0.255 any  --- deny Vlan200
    (config)# access-list 300 deny ip 172.16.0.1 0.0.0.255 any   --- deny Vlan400
    (config)# access-list 300 permit ip any any                  --- permit other traffic
    (config)# vlan 300 ip access-group 300 in                    --- apply ACL 300 to Vlan300

----VLAN400----

    (config)# access-list 400 permit ip host 172.16.0.x any      --- Permit Server1
    (config)# access-list 400 permit ip host 172.16.0.y any      --- Permit Server2
    (config)# access-list 400 deny ip 172.16.0.21 0.0.255.255 any --- deny Vlan100
    (config)# access-list 400 deny ip 192.168.0.1 0.0.0.255 any  --- deny Vlan200
    (config)# access-list 400 deny ip 10.0.0.1 0.0.1.255 any     --- deny Vlan300
    (config)# access-list 400 permit ip any any                  --- permit other traffic
    (config)# vlan 400 ip access-group 400 in                    --- apply ACL 400 to Vlan400

9- Now the core switch is ready and will deny the VLANs access to each other, except for the Internet router and the servers.

----------------------------------------------------------------------------------------------------

--------------- Internet Router ---------------

You have to give every VLAN its way back to the core from this router, so you have to add 4 static routes on this router, one for each VLAN. The command is: ip route network mask gateway. The gateway for all VLANs is the Default_Vlan (vlan1) IP address:

    (config)# ip route 192.168.10.0 255.255.255.0 172.16.0.2  - Route to Default_Vlan1
    (config)# ip route 192.168.0.0 255.255.255.0 172.16.0.2   - Route to Vlan200
    (config)# ip route 10.0.0.0 255.255.254.0 172.16.0.2      - Route to Vlan300
    (config)# ip route 172.16.0.0 255.255.255.0 172.16.0.2    - Route to Vlan400

----------------------------------------------------------------------------------------------------
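The ACLs above rely on wildcard masks and first-match order, so before applying them it is worth checking which entry a given packet actually hits. The following Python script is an added example, not part of the original post: it evaluates ACL 200 against sample flows as they would arrive inbound on Vlan200. The Server1/Server2 addresses 172.16.0.10 and 172.16.0.11 are constructed placeholders for the post's 172.16.0.x and 172.16.0.y.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str
    note: str = ""


def _match(spec, addr):
    """Match one address against an ACE address spec using wildcard-mask semantics."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_address(parts[1]) == ipaddress.ip_address(addr)
    base, wildcard = (int(ipaddress.ip_address(p)) for p in parts)
    # Bits set in the wildcard mask are "don't care"; all other bits must equal the base.
    return ((int(ipaddress.ip_address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(acl, src, dst):
    """Return (action, index) of the first ACE matching the flow; implicit deny if none."""
    for i, ace in enumerate(acl):
        if _match(ace.src, src) and _match(ace.dst, dst):
            return ace.action, i
    return "deny", None


# ACL 200 from the post; 172.16.0.10 / .11 are constructed stand-ins for Server1 / Server2.
ACL_200 = [
    Ace("permit", "host 172.16.0.10", "any", "Permit Server1"),
    Ace("permit", "host 172.16.0.11", "any", "Permit Server2"),
    Ace("deny", "172.16.0.21 0.0.255.255", "any", "deny Vlan100"),
    Ace("deny", "10.0.0.1 0.0.1.255", "any", "deny Vlan300"),
    Ace("deny", "172.16.0.1 0.0.0.255", "any", "deny Vlan400"),
    Ace("permit", "any", "any", "permit other traffic"),
]

if __name__ == "__main__":
    # Constructed sample flows: two sourced from a Vlan200 PC, one from a Vlan300 host.
    for src, dst in [("192.168.0.5", "172.16.0.10"), ("192.168.0.5", "10.0.0.7"), ("10.0.0.7", "192.168.0.5")]:
        action, idx = evaluate(ACL_200, src, dst)
        hit = ACL_200[idx].note if idx is not None else "implicit deny"
        print(f"{src} -> {dst}: {action} ({hit})")
```

Because "ip access-group 200 in" filters traffic entering the switch from Vlan200, the sources it sees are Vlan200 addresses; the run shows which of the deny entries can match in that direction and which only match traffic sourced from other VLANs.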