
Step-by-Step Switch and Firewall Configuration Guide (VLAN, DHCP, NAT, and Routing)

This guide provides detailed commands to configure a switch for user access VLANs, set up a firewall as both a layer‑3 and layer‑2 device with VLAN interfaces, DHCP/DNS, security zones, static routing, and NAT to enable internal users to reach external networks.


Switch configuration (2 steps): Step 1 – Create the user access VLANs and assign the access ports:

vlan batch 2 3
interface gigabitethernet0/0/2
port link-type access
port default vlan 2
quit
interface gigabitethernet0/0/3
port link-type access
port default vlan 3
quit

Step 2 – Configure the uplink to the firewall as a trunk carrying both VLANs:

interface gigabitethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 3
quit

Firewall as a layer‑3 device (5 steps): Step 1 – Create sub‑interfaces:

vlan batch 2 3
interface gigabitethernet0/0/1.1
vlan-type dot1q 2
ip address 192.168.1.1 24
quit
interface gigabitethernet0/0/1.2
vlan-type dot1q 3
ip address 192.168.2.1 24
quit

Step 2 – Enable DHCP and DNS:

dhcp enable
interface gigabitethernet0/0/1.1
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
quit
interface gigabitethernet0/0/1.2
dhcp select interface
dhcp server dns-list 114.114.114.114 223.5.5.5
quit

Step 3 – Configure security zones and default policy (the default packet filter below permits all interzone traffic; replace it with explicit interzone policies before production use):

firewall zone trust
add interface gigabitethernet0/0/1
add interface gigabitethernet0/0/1.1
add interface gigabitethernet0/0/1.2
quit
firewall zone untrust
add interface gigabitethernet0/0/2
quit
firewall packet-filter default permit all

Step 4 – Configure public interface IP and static route:

interface gigabitethernet0/0/2
ip address 200.0.0.2 255.255.255.0
quit
ip route-static 0.0.0.0 0.0.0.0 200.0.0.1

Step 5 – Enable NAT for outbound traffic:

nat address-group 1 200.0.0.2 200.0.0.2
nat-policy interzone trust untrust outbound
policy 1
policy source 192.168.0.0 0.0.255.255
action source-nat
address-group 1
quit

Firewall as a layer‑2 device using VLANIF (5 steps): Step 1 – Create VLANIF interfaces:

vlan batch 2 3
interface gigabitethernet0/0/1
portswitch
port link-type trunk
port trunk allow-pass vlan 2 3
quit
interface vlanif 2
ip address 192.168.1.1 24
quit
interface vlanif 3
ip address 192.168.2.1 24
quit

Step 2 – Enable DHCP and DNS on VLANIFs (same commands as above, applied to vlanif 2 and 3).

Step 3 – Configure zones and default policy (same as layer‑3 steps, using vlanif interfaces).

Step 4 – Configure public interface IP and static route (same as layer‑3 step 4).

Step 5 – Configure NAT for outbound traffic (same as layer‑3 step 5).
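A consistency check for either firewall variant above (sub-interfaces or VLANIFs), added here as an example and not part of the original guide: it parses the zone and NAT blocks of the configuration listing and reports any layer-3 interface that was left out of a security zone or whose subnet falls outside the source-NAT policy scope. The sample configuration embedded below is constructed from this guide's layer-3 commands; the `blocks` and `audit` function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the zone and NAT commands from this guide's layer-3 firewall section.
FIREWALL_CFG = """interface gigabitethernet0/0/1.1
vlan-type dot1q 2
ip address 192.168.1.1 24
quit
interface gigabitethernet0/0/1.2
vlan-type dot1q 3
ip address 192.168.2.1 24
quit
firewall zone trust
add interface gigabitethernet0/0/1.1
add interface gigabitethernet0/0/1.2
quit
nat-policy interzone trust untrust outbound
policy source 192.168.0.0 0.0.255.255
action source-nat
quit"""

def blocks(cfg):
    """Split a command listing into (header, body_lines) pairs at each 'quit'."""
    for chunk in cfg.split("quit"):
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        if lines:
            yield lines[0], lines[1:]

def audit(cfg):
    """Return findings for addressed interfaces (sub-interfaces or VLANIFs) that lack a
    zone or fall outside the source-NAT scope; an empty list means the config is consistent."""
    addressed, zoned, nat_src, findings = {}, set(), [], []
    for header, body in blocks(cfg):
        if header.startswith("interface "):
            # 'ip address 192.168.1.1 24' -> 192.168.1.0/24, keyed by the interface name
            if m := re.search(r"ip address (\S+) (\S+)", "\n".join(body)):
                addressed[header.split(" ", 1)[1]] = ipaddress.ip_interface("/".join(m.groups())).network
        elif header.startswith("firewall zone "):
            zoned |= {l[len("add interface "):] for l in body if l.startswith("add interface ")}
        elif header.startswith("nat-policy "):
            for line in body:
                if m := re.match(r"policy source (\S+) (\S+)", line):
                    # Huawei gives address + wildcard; ipaddress reads the wildcard as a hostmask
                    nat_src.append(ipaddress.ip_network("/".join(m.groups())))
    for name, net in addressed.items():
        if name not in zoned:
            findings.append(f"{name}: not assigned to a security zone")
        if not any(net.subnet_of(n) for n in nat_src):
            findings.append(f"{name}: {net} is outside the source-NAT policy scope")
    return findings

if __name__ == "__main__":
    print(audit(FIREWALL_CFG) or "configuration is consistent")
```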

Written by

Practical DevOps Architecture

Hands‑on DevOps operations using Docker, K8s, Jenkins, and Ansible—empowering ops professionals to grow together through sharing, discussion, knowledge consolidation, and continuous improvement.