
Step-by-Step Switch and Firewall Configuration Guide (VLAN, DHCP, NAT, and Routing)

This guide provides detailed commands to configure a switch for user access VLANs, set up a firewall as both a layer‑3 and layer‑2 device with VLAN interfaces, DHCP/DNS, security zones, static routing, and NAT to enable internal users to reach external networks.


Switch configuration (2 steps)

Step 1 – Create the user VLANs and put the user-facing ports into them as access ports:

    vlan batch 2 3
    interface gigabitethernet0/0/2
     port link-type access
     port default vlan 2
     quit
    interface gigabitethernet0/0/3
     port link-type access
     port default vlan 3
     quit

Step 2 – Configure the uplink to the firewall as a trunk carrying both VLANs:

    interface gigabitethernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 2 3
     quit

Firewall as a layer‑3 device (5 steps)

Step 1 – Create a dot1q sub‑interface for each VLAN and give it the gateway address of that subnet:

    vlan batch 2 3
    interface gigabitethernet0/0/1.1
     vlan-type dot1q 2
     ip address 192.168.1.1 24
     quit
    interface gigabitethernet0/0/1.2
     vlan-type dot1q 3
     ip address 192.168.2.1 24
     quit

Step 2 – Enable DHCP globally and hand out addresses and DNS servers from each sub‑interface:

    dhcp enable
    interface gigabitethernet0/0/1.1
     dhcp select interface
     dhcp server dns-list 114.114.114.114 223.5.5.5
     quit
    interface gigabitethernet0/0/1.2
     dhcp select interface
     dhcp server dns-list 114.114.114.114 223.5.5.5
     quit

Step 3 – Configure security zones and the default interzone policy:

    firewall zone trust
     add interface gigabitethernet0/0/1
     add interface gigabitethernet0/0/1.1
     add interface gigabitethernet0/0/1.2
     quit
    firewall zone untrust
     add interface gigabitethernet0/0/2
     quit
    firewall packet-filter default permit all

Step 4 – Assign the public interface address and add a default static route to the upstream gateway:

    interface gigabitethernet0/0/2
     ip address 200.0.0.2 255.255.255.0
     quit
    ip route-static 0.0.0.0 0.0.0.0 200.0.0.1

Step 5 – Enable source NAT for trust‑to‑untrust traffic, translating internal addresses to the public interface address:

    nat address-group 1 200.0.0.2 200.0.0.2
    nat-policy interzone trust untrust outbound
     policy 1
     policy source 192.168.0.0 0.0.255.255
     action source-nat address-group 1
     quit
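As an added example (not part of the original guide or any vendor tool), the following Python script parses the layer‑3 firewall commands above and checks three things a practitioner would verify before handing the device over: every addressed interface belongs to a security zone, the NAT policy's wildcard source range covers each trust subnet, and the `firewall packet-filter default permit all` setting from Step 3 is flagged, because it leaves all interzone traffic unrestricted. The configuration text is a constructed copy of the commands from Steps 1, 3 and 5; it assumes the command syntax shown in the guide and the `ipaddress` module's acceptance of wildcard (hostmask) notation.

```python
import ipaddress

# Constructed copy of the guide's layer-3 firewall commands (Steps 1, 3 and 5), one per line.
FW_CONFIG = """\
interface gigabitethernet0/0/1.1
 ip address 192.168.1.1 24
interface gigabitethernet0/0/1.2
 ip address 192.168.2.1 24
interface gigabitethernet0/0/2
 ip address 200.0.0.2 255.255.255.0
firewall zone trust
 add interface gigabitethernet0/0/1.1
 add interface gigabitethernet0/0/1.2
firewall zone untrust
 add interface gigabitethernet0/0/2
firewall packet-filter default permit all
nat-policy interzone trust untrust outbound
 policy source 192.168.0.0 0.0.255.255
"""

def parse(config):
    """Collect interface addresses, zone membership, NAT source ranges and the default policy."""
    ifaces, zones, nat_src, permit_all, ctx = {}, {}, [], False, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[0] == "interface":
            ctx = ("if", t[1])
        elif t[:2] == ["firewall", "zone"]:
            ctx = ("zone", t[2]); zones.setdefault(t[2], [])
        elif t[:2] == ["ip", "address"] and ctx and ctx[0] == "if":
            ifaces[ctx[1]] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")  # prefix length or dotted mask
        elif t[:2] == ["add", "interface"] and ctx and ctx[0] == "zone":
            zones[ctx[1]].append(t[2])
        elif t[:2] == ["policy", "source"]:
            nat_src.append(ipaddress.ip_network(f"{t[2]}/{t[3]}"))  # wildcard mask is a hostmask
        elif t == ["firewall", "packet-filter", "default", "permit", "all"]:
            permit_all = True
    return ifaces, zones, nat_src, permit_all

def audit(config):
    """Return a list of findings; an empty list means the config is internally consistent."""
    ifaces, zones, nat_src, permit_all = parse(config)
    zoned = {name for members in zones.values() for name in members}
    findings = [f"{n} has an address but is in no security zone" for n in ifaces if n not in zoned]
    for name in zones.get("trust", []):
        if name in ifaces and not any(ifaces[name].network.subnet_of(s) for s in nat_src):
            findings.append(f"{ifaces[name].network} on {name} is not covered by the NAT source range")
    if permit_all:
        findings.append("default interzone policy is permit all; restrict it before deployment")
    return findings
```

Run `audit(FW_CONFIG)` on the sample and the only finding is the permit-all default policy; narrowing the NAT source to a single /24 or dropping an interface from its zone produces a finding naming the affected interface.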

Firewall as a layer‑2 device using VLANIF (5 steps)

Step 1 – Switch the internal interface to layer 2, trunk both VLANs across it, and create a VLANIF gateway for each VLAN:

    vlan batch 2 3
    interface gigabitethernet0/0/1
     portswitch
     port link-type trunk
     port trunk permit vlan 2 3
     quit
    interface vlanif 2
     ip address 192.168.1.1 24
     quit
    interface vlanif 3
     ip address 192.168.2.1 24
     quit

Step 2 – Enable DHCP and DNS on VLANIFs (same commands as above, applied to vlanif 2 and 3).

Step 3 – Configure zones and default policy (same as layer‑3 steps, using vlanif interfaces).

Step 4 – Configure public interface IP and static route (same as layer‑3 step 4).

Step 5 – Configure NAT for outbound traffic (same as layer‑3 step 5).

Written by

Practical DevOps Architecture

Hands‑on DevOps operations using Docker, K8s, Jenkins, and Ansible—empowering ops professionals to grow together through sharing, discussion, knowledge consolidation, and continuous improvement.
