Solved

Remote Site VLAN for internet ONLY

Posted on 2009-07-07
1,037 Views
Last Modified: 2012-06-27
Hello EE,

We are looking for a way to better manage our bank of public access computers at our city library.  Currently, we have 15-20 PCs that are completely segregated and use an entirely separate internet connection.  Our current internal infrastructure between the City Library (Site B) and City Hall (Site A) consists of a Cisco 2821 ISR, Time Warner Managed Metro Ethernet, and a Cisco Catalyst 3560 Switch.  We are looking to create a VLAN that will carry all traffic from the public network, across the Metro Ethernet and through our existing ASA for internet access only.  This network should be completely segregated from our city network with limited administrative access (i.e. WSUS, web filtering, remote access).  Any thoughts, ideas, config examples, etc. are greatly appreciated.  Please see the diagram below for clarification.

Public-VLAN-070709.png
Question by:CityofKerrville
7 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 400 total points
ID: 24797905
It is done 100% by ACLs on the 2821 Router.
The ASA is really irrelevant,...it will allow or disallow them from using the Internet, but it has no "authority" or any "means" to be involved in the interaction between the Public Network and the rest of your other networks.
To help with the "perspective",...the Red/Blue Line should stop at the 2821.  It does not continue on to the ASA or the Internet.  The Red/Blue Line between the 3560 and the 2821 is really a Trunk Line carrying two VLANs (networks) over the same physical wire.  So if you collapse the VLAN and Metro Ethernet from the illustration it would be the same thing as this:
 

MultiSubnetSimpleLAN.jpg
 
LVL 2

Assisted Solution

by:Ar3s
Ar3s earned 100 total points
ID: 24797994
The simplest way I can think of would be to segregate the Public Network into a separate VLAN on the Cisco 3560 then place an ACL on the Cisco 2821 to only allow port 80 requests inbound from the Metro Ethernet (10.10.x.x).

However, if you currently only have 1 VLAN (or basically no VLAN) on the 3560 switch, then you will have to do one of two things in order for it to properly route through the 2821 router. You will either have to create a trunk between the two or have two connections to the router. I highly suggest the first option because the router may only have one interface available to you. But when you create the trunk, you will also have to configure the router for 802.1q Encapsulation in order to route traffic through 1 interface (the trunk to the switch).

Here is some information on 802.1q:

http://www.cisco.com/en/US/docs/routers/access/1700/1701/software/configuration/guide/vlans.html

and here is some information on trunk ports:

http://www.techsneeze.com/create-vlan-trunk-between-cisco-ios-and-foundry-bigiron

You should be able to accomplish what you want with this information, but I would also do some research on Captive Portals since you mentioned that this is for a library. Basically what a captive portal is, is a system that requires users to get authorization in order to use the internet. If you have ever been to a hotel and tried to use their internet, the web page will redirect you to their homepage where you either have to enter in a code, ask for a certificate, or pay with a credit card in order to use their service. In any case, it is an interesting subject to look into.

Hope this helped.
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 400 total points
ID: 24798289
It would have to already be VLANed at the 3560 currently for this LAN to be operating properly, so that is probably already done.
After that all it takes is an ACL on the 2821,..all done,..that's it.
Even if it wasn't a separate segment the ACLs can be applied to an arbitrary range of IP#s or a list of non-sequential IP#s.  Although the non-sequential IP#s would be messy,...a separate ACL for each I believe.

Author Comment

by:CityofKerrville
ID: 24798422
Here is the existing config for the 3560
LIBRARY#sh conf
Using 4074 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LIBRARY
!
enable secret 5 
enable password 
!
no aaa new-model
system mtu routing 1500
vtp domain LIBRARY
vtp mode transparent
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 60
!
interface FastEthernet0/1
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast
!
~~~~~~~~~~~~~~interfaces truncated
!
interface FastEthernet0/23
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 description METRO ETHERNET PORT
 no switchport
 ip address 10.10.10.8 255.255.255.240
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan60
 description LIBRARY
 ip address 192.168.106.1 255.255.255.0
 ip helper-address 192.168.101.215
!
router eigrp 1
 network 10.0.0.0
 network 192.168.106.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.101.0 255.255.255.0 10.10.10.1
ip route 192.168.102.0 255.255.255.0 10.10.10.14
ip route 192.168.103.0 255.255.255.0 10.10.10.14
ip route 192.168.104.0 255.255.255.0 10.10.10.6
ip route 192.168.105.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.109.0 255.255.255.0 10.10.10.3
ip route 192.168.110.0 255.255.255.0 10.10.10.4
ip route 192.168.111.0 255.255.255.0 10.10.10.2
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.5
ip route 192.168.115.0 255.255.255.0 10.10.10.14
ip http server
!
logging trap debugging
logging 192.168.101.202
!
control-plane
!
!
line con 0
line vty 0 4
 password 
 login
 length 0
line vty 5 15
 password 
 login
!
end
 
LIBRARY#

 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 400 total points
ID: 24798595
I'm not going to get into fooling with raw Config files,...they just make me dizzy.  My posts should be clear enough for you to decide what you want to do.  Deciding the correct approach is most of the battle,...after that you can quickly look up the syntax in a reference source.
 

Author Comment

by:CityofKerrville
ID: 24825023
Ok, so I have added a test machine to the Public VLAN and all seems to be working so far.  Now I need an ACL in my 2821 that permits all traffic from the IP range 172.16.0.0 internet access and denies access to everything on the 192.168.0.0.  After that is in place, I may want to grant individual IPs or a range of IPs on the 192.168.0.0 administrative access to machines on the 172.16.0.0.  I will keep plugging away on my end for an answer.  Anyone have any ideas?
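One way to write the filtering the question above asks for, as an added example that is not from any of the posters or from the page itself. It assumes the public network is VLAN 70 with subnet 172.16.70.0/24 (the thread only says "172.16.0.0"), that the public PCs sit on FastEthernet0/10-20, and that the 2821's metro-ethernet side is GigabitEthernet0/1; none of those values appear on the page. Because the posted 3560 config has `ip routing` enabled with an SVI for VLAN 60, the switch itself would route between a new public VLAN and 192.168.106.0/24 without the packets ever reaching the 2821, so the same policy is applied at the public SVI on the 3560 as well as on the router:

```cisco
! ---- Catalyst 3560 (LIBRARY), additions only ----
! Assumed values: VLAN 70, 172.16.70.0/24, ports Fa0/10-20 for the public PCs
vlan 70
 name PUBLIC
!
interface range FastEthernet0/10 - 20
 description PUBLIC ACCESS PCS
 switchport access vlan 70
 switchport mode access
 spanning-tree portfast
!
ip access-list extended PUBLIC-IN
 remark -- DHCP requests from unconfigured clients (only if the public VLAN uses DHCP) --
 permit udp any eq bootpc any eq bootps
 remark -- replies to admin sessions opened FROM the city LAN (stateless match, see note) --
 permit tcp 172.16.70.0 0.0.0.255 192.168.0.0 0.0.255.255 established
 remark -- public VLAN may not reach city address space or the metro/management ranges --
 deny   ip 172.16.70.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   ip 172.16.70.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark -- everything else is Internet-bound via the existing default route to 10.10.10.1 --
 permit ip 172.16.70.0 0.0.0.255 any
 remark -- anything with a source outside the public subnet is spoofed; drop and log it --
 deny   ip any any log
!
interface Vlan70
 description PUBLIC
 ip address 172.16.70.1 255.255.255.0
 ip access-group PUBLIC-IN in
!
router eigrp 1
 network 172.16.0.0
!
! ---- 2821 ISR (City Hall), additions only ----
! Assumed: the metro-ethernet side is GigabitEthernet0/1 (the page does not name it)
ip access-list extended METRO-IN
 permit tcp 172.16.70.0 0.0.0.255 192.168.0.0 0.0.255.255 established
 deny   ip 172.16.70.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 deny   ip 172.16.70.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 permit ip 172.16.70.0 0.0.0.255 any
 remark -- VLAN 60 and the other remote sites on the metro ethernet are unaffected --
 permit ip any any
!
interface GigabitEthernet0/1
 description METRO ETHERNET
 ip access-group METRO-IN in
```

`show access-lists PUBLIC-IN` (and `METRO-IN` on the router) shows per-line hit counters, and the `log` keyword sends each denied hit to the syslog host the switch already points at (192.168.101.202), which is the quickest way to confirm the public VLAN is really isolated. Two caveats: the `established` line matches only on the ACK/RST flags, so it is not stateful and a public host could push ACK-flagged segments toward the city range; the 3560 offers nothing tighter, but on the 2821 a reflexive ACL (`reflect`/`evaluate`) or CBAC (`ip inspect`) tracks the admin sessions properly and should replace that line there. Second, the deny lines also block DNS, so the public PCs need resolvers outside the city address space or an explicit `permit udp ... eq domain` line ahead of the denies.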
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 400 total points
ID: 24825059
Sounds like you are doing fine and moving in the right direction.