Remote Site VLAN for internet ONLY

Posted on 2009-07-07
Last Modified: 2012-06-27
Hello EE,

We are looking for a way to better manage our bank of public access computers at our city library. Currently, we have 15-20 PCs that are completely segregated and use an entirely separate internet connection. Our current internal infrastructure between the City Library (Site B) and City Hall (Site A) consists of a Cisco 2821 ISR, Time Warner Managed Metro Ethernet, and a Cisco Catalyst 3560 Switch. We are looking to create a VLAN that will carry all traffic from the public network, across the Metro Ethernet and through our existing ASA for internet access only. This network should be completely segregated from our city network with limited administrative access (i.e. WSUS, web filtering, remote access). Any thoughts, ideas, config examples, etc. are greatly appreciated. Please see the diagram below for clarification.

Public-VLAN-070709.png
Question by:CityofKerrville
Accepted Solution

by: pwindell
It is done 100% by ACLs on the 2821 Router.
The ASA is really irrelevant,...it will allow or disallow them from using the Internet but it has no "authority" or any "means" to be involved in the interaction between the Public Network and the rest of your other networks.
To help with the "perspective",..the Red/Blue Line should stop at the 2821. It does not continue on to the ASA or the Internet. The Red/Blue Line between the 3560 and the 2821 is really a Trunk Line carrying two VLANs (networks) over the same physical wire. So if you collapse the VLAN and Metro Ethernet from the illustration it would be the same thing as this:
 

MultiSubnetSimpleLAN.jpg
Assisted Solution

by: Ar3s
The simplest way I can think of would be to segregate the Public Network into a separate VLAN on the Cisco 3560 then place an ACL on the Cisco 2821 to only allow port 80 requests inbound from the Metro Ethernet (10.10.x.x).

However, if you currently only have 1 VLAN (or basically no VLAN) on the 3560 switch, then you will have to do one of two things in order for it to properly route through the 2821 router. You will either have to create a trunk between the two or have two connections to the router. I highly suggest the first option because the router may only have one interface available to you. But when you create the trunk, you will also have to configure the router for 802.1q Encapsulation in order to route traffic through 1 interface (the trunk to the switch).

Here is some information on 802.1q:

http://www.cisco.com/en/US/docs/routers/access/1700/1701/software/configuration/guide/vlans.html

and here is some information on trunk ports:

http://www.techsneeze.com/create-vlan-trunk-between-cisco-ios-and-foundry-bigiron

You should be able to accomplish what you want with this information, but I would also do some research on Captive Portals since you mentioned that this is for a library. Basically, a captive portal is a system that requires users to get authorization in order to use the internet. If you have ever been to a hotel and tried to use their internet, the web page will redirect you to their homepage where you either have to enter in a code, ask for a certificate, or pay with a credit card in order to use their service. In any case, it is an interesting subject to look into.

Hope this helped.
Assisted Solution

by: pwindell
It would have to already be VLANed at the 3560 currently for this LAN to be operating properly, so that is probably already done.
After that all it takes is an ACL on the 2821,..all done,..that's it.
Even if it wasn't a separate segment the ACLs can be applied to an arbitrary range of IP#s or a list of non-sequential IP#s. Although the non-sequential IP#s would be messy,...a separate ACL for each I believe.
Author Comment

by: CityofKerrville
Here is the existing config for the 3560:
LIBRARY#sh conf
Using 4074 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LIBRARY
!
enable secret 5
enable password
!
no aaa new-model
system mtu routing 1500
vtp domain LIBRARY
vtp mode transparent
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 60
!
interface FastEthernet0/1
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast
!
~~~~~~~~~~~~~~interfaces truncated
!
interface FastEthernet0/23
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 description METRO ETHERNET PORT
 no switchport
 ip address 10.10.10.8 255.255.255.240
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan60
 description LIBRARY
 ip address 192.168.106.1 255.255.255.0
 ip helper-address 192.168.101.215
!
router eigrp 1
 network 10.0.0.0
 network 192.168.106.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.101.0 255.255.255.0 10.10.10.1
ip route 192.168.102.0 255.255.255.0 10.10.10.14
ip route 192.168.103.0 255.255.255.0 10.10.10.14
ip route 192.168.104.0 255.255.255.0 10.10.10.6
ip route 192.168.105.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.109.0 255.255.255.0 10.10.10.3
ip route 192.168.110.0 255.255.255.0 10.10.10.4
ip route 192.168.111.0 255.255.255.0 10.10.10.2
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.5
ip route 192.168.115.0 255.255.255.0 10.10.10.14
ip http server
!
logging trap debugging
logging 192.168.101.202
!
control-plane
!
!
line con 0
line vty 0 4
 password
 login
 length 0
line vty 5 15
 password
 login
!
end

LIBRARY#
Assisted Solution

by: pwindell
I'm not going to get into fooling with raw Config files,...they just make me dizzy.  My posts should be clear enough for you to decide what you want to do.  Deciding the correct approach is most of the battle,...after that you can quickly look up the syntax in a reference source.
Author Comment

by: CityofKerrville
Ok, so I have added a test machine to the Public VLAN and all seems to be working so far. Now I need an ACL in my 2821 that permits all traffic from IP range 172.16.0.0 internet access and denies access to everything on the 192.168.0.0. After that is in place, I may want to grant individual IPs or a range of IPs on the 192.168.0.0 administrative access to machines on the 172.16.0.0. I will keep plugging away on my end for an answer. Anyone have any ideas?
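An added config example for the ACL asked for above; it is not from any poster in this thread. Because the posted 3560 config already has ip routing and an SVI for VLAN 60, traffic from the public VLAN toward 192.168.106.0 is routed on the switch itself and never transits the 2821, so this example places the filter on the new public SVI of the 3560 and only internet-bound traffic continues to the 2821 and ASA. Assumed (not stated in the thread): VLAN 70 with 172.16.70.0/24, port Fa0/2 as a public PC port, an admin host 192.168.101.50 and a WSUS server 192.168.101.250 as placeholders; 192.168.101.215 is the DHCP helper-address from the posted config.

```cisco
! Added example, not from the thread. Public VLAN on the library 3560.
! Assumptions: VLAN 70 / 172.16.70.0/24, ACL name PUBLIC-IN, admin host
! 192.168.101.50 and WSUS host 192.168.101.250 are placeholders.
! 192.168.101.215 is the DHCP helper-address already in the posted config.
!
vlan 70
 name PUBLIC
!
ip access-list extended PUBLIC-IN
 remark Let the public PCs reach DHCP through the relay on this SVI
 permit udp any eq bootpc any eq bootps
 remark Limited admin services on the city network (placeholder host)
 permit tcp 172.16.70.0 0.0.0.255 host 192.168.101.250 eq 8530
 remark Replies to sessions opened FROM the admin host; ACLs are
 remark stateless, established matches ACK/RST, enough for RDP/VNC
 permit tcp 172.16.70.0 0.0.0.255 host 192.168.101.50 established
 remark Block everything else toward private city address space
 deny   ip 172.16.70.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.70.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.70.0 0.0.0.255 172.16.0.0 0.15.255.255
 remark Anything else is internet-bound: forward to the 2821 and ASA
 permit ip 172.16.70.0 0.0.0.255 any
 remark Spoofed or unexpected sources are dropped and logged
 deny   ip any any log
!
interface Vlan70
 description PUBLIC ACCESS PCS - INTERNET ONLY
 ip address 172.16.70.1 255.255.255.0
 ip helper-address 192.168.101.215
 ip access-group PUBLIC-IN in
!
interface FastEthernet0/2
 description PUBLIC PC (placeholder port)
 switchport access vlan 70
 switchport mode access
 spanning-tree portfast
!
router eigrp 1
 network 172.16.70.0 0.0.0.255
```

Connections from the admin host into the public VLAN are not filtered by this inbound ACL; only their replies need the established line, so keep it above the 192.168.0.0 deny. The ASA still needs a NAT rule for 172.16.70.0/24 before the public PCs get out.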
Assisted Solution

by: pwindell
Sounds like you are doing fine and moving in the right direction.