Solved

Remote Site VLAN for internet ONLY

Posted on 2009-07-07
7
1,032 Views
Last Modified: 2012-06-27
Hello EE,

We are looking for a way to better manage our bank of public access computers at our city library.  Currently, we have 15-20 PCs that are completely segregated and use an entirely separate internet connection.  Our current internal infrastructure between the City Library (Site B) and City Hall (Site A) consists of a Cisco 2821 ISR, Time Warner Managed Metro Ethernet, and a Cisco Catalyst 3560 Switch.  We are looking to create a VLAN that will carry all traffic from the public network, across the Metro Ethernet and through our existing ASA for internet access only.  This network should be completely segregated from our city network with limited administrative access (i.e. WSUS, web filtering, remote access).  Any thoughts, ideas, config examples, etc. are greatly appreciated.  Please see the diagram below for clarification.

Public-VLAN-070709.png
Question by:CityofKerrville
7 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 400 total points
ID: 24797905
It is done 100% by ACLs on the 2821 Router.
The ASA is really irrelevant,...it will allow or disallow them from using the Internet but it has no "authority" or any "means" to be involved in the interaction between the Public Network and the rest of your other networks.
To help with the "perspective",...the Red/Blue Line should stop at the 2821.  It does not continue on to the ASA or the Internet.  The Red/Blue Line between the 3560 and the 2821 is really a Trunk Line carrying two VLANs (networks) over the same physical wire.  So if you collapse the VLAN and Metro Ethernet from the illustration it would be the same thing as this:
 

MultiSubnetSimpleLAN.jpg
0
 
LVL 2

Assisted Solution

by:Ar3s
Ar3s earned 100 total points
ID: 24797994
The simplest way I can think of would be to segregate the Public Network into a separate VLAN on the Cisco 3560 then place an ACL on the Cisco 2821 to only allow port 80 requests inbound from the Metro Ethernet (10.10.x.x).

However, if you currently only have 1 VLAN (or basically no VLAN) on the 3560 switch, then you will have to do one of two things in order for it to properly route through the 2821 router. You will either have to create a trunk between the two or have two connections to the router. I highly suggest the first option because the router may only have one interface available to you. But when you create the trunk, you will also have to configure the router for 802.1q Encapsulation in order to route traffic through 1 interface (the trunk to the switch).

Here is some information on 802.1q:

http://www.cisco.com/en/US/docs/routers/access/1700/1701/software/configuration/guide/vlans.html

and here is some information on trunk ports:

http://www.techsneeze.com/create-vlan-trunk-between-cisco-ios-and-foundry-bigiron

You should be able to accomplish what you want with this information, but I would also do some research on Captive Portals since you mentioned that this is for a library. Basically, a captive portal is a system that requires users to get authorization in order to use the internet. If you have ever been to a hotel and tried to use their internet, the web page will redirect you to their homepage where you either have to enter in a code, ask for a certificate, or pay with a credit card in order to use their service. In any case, it is an interesting subject to look into.

Hope this helped.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 400 total points
ID: 24798289
It would have to already be VLANed at the 3560 currently for this LAN to be operating properly, so that is probably already done.
After that all it takes is an ACL on the 2821,..all done,..that's it.
Even if it wasn't a separate segment, the ACLs can be applied to an arbitrary range of IP#s or a list of non-sequential IP#s.  Although the non-sequential IP#s would be messy,...a separate ACL for each I believe.
0

Author Comment

by:CityofKerrville
ID: 24798422
Here is the existing config for the 3560
LIBRARY#sh conf
Using 4074 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LIBRARY
!
enable secret 5 
enable password 
!
no aaa new-model
system mtu routing 1500
vtp domain LIBRARY
vtp mode transparent
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 60
!
interface FastEthernet0/1
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast
!
~~~~~~~~~~~~~~interfaces truncated
!
interface FastEthernet0/23
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 description METRO ETHERNET PORT
 no switchport
 ip address 10.10.10.8 255.255.255.240
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan60
 description LIBRARY
 ip address 192.168.106.1 255.255.255.0
 ip helper-address 192.168.101.215
!
router eigrp 1
 network 10.0.0.0
 network 192.168.106.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.101.0 255.255.255.0 10.10.10.1
ip route 192.168.102.0 255.255.255.0 10.10.10.14
ip route 192.168.103.0 255.255.255.0 10.10.10.14
ip route 192.168.104.0 255.255.255.0 10.10.10.6
ip route 192.168.105.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.109.0 255.255.255.0 10.10.10.3
ip route 192.168.110.0 255.255.255.0 10.10.10.4
ip route 192.168.111.0 255.255.255.0 10.10.10.2
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.5
ip route 192.168.115.0 255.255.255.0 10.10.10.14
ip http server
!
logging trap debugging
logging 192.168.101.202
!
control-plane
!
!
line con 0
line vty 0 4
 password 
 login
 length 0
line vty 5 15
 password 
 login
!
end

LIBRARY#


0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 400 total points
ID: 24798595
I'm not going to get into fooling with raw Config files,...they just make me dizzy.  My posts should be clear enough for you to decide what you want to do.  Deciding the correct approach is most of the battle,...after that you can quickly look up the syntax in a reference source.
0
 

Author Comment

by:CityofKerrville
ID: 24825023
Ok, so I have added a test machine to the Public VLAN and all seems to be working so far.  Now I need an ACL in my 2821 that permits all traffic from IP range 172.16.0.0 internet access and denies access to everything on the 192.168.0.0.  After that is in place, I may want to grant individual IPs or a range of IPs on the 192.168.0.0 administrative access to machines on the 172.16.0.0.  I will keep plugging away on my end for an answer.  Anyone have any ideas?
0
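A worked ACL for the request in the comment above, added here as an example and not posted by anyone in this thread. It assumes the public VLAN uses 172.16.0.0/16 (the range the asker named), the city networks are 192.168.0.0/16, the Metro Ethernet transport is 10.10.x.x with the 2821 at 10.10.10.1, and the 2821 interface name and the WSUS host are placeholders.

```cisco
! Added example (not from the thread). Placeholders: interface name, WSUS host.
! Apply inbound on the 2821 interface that faces the Metro Ethernet, so every
! packet from the public range is checked before it can reach a city network.
ip access-list extended PUBLIC-FILTER
 remark Replies to admin sessions opened FROM the city side (RDP, SSH, pings)
 permit tcp 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 established
 permit icmp 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 echo-reply
 remark Optional: let public PCs reach one WSUS server only (WSUS default 8530)
 remark permit tcp 172.16.0.0 0.0.255.255 host <WSUS-IP> eq 8530
 remark Public range may not initiate anything to city networks or the transport
 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255 log
 remark Everything else from the public range goes on to the ASA / Internet
 permit ip 172.16.0.0 0.0.255.255 any
 remark Staff traffic between sites (192.168.x, EIGRP) is left as it is today
 permit ip any any
!
interface GigabitEthernet0/0
 description METRO ETHERNET (placeholder interface name)
 ip access-group PUBLIC-FILTER in
!
! The 2821 also needs a route back to 172.16.0.0/16 via the 3560 (10.10.10.8),
! either a static route or the public subnet added under "router eigrp 1" on
! the 3560. Check hit counters per line with: show ip access-lists PUBLIC-FILTER
```

Because the first three lines match only sessions the city side initiated, granting "administrative access" later means nothing more than choosing which 192.168 hosts are allowed to start those sessions; the logged deny lines show any public PC that tries the other direction.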
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 400 total points
ID: 24825059
Sounds like you are doing fine and moving in the right direction.
0