Solved

Remote Site VLAN for internet ONLY

Posted on 2009-07-07
Last Modified: 2012-06-27
Hello EE,

We are looking for a way to better manage our bank of public access computers at our city library.  Currently, we have 15-20 PCs that are completely segregated and use an entirely separate internet connection.  Our current internal infrastructure between the City Library (Site B) and City Hall (Site A) consists of a Cisco 2821 ISR, Time Warner Managed Metro Ethernet, and a Cisco Catalyst 3560 Switch.  We are looking to create a VLAN that will carry all traffic from the public network, across the Metro Ethernet and through our existing ASA for internet access only.  This network should be completely segregated from our city network with limited administrative access (i.e. WSUS, web filtering, remote access).  Any thoughts, ideas, config examples, etc. are greatly appreciated.  Please see the diagram below for clarification.

Public-VLAN-070709.png
Question by:CityofKerrville
7 Comments
 
Accepted Solution
by: pwindell (earned 1600 total points)
ID: 24797905
It is done 100% by ACLs on the 2821 Router.
The ASA is really irrelevant,...it will allow or disallow them from using the Internet but it has no "authority" or any "means" to be involved in the interaction between the Public Network and the rest of your other networks.
To help with the "perspective",..the Red/Blue Line should stop at the 2821.  It does not continue on to the ASA or the Internet.  The Red/Blue Line between the 3560 and the 2821 is really a Trunk Line carrying two VLANs (networks) over the same physical wire.  So if you collapse the VLAN and Metro Ethernet from the illustration it would be the same thing as this:
 

MultiSubnetSimpleLAN.jpg
 
Assisted Solution
by: Kyle Lambert (earned 400 total points)
ID: 24797994
The simplest way I can think of would be to segregate the Public Network into a separate VLAN on the Cisco 3560, then place an ACL on the Cisco 2821 to only allow port 80 requests inbound from the Metro Ethernet (10.10.x.x).

However, if you currently only have 1 VLAN (or basically no VLAN) on the 3560 switch, then you will have to do one of two things in order for it to properly route through the 2821 router. You will either have to create a trunk between the two or have two connections to the router. I highly suggest the first option because the router may only have one interface available to you. But when you create the trunk, you will also have to configure the router for 802.1q encapsulation in order to route traffic through 1 interface (the trunk to the switch).

Here is some information on 802.1q:

http://www.cisco.com/en/US/docs/routers/access/1700/1701/software/configuration/guide/vlans.html

and here is some information on trunk ports:

http://www.techsneeze.com/create-vlan-trunk-between-cisco-ios-and-foundry-bigiron

You should be able to accomplish what you want with this information, but I would also do some research on Captive Portals since you mentioned that this is for a library. Basically, a captive portal is a system that requires users to get authorization in order to use the internet. If you have ever been to a hotel and tried to use their internet, the web page will redirect you to their homepage where you either have to enter in a code, ask for a certificate, or pay with a credit card in order to use their service. In any case, it is an interesting subject to look into.

Hope this helped.
 
Assisted Solution
by: pwindell (earned 1600 total points)
ID: 24798289
It would have to already be VLANed at the 3560 currently for this LAN to be operating properly, so that is probably already done.
After that all it takes is an ACL on the 2821,..all done,..that's it.
Even if it wasn't a separate segment the ACLs can be applied to an arbitrary range of IP#s or a list of non-sequential IP#s.  Although the non-sequential IP#s would be messy,...a separate ACL for each I believe.
Author Comment

by:CityofKerrville
ID: 24798422
Here is the existing config for the 3560
LIBRARY#sh conf
Using 4074 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LIBRARY
!
enable secret 5 
enable password 
!
no aaa new-model
system mtu routing 1500
vtp domain LIBRARY
vtp mode transparent
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 60
!
interface FastEthernet0/1
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast
!
~~~~~~~~~~~~~~interfaces truncated
!
interface FastEthernet0/23
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 description METRO ETHERNET PORT
 no switchport
 ip address 10.10.10.8 255.255.255.240
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan60
 description LIBRARY
 ip address 192.168.106.1 255.255.255.0
 ip helper-address 192.168.101.215
!
router eigrp 1
 network 10.0.0.0
 network 192.168.106.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.101.0 255.255.255.0 10.10.10.1
ip route 192.168.102.0 255.255.255.0 10.10.10.14
ip route 192.168.103.0 255.255.255.0 10.10.10.14
ip route 192.168.104.0 255.255.255.0 10.10.10.6
ip route 192.168.105.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.109.0 255.255.255.0 10.10.10.3
ip route 192.168.110.0 255.255.255.0 10.10.10.4
ip route 192.168.111.0 255.255.255.0 10.10.10.2
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.5
ip route 192.168.115.0 255.255.255.0 10.10.10.14
ip http server
!
logging trap debugging
logging 192.168.101.202
!
control-plane
!
!
line con 0
line vty 0 4
 password 
 login
 length 0
line vty 5 15
 password 
 login
!
end
 
LIBRARY#

 
Assisted Solution
by: pwindell (earned 1600 total points)
ID: 24798595
I'm not going to get into fooling with raw Config files,...they just make me dizzy.  My posts should be clear enough for you to decide what you want to do.  Deciding the correct approach is most of the battle,...after that you can quickly look up the syntax in a reference source.
 

Author Comment

by:CityofKerrville
ID: 24825023
Ok, so I have added a test machine to the Public VLAN and all seems to be working so far.  Now I need an ACL in my 2821 that permits all traffic from IP range 172.16.0.0 internet access and denies access to everything on the 192.168.0.0.  After that is in place, I may want to grant individual IPs or a range of IPs on the 192.168.0.0 administrative access to machines on the 172.16.0.0.  I will keep plugging away on my end for an answer.  Anyone have any ideas?
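The following is an added example, not config posted in the thread, of what the 2821 side could look like once the public VLAN is trunked to the router with 802.1q (Kyle Lambert's answer) and filtered with ACLs (pwindell's answer): it permits the 172.16.0.0 range to reach the Internet, blocks it from every 192.168.0.0 network, and lets a single city-side admin host (placeholder 192.168.101.50) open sessions into the public VLAN. Assumed, because the thread does not state them: a /16 mask on both ranges, VLAN ID 172, subinterface GigabitEthernet0/1.172, and the admin host address.

```cisco
! Inbound from the public VLAN toward the router (public PCs as source)
ip access-list extended PUBLIC-IN
 remark replies to sessions the admin host started (WSUS, RDP, etc.)
 permit tcp 172.16.0.0 0.0.255.255 host 192.168.101.50 established
 remark any other attempt to reach a city network is dropped and logged
 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
 remark everything else (the Internet, via the ASA) is allowed
 permit ip 172.16.0.0 0.0.255.255 any
 remark a non-172.16 source on this VLAN is spoofed or misconfigured: log it
 deny   ip any any log
!
! Outbound from the router into the public VLAN
ip access-list extended PUBLIC-OUT
 remark only the admin host (placeholder address) may initiate into the VLAN
 permit ip host 192.168.101.50 172.16.0.0 0.0.255.255
 remark no other city host may talk to public PCs
 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255 log
 remark Internet return traffic to the public PCs
 permit ip any 172.16.0.0 0.0.255.255
!
! 802.1q subinterface for the public VLAN (VLAN ID and interface assumed)
interface GigabitEthernet0/1.172
 description PUBLIC VLAN - library patron PCs
 encapsulation dot1Q 172
 ip address 172.16.0.1 255.255.0.0
 ip access-group PUBLIC-IN in
 ip access-group PUBLIC-OUT out
```

The established keyword only matches TCP segments with ACK or RST set, so it is a stateless approximation of "reply traffic" rather than true session tracking; the log entries on the deny lines give a simple way to spot public PCs probing the city networks.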
 
Assisted Solution
by: pwindell (earned 1600 total points)
ID: 24825059
Sounds like you are doing fine and moving in the right direction.
