Remote Site VLAN for internet ONLY

Medium Priority
1,094 Views
Last Modified: 2012-06-27
Hello EE,

We are looking for a way to better manage our bank of public access computers at our city library.  Currently, we have 15-20 PCs that are completely segregated and use an entirely separate internet connection.  Our current internal infrastructure between the City Library (Site B) and City Hall (Site A) consists of a Cisco 2821 ISR, Time Warner Managed Metro Ethernet, and a Cisco Catalyst 3560 Switch.  We are looking to create a VLAN that will carry all traffic from the public network, across the Metro Ethernet and through our existing ASA for internet access only.  This network should be completely segregated from our city network with limited administrative access (i.e. WSUS, web filtering, remote access).  Any thoughts, ideas, config examples, etc. are greatly appreciated.  Please see the diagram below for clarification.

Public-VLAN-070709.png

Author

Commented:
Here is the existing config for the 3560
LIBRARY#sh conf
Using 4074 out of 524288 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LIBRARY
!
enable secret 5 
enable password 
!
no aaa new-model
system mtu routing 1500
vtp domain LIBRARY
vtp mode transparent
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 60
!
interface FastEthernet0/1
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast
!
~~~~~~~~~~~~~~interfaces truncated
!
interface FastEthernet0/23
 switchport access vlan 60
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 description METRO ETHERNET PORT
 no switchport
 ip address 10.10.10.8 255.255.255.240
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan60
 description LIBRARY
 ip address 192.168.106.1 255.255.255.0
 ip helper-address 192.168.101.215
!
router eigrp 1
 network 10.0.0.0
 network 192.168.106.0
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.101.0 255.255.255.0 10.10.10.1
ip route 192.168.102.0 255.255.255.0 10.10.10.14
ip route 192.168.103.0 255.255.255.0 10.10.10.14
ip route 192.168.104.0 255.255.255.0 10.10.10.6
ip route 192.168.105.0 255.255.255.0 10.10.10.7
ip route 192.168.107.0 255.255.255.0 10.10.10.9
ip route 192.168.109.0 255.255.255.0 10.10.10.3
ip route 192.168.110.0 255.255.255.0 10.10.10.4
ip route 192.168.111.0 255.255.255.0 10.10.10.2
ip route 192.168.112.0 255.255.255.0 10.10.10.10
ip route 192.168.113.0 255.255.255.0 10.10.10.5
ip route 192.168.115.0 255.255.255.0 10.10.10.14
ip http server
!
logging trap debugging
logging 192.168.101.202
!
control-plane
!
!
line con 0
line vty 0 4
 password 
 login
 length 0
line vty 5 15
 password 
 login
!
end
 
LIBRARY#


Author

Commented:
Ok, so I have added a test machine to the Public VLAN and all seems to be working so far.  Now I need an ACL in my 2821 that permits all traffic from IP range 172.16.0.0 internet access and denies access to everything on the 192.168.0.0.  After that is in place, I may want to grant individual IPs or a range of IPs on the 192.168.0.0 administrative access to machines on the 172.16.0.0.  I will keep plugging away on my end for an answer.  Anyone have any ideas?
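
One way to express the policy requested in the post above as an IOS extended ACL on the 2821. This is an added example, not taken from the thread or its locked answers. The /16 masks, the host 192.168.101.50, TCP port 8530, the interface name, and the premise that the 3560 routes the public VLAN across the Metro Ethernet are all assumptions.

```cisco
! Added example. Values marked ASSUMED are placeholders, not from the thread.
! ASSUMED: public VLAN = 172.16.0.0/16, city networks = 192.168.0.0/16.
! 10.10.10.0/28 is the Metro Ethernet transit subnet seen in the 3560 config.
! ASSUMED: 192.168.101.50 = WSUS / web-filter host, reached on TCP 8530.
! ASSUMED: admin workstations live in 192.168.101.0/24.
!
ip access-list extended PUBLIC-VLAN-IN
 remark -- limited services the public PCs may reach on the city network
 permit tcp 172.16.0.0 0.0.255.255 host 192.168.101.50 eq 8530
 remark -- replies to admin sessions opened from 192.168.101.0/24 (TCP only)
 permit tcp 172.16.0.0 0.0.255.255 192.168.101.0 0.0.0.255 established
 remark -- block everything else toward city networks and the transit subnet
 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.15 log
 remark -- what is left from the public VLAN is internet-bound
 permit ip 172.16.0.0 0.0.255.255 any
 remark -- other sites share this interface, leave their traffic unchanged
 permit ip any any
!
! ASSUMED interface name: the 2821 port facing the Metro Ethernet.
interface GigabitEthernet0/1
 ip access-group PUBLIC-VLAN-IN in
!
! Verify with per-entry hit counters after testing from a public PC:
!   show access-lists PUBLIC-VLAN-IN
```

Order matters because IOS stops at the first matching entry, so the narrow permits must sit above the two deny lines. The `established` keyword only checks for the ACK or RST bit and is not true session state, so UDP or ICMP based admin tools need their own entries and stateful inspection of this traffic would have to be done on the ASA.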